Abstract
In this paper we show that RSA-OAEP is secure against related-key attacks (RKA) in the random oracle model under the strong RSA (sRSA) assumption. The related-key functions may be affine functions. Compared with the chosen-ciphertext security proof of OAEP, we overcome two major obstacles: answering decryption queries under related keys, and preventing the adversary from submitting queries that correspond to the same message as the challenge ciphertext. These two obstacles also arise in the RKA security proofs of RSA-OAEP+ and RSA-SAEP\(^+\). By combining our technique with the chosen-ciphertext security proofs, RSA-OAEP+ and RSA-SAEP\(^+\) can also be proved RKA secure. In our proof, the security of the scheme relies substantially on the algebraic property of the sRSA function.
This work is supported by the National Basic Research Program of China (973 project) (No. 2013CB338002), the National Natural Science Foundation of China (No. 61070171, No. 61272534), the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant XDA06010702, and IIE's Cryptography Research Project (No. Y3Z0027103, No. Y3Z0024103).
Acknowledgments
We are very grateful to anonymous reviewers for their helpful comments.
Appendix
Simulation of Random Oracles G and H
- For a fresh query \(\gamma \) to \(G\), \(\mathcal {B}\) looks at the H-List and, enumerating all queries \(\delta \) asked to \(H\) with answer \(H_{\delta }\), builds \(z=\gamma \oplus H_{\delta }\) and checks whether \(y=(\delta \Vert z)^e\). If for some \(\delta \) the equation holds, we have found the partial preimage \(s^*\) of \(c^*\), and we can still correctly simulate \(G\) by answering the query with \(G_{\gamma }=\delta \oplus (m_b\Vert 0^{k_1})\). Note that \(G_{\gamma }\) is uniformly distributed since \(\delta =s^*\) is uniformly distributed. Otherwise, one outputs a random value \(G_{\gamma }\). In both cases, the pair \((\gamma ,G_{\gamma })\) is added to the G-List.
- For a fresh query \(\delta \) to \(H\), one outputs a random value \(H_{\delta }\) and adds the pair \((\delta ,H_{\delta })\) to the H-List. Then, for every \((\gamma ,G_{\gamma })\in \) G-List, one builds \(z=\gamma \oplus H_{\delta }\) and checks whether \(y=(\delta \Vert z)^e\). If for some \(\gamma \) the equation holds, we have found the partial preimage \(s^*\) of \(c^*\).
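The simulation above, as an added worked example that is not part of the paper: a toy-parameter Python sketch of the G/H simulator that keeps the two lists and, on every fresh query, searches the other list for a pair \((\delta ,\gamma )\) with \(y=(\delta \Vert z)^e\), \(z=\gamma \oplus H_{\delta }\), then answers \(G(r^*)\) consistently with \(m_b\). The modulus, the bit lengths, the layout \(x=s\Vert t\) (with \(s\) in the high bits) and the reduction mod \(N\) are constructed assumptions.

```python
import random

# Constructed toy parameters (far too small for real use); 2^(n+k0+k1) < N.
N, E = 104729 * 104723, 65537      # N is a product of two primes
N_BITS, K0, K1 = 8, 16, 8          # message bits n, randomness bits k0, redundancy bits k1

class OAEPSimulator:
    def __init__(self, y, m_b, seed=0):
        self.y, self.m_b = y, m_b          # challenge ciphertext c* and challenge message m_b
        self.G_list, self.H_list = {}, {}  # lazily sampled random oracles
        self.s_star = None                 # partial preimage of c*, once found
        self.rng = random.Random(seed)

    def _hits(self, delta, gamma, H_delta):
        z = gamma ^ H_delta                # candidate t = r xor H(s)
        return pow((delta << K0) | z, E, N) == self.y   # y == (delta || z)^e mod N ?

    def query_G(self, gamma):
        if gamma in self.G_list:
            return self.G_list[gamma]
        for delta, H_delta in self.H_list.items():      # enumerate the H-List
            if self._hits(delta, gamma, H_delta):
                self.s_star = delta
                # answer so that s* = (m_b || 0^k1) xor G(r*) still holds
                self.G_list[gamma] = delta ^ (self.m_b << K1)
                return self.G_list[gamma]
        self.G_list[gamma] = self.rng.getrandbits(N_BITS + K1)
        return self.G_list[gamma]

    def query_H(self, delta):
        if delta in self.H_list:
            return self.H_list[delta]
        H_delta = self.H_list[delta] = self.rng.getrandbits(K0)
        for gamma in self.G_list:                       # enumerate the G-List
            if self._hits(delta, gamma, H_delta):
                self.s_star = delta
        return H_delta

def run_demo(seed=1):
    # Challenge y = (s* || t*)^e for an x the simulator never sees; returns
    # (no hit on unrelated queries, s* recovered, G(r*) consistent with m_b).
    rng = random.Random(seed)
    x = rng.getrandbits(N_BITS + K1 + K0)
    s_star, t_star = x >> K0, x & ((1 << K0) - 1)
    m_b = rng.getrandbits(N_BITS)
    sim = OAEPSimulator(pow(x, E, N), m_b)
    sim.query_H(s_star ^ 1)                        # unrelated H query: nothing found
    r_star = t_star ^ sim.query_H(s_star)          # AskH: H(s*) is now on the H-List
    sim.query_G(r_star ^ 1)                        # unrelated G query: still nothing
    early = sim.s_star is None
    g = sim.query_G(r_star)                        # the H-List scan finds s* here
    return early, sim.s_star == s_star, (s_star ^ g) == (m_b << K1)
```

Because \((\cdot )^e\) is a permutation of \(\mathbb {Z}_N\), only the true \((s^*,t^*)\) can satisfy the check, so the scan never reports a false partial preimage.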
Probability Analysis
- (1) \(\Pr [\mathtt{Fail }\wedge \lnot \mathtt{CBad }\wedge \lnot \mathtt{AskRS }|\lnot \mathtt{AskH }]\le 2^{-k_1}+q_G\cdot 2^{-k_0}.\)
$$\lnot \mathtt{AskRS }=\lnot \mathtt{AskR }\vee \lnot \mathtt{AskS }=\lnot \mathtt{AskR } \vee (\mathtt{AskR }\wedge \lnot \mathtt{AskS })$$
$$\begin{aligned} \lnot \mathtt{CBad }=\lnot \mathtt{RBad }\wedge \lnot \mathtt{SBad } \end{aligned}$$
$$\begin{aligned}&\Pr [\mathtt{Fail }\wedge \lnot \mathtt{CBad }\wedge \lnot \mathtt{AskRS }]\\&\,\le \Pr [\mathtt{Fail }\wedge \lnot \mathtt{RBad }\wedge \lnot \mathtt{AskR }]+ \Pr [\mathtt{Fail }\wedge \lnot \mathtt{SBad }\wedge (\mathtt{AskR }\wedge \lnot \mathtt{AskS })]\\&\,\le \Pr [\mathtt{Fail }|\lnot \mathtt{RBad }\wedge \lnot \mathtt{AskR }]+ \Pr [\mathtt{AskR }|\lnot \mathtt{SBad }\wedge \lnot \mathtt{AskS }] \end{aligned}$$
But when \(r\) has not been asked to \(G\) and \(r\ne r^*\), \(G(r)\) is unpredictable, thus the probability that \((s\oplus G(r))[0...k_1-1]=0^{k_1}\) is less than \(2^{-k_1}\). On the other hand, when \(H(s)\) has not been asked and \(s\ne s^*\), \(r=H(s)\oplus t\) is unpredictable, and under this condition the probability of having asked \(r\) to \(G\) is less than \(q_G\cdot 2^{-k_0}\). In addition, this event is independent of AskH, which yields
$$\Pr [\mathtt{Fail }\wedge \lnot \mathtt{CBad }\wedge \lnot \mathtt{AskRS }|\lnot \mathtt{AskH }]\le 2^{-k_1}+q_G\cdot 2^{-k_0}.$$
- (2) \(\Pr [\mathtt{RBad }|\lnot \mathtt{SBad }\wedge \lnot \mathtt{AskH }]\le 2^{-k_0}\).
The event means that RBad occurs provided \(s\ne s^*\) and the adversary has not queried \(H\) at \(s^*\). So \(H(s^*)\) is unpredictable and independent of \(H(s)\) as well as of \(t\) and \(t^*\), and the probability that \(r=r^*\), i.e. that \(H(s^*)=H(s)\oplus t\oplus t^*\), is at most \(2^{-k_0}\).
- (3) \(\Pr [\mathtt{AskR }|\mathtt{SBad }\wedge \lnot \mathtt{AskH }]\le q_G\cdot 2^{-k_0}\).
The event means that \(r\) has been asked to \(G\) whereas \(s=s^*\) and \(H(s^*)\) is unpredictable; hence \(r=H(s)\oplus t\) is unpredictable, and the probability of this event is at most \(q_G\cdot 2^{-k_0}\).
- (4) \(\Pr [\mathtt{Fail }\wedge \lnot \mathtt E |\lnot \mathtt{AskR }\wedge \mathtt{SBad } \wedge \lnot \mathtt{AskH }]\le 2^{-k_1}\).
Note that \(\lnot \mathtt E \) means that the events \(\mathtt{RBad },\lnot \mathtt{AskR }, \mathtt{SBad },\lnot \mathtt{AskH }\) cannot happen at the same time. So the whole event means that \(s=s^*\), \(r\ne r^*\), \(r\) has not been asked to \(G\), and \((G(r)\oplus s)[n...n+k_1-1]=0^{k_1}\), which implies that \((G(r)\oplus G(r^*))[n...n+k_1-1]=0^{k_1}\). Since \(G(r)\) is unpredictable, this equation holds with probability upper bounded by \(2^{-k_1}\).
- (5) \(\Pr [\mathtt{AskH }\wedge \mathtt{Bad }]\ge \Pr [\mathtt{Bad }]-\frac{2q_D}{2^{k_1}} -\frac{2q_Dq_G+q_D+q_G}{2^{k_0}}-q_D\epsilon '\) and \(\Pr [\mathtt{AskH }\wedge \lnot \mathtt{Bad }]\ge 2\epsilon -\Pr [\mathtt{Bad }].\)
$$\begin{aligned} \Pr [\mathtt{AskH }\wedge \mathtt{Bad }]&= \Pr [\mathtt{Bad }]-\Pr [\lnot \mathtt{AskH }\wedge \mathtt{Bad }]\\&\ge \Pr [\mathtt{Bad }]-\Pr [\lnot \mathtt{AskH }\wedge \mathtt{GBad }]-\Pr [\lnot \mathtt{AskH }\wedge \mathtt{DBad }]\\&\ge \Pr [\mathtt{Bad }]-\Pr [\mathtt{GBad }|\lnot \mathtt{AskH }]-\Pr [\mathtt{DBad }|\lnot \mathtt{AskH }]\\&\ge \Pr [\mathtt{Bad }]-\Pr [\mathtt{AskG }|\lnot \mathtt{AskH }]-\Pr [\mathtt{DBad }|\lnot \mathtt{AskH }]\\&\ge \Pr [\mathtt{Bad }]-\frac{q_G}{2^{k_0}}-q_D\left(\frac{2}{2^{k_1}}+\frac{2q_G+1}{2^{k_0}}+\epsilon '\right)\\&\ge \Pr [\mathtt{Bad }]-\frac{2q_D}{2^{k_1}}-\frac{2q_Dq_G+q_D+q_G}{2^{k_0}}-q_D\epsilon '. \end{aligned}$$
The above inequalities follow from Lemma 1 and the previous results. Let \(P_A\) denote \(\Pr [\mathtt{AskH }\wedge \lnot \mathtt{Bad }]\); then we have:
$$\begin{aligned} \Pr [\mathtt{AskH }\wedge \lnot \mathtt{Bad }]&\ge \Pr [b=b'\wedge \mathtt{AskH }\wedge \lnot \mathtt{Bad }]\\&= \Pr [b=b'\wedge \lnot \mathtt{Bad }]- \Pr [b'=b\wedge \lnot \mathtt{AskH }\wedge \lnot \mathtt{Bad }]\\&\ge \Pr [b=b']-\Pr [\mathtt{Bad }]-\Pr [\lnot \mathtt{AskH }\wedge \lnot \mathtt{Bad }]\cdot \Pr [b=b'|\lnot \mathtt{AskH }\wedge \lnot \mathtt{Bad }]\\&= \frac{1}{2}+\epsilon -\Pr [\mathtt{Bad }]-\frac{1}{2}\cdot (1-P_A-\Pr [\mathtt{Bad }])\\ P_A&\ge 2\epsilon -\Pr [\mathtt{Bad }] \end{aligned}$$
Note that when \(\lnot \mathtt{AskH }\) occurs, \(H(s^*)\) is unpredictable, thus \(r^*=t^*\oplus H(s^*)\) is unpredictable and so is \(b\). This fact is independent of the event \(\lnot \mathtt{Bad }\), hence \(\Pr [b'=b|\lnot \mathtt{AskH }\wedge \lnot \mathtt{Bad }]=\frac{1}{2}\). In addition, \(\Pr [\mathtt{Bad }]+(\Pr [\mathtt{AskH }\wedge \lnot \mathtt{Bad }]+ \Pr [\lnot \mathtt{AskH }\wedge \lnot \mathtt{Bad }])=1,\) so \(\Pr [\lnot \mathtt{AskH }\wedge \lnot \mathtt{Bad }]=1-P_A-\Pr [\mathtt{Bad }].\)
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Jia, D., Li, B., Lu, X., Liu, Y. (2014). RSA-OAEP is RKA Secure. In: Lin, D., Xu, S., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2013. Lecture Notes in Computer Science, vol. 8567. Springer, Cham. https://doi.org/10.1007/978-3-319-12087-4_17
DOI: https://doi.org/10.1007/978-3-319-12087-4_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12086-7
Online ISBN: 978-3-319-12087-4