{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,25]],"date-time":"2026-01-25T03:56:36Z","timestamp":1769313396544,"version":"3.49.0"},"publisher-location":"Berlin, Heidelberg","reference-count":42,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"value":"9783642010002","type":"print"},{"value":"9783642010019","type":"electronic"}],"license":[{"start":{"date-parts":[[2009,1,1]],"date-time":"2009-01-01T00:00:00Z","timestamp":1230768000000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2009]]},"DOI":"10.1007\/978-3-642-01001-9_23","type":"book-chapter","created":{"date-parts":[[2009,4,15]],"date-time":"2009-04-15T12:38:25Z","timestamp":1239799105000},"page":"389-406","source":"Crossref","is-referenced-by-count":21,"title":["On the Security of Padding-Based Encryption Schemes \u2013 or \u2013 Why We Cannot Prove OAEP Secure in the Standard Model"],"prefix":"10.1007","author":[{"given":"Eike","family":"Kiltz","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Krzysztof","family":"Pietrzak","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","reference":[{"key":"23_CR1","doi-asserted-by":"crossref","unstructured":"Abe, M., Kiltz, E., Okamoto, T.: CCA-security with optimal ciphertext overhead. In: ASIACRYPT, pp. 355\u2013371 (2008)","DOI":"10.1007\/978-3-540-89255-7_22"},{"key":"23_CR2","doi-asserted-by":"crossref","unstructured":"Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM CCS 1993, pp. 62\u201373 (1993)","DOI":"10.1145\/168588.168596"},{"key":"23_CR3","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"92","DOI":"10.1007\/BFb0053428","volume-title":"Advances in Cryptology - EUROCRYPT \u201994","author":"M. Bellare","year":"1995","unstructured":"Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol.\u00a0950, pp. 92\u2013111. Springer, Heidelberg (1995)"},{"key":"23_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"519","DOI":"10.1007\/3-540-48405-1_33","volume-title":"Advances in Cryptology - CRYPTO \u201999","author":"M. Bellare","year":"1999","unstructured":"Bellare, M., Sahai, A.: Non-malleable encryption: Equivalence between two notions, and an indistinguishability-based characterization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol.\u00a01666, pp. 519\u2013536. Springer, Heidelberg (1999)"},{"key":"23_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/BFb0055716","volume-title":"Advances in Cryptology - CRYPTO \u201998","author":"D. Bleichenbacher","year":"1998","unstructured":"Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol.\u00a01462, pp. 1\u201312. Springer, Heidelberg (1998)"},{"key":"23_CR6","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"412","DOI":"10.1007\/11535218_25","volume-title":"Advances in Cryptology \u2013 CRYPTO 2005","author":"A. Boldyreva","year":"2005","unstructured":"Boldyreva, A., Fischlin, M.: Analysis of random oracle instantiation scenarios for OAEP and other practical schemes. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol.\u00a03621, pp. 412\u2013429. Springer, Heidelberg (2005)"},{"key":"23_CR7","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"210","DOI":"10.1007\/11935230_14","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2006","author":"A. Boldyreva","year":"2006","unstructured":"Boldyreva, A., Fischlin, M.: On the security of OAEP. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol.\u00a04284, pp. 210\u2013225. Springer, Heidelberg (2006)"},{"key":"23_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"275","DOI":"10.1007\/3-540-44647-8_17","volume-title":"Advances in Cryptology - CRYPTO 2001","author":"D. Boneh","year":"2001","unstructured":"Boneh, D.: Simplified OAEP for the RSA and rabin functions. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol.\u00a02139, pp. 275\u2013291. Springer, Heidelberg (2001)"},{"key":"23_CR9","unstructured":"Brown, D.R.L.: What hashes make RSA-OAEP secure? Cryptology ePrint Archive, Report 2006\/223 (2006), http:\/\/eprint.iacr.org\/"},{"issue":"4","key":"23_CR10","doi-asserted-by":"publisher","first-page":"557","DOI":"10.1145\/1008731.1008734","volume":"51","author":"R. Canetti","year":"2004","unstructured":"Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM\u00a051(4), 557\u2013594 (2004)","journal-title":"J. ACM"},{"key":"23_CR11","doi-asserted-by":"crossref","unstructured":"Canetti, R., Micciancio, D., Reingold, O.: Perfectly one-way probabilistic hash functions (preliminary version). In: STOC, pp. 131\u2013140 (1998)","DOI":"10.1145\/276698.276721"},{"key":"23_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"254","DOI":"10.1007\/11496137_18","volume-title":"Applied Cryptography and Network Security","author":"B. Chevallier-Mames","year":"2005","unstructured":"Chevallier-Mames, B., Phan, D.H., Pointcheval, D.: Optimal asymmetric encryption and signature paddings. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol.\u00a03531, pp. 254\u2013268. Springer, Heidelberg (2005)"},{"key":"23_CR13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"226","DOI":"10.1007\/3-540-45708-9_15","volume-title":"Advances in Cryptology - CRYPTO 2002","author":"J.-S. Coron","year":"2002","unstructured":"Coron, J.-S., Joye, M., Naccache, D., Paillier, P.: Universal padding schemes for RSA. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol.\u00a02442, pp. 226\u2013241. Springer, Heidelberg (2002)"},{"key":"23_CR14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"502","DOI":"10.1007\/978-3-540-76900-2_31","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2007","author":"R. Cramer","year":"2007","unstructured":"Cramer, R., Hanaoka, G., Hofheinz, D., Imai, H., Kiltz, E., Pass, R., Shelat, A., Vaikuntanathan, V.: Bounded CCA2-secure encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol.\u00a04833, pp. 502\u2013518. Springer, Heidelberg (2007)"},{"key":"23_CR15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"203","DOI":"10.1007\/3-540-39118-5_19","volume-title":"Advances in Cryptology - EUROCRYPT \u201988","author":"I. Damg\u00e5rd","year":"1988","unstructured":"Damg\u00e5rd, I.: Collision free hash functions and public key signature schemes. In: G\u00fcnther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol.\u00a0330, pp. 203\u2013216. Springer, Heidelberg (1988)"},{"key":"23_CR16","doi-asserted-by":"crossref","unstructured":"Dodis, Y., Freedman, M.J., Jarecki, S., Walfish, S.: Versatile padding schemes for joint signature and encryption. In: ACM CCS, pp. 344\u2013353 (2004)","DOI":"10.1145\/1030083.1030129"},{"key":"23_CR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"449","DOI":"10.1007\/11535218_27","volume-title":"Advances in Cryptology \u2013 CRYPTO 2005","author":"Y. Dodis","year":"2005","unstructured":"Dodis, Y., Oliveira, R., Pietrzak, K.: On the generic insecurity of the full domain hash. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol.\u00a03621, pp. 449\u2013466. Springer, Heidelberg (2005)"},{"issue":"2","key":"23_CR18","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1007\/s00145-002-0204-y","volume":"17","author":"E. Fujisaki","year":"2004","unstructured":"Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. Journal of Cryptology\u00a017(2), 81\u2013104 (2004)","journal-title":"Journal of Cryptology"},{"key":"23_CR19","doi-asserted-by":"crossref","unstructured":"Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: FOCS, pp. 305\u2013313 (2000)","DOI":"10.1109\/SFCS.2000.892119"},{"key":"23_CR20","doi-asserted-by":"crossref","unstructured":"Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between public key encryption and oblivious transfer. In: FOCS, pp. 325\u2013335 (2000)","DOI":"10.1109\/SFCS.2000.892121"},{"key":"23_CR21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"434","DOI":"10.1007\/978-3-540-70936-7_24","volume-title":"Theory of Cryptography","author":"Y. Gertner","year":"2007","unstructured":"Gertner, Y., Malkin, T.G., Myers, S.: Towards a separation of semantic and CCA security for public key encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol.\u00a04392, pp. 434\u2013455. Springer, Heidelberg (2007)"},{"key":"23_CR22","doi-asserted-by":"crossref","unstructured":"Gertner, Y., Malkin, T., Reingold, O.: On the impossibility of basing trapdoor functions on trapdoor predicates. In: FOCS, pp. 126\u2013135 (2001)","DOI":"10.1109\/SFCS.2001.959887"},{"key":"23_CR23","doi-asserted-by":"crossref","unstructured":"Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: STOC, pp. 25\u201332 (1989)","DOI":"10.1145\/73007.73010"},{"key":"23_CR24","doi-asserted-by":"crossref","unstructured":"Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: FOCS, pp. 102\u2013115 (2003)","DOI":"10.1109\/SFCS.2003.1238185"},{"key":"23_CR25","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"394","DOI":"10.1007\/978-3-540-24638-1_22","volume-title":"Theory of Cryptography","author":"I. Haitner","year":"2004","unstructured":"Haitner, I.: Implementing oblivious transfer using collection of dense trapdoor permutations. In: Naor, M. (ed.) TCC 2004. LNCS, vol.\u00a02951, pp. 394\u2013409. Springer, Heidelberg (2004)"},{"key":"23_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"92","DOI":"10.1007\/978-3-540-28628-8_6","volume-title":"Advances in Cryptology \u2013 CRYPTO 2004","author":"C.-Y. Hsiao","year":"2004","unstructured":"Hsiao, C.-Y., Reyzin, L.: Finding collisions on a public road, or do secure hash functions need secret coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol.\u00a03152, pp. 92\u2013105. Springer, Heidelberg (2004)"},{"key":"23_CR27","doi-asserted-by":"crossref","unstructured":"Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: STOC, pp. 44\u201361 (1989)","DOI":"10.1145\/73007.73012"},{"key":"23_CR28","unstructured":"Kim, J.H., Simon, D.R., Tetali, P.: Limits on the efficiency of one-way permutation-based hash functions. In: FOCS, pp. 535\u2013542 (1999)"},{"key":"23_CR29","unstructured":"Kobara, K., Imai, H.: OAEP++: A very simple way to apply OAEP to deterministic OW-CPA primitives. Cryptology ePrint Archive, Report 2002\/130 (2002), http:\/\/eprint.iacr.org\/"},{"key":"23_CR30","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"366","DOI":"10.1007\/978-3-540-45146-4_22","volume-title":"Advances in Cryptology - CRYPTO 2003","author":"Y. Komano","year":"2003","unstructured":"Komano, Y., Ohta, K.: Efficient universal padding techniques for multiplicative trapdoor one-way permutation. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol.\u00a02729, pp. 366\u2013382. Springer, Heidelberg (2003)"},{"issue":"3","key":"23_CR31","doi-asserted-by":"publisher","first-page":"359","DOI":"10.1007\/s00145-005-0345-x","volume":"19","author":"Y. Lindell","year":"2006","unstructured":"Lindell, Y.: A simpler construction of CCA2-secure public-key encryption under general assumptions. Journal of Cryptology\u00a019(3), 359\u2013377 (2006)","journal-title":"Journal of Cryptology"},{"key":"23_CR32","doi-asserted-by":"crossref","unstructured":"Micali, S., Rabin, M.O., Vadhan, S.P.: Verifiable random functions. In: FOCS, pp. 120\u2013130 (1999)","DOI":"10.1109\/SFFCS.1999.814584"},{"key":"23_CR33","doi-asserted-by":"crossref","unstructured":"Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC (1990)","DOI":"10.1145\/100216.100273"},{"key":"23_CR34","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"159","DOI":"10.1007\/3-540-45353-9_13","volume-title":"Topics in Cryptology - CT-RSA 2001","author":"T. Okamoto","year":"2001","unstructured":"Okamoto, T., Pointcheval, D.: REACT: Rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol.\u00a02020, pp. 159\u2013175. Springer, Heidelberg (2001)"},{"key":"23_CR35","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"252","DOI":"10.1007\/11935230_17","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2006","author":"P. Paillier","year":"2006","unstructured":"Paillier, P., Villar, J.L.: Trading one-wayness against chosen-ciphertext security in factoring-based encryption. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol.\u00a04284, pp. 252\u2013266. Springer, Heidelberg (2006)"},{"key":"23_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-540-40061-5_1","volume-title":"Advances in Cryptology - ASIACRYPT 2003","author":"D.H. Phan","year":"2003","unstructured":"Phan, D.H., Pointcheval, D.: Chosen-ciphertext security without redundancy. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol.\u00a02894, pp. 1\u201318. Springer, Heidelberg (2003)"},{"key":"23_CR37","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1007\/978-3-540-30539-2_5","volume-title":"Advances in Cryptology - ASIACRYPT 2004","author":"D.H. Phan","year":"2004","unstructured":"Phan, D.H., Pointcheval, D.: OAEP 3-round:A generic and secure asymmetric encryption padding. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol.\u00a03329, pp. 63\u201377. Springer, Heidelberg (2004)"},{"key":"23_CR38","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"433","DOI":"10.1007\/3-540-48071-4_30","volume-title":"Advances in Cryptology - CRYPTO \u201992","author":"C. Rackoff","year":"1993","unstructured":"Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol.\u00a0740, pp. 433\u2013444. Springer, Heidelberg (1993)"},{"key":"23_CR39","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"419","DOI":"10.1007\/978-3-642-00457-5_25","volume-title":"TCC 2009","author":"A. Rosen","year":"2009","unstructured":"Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009. LNCS, vol.\u00a05444, pp. 419\u2013436. Springer, Heidelberg (2009)"},{"key":"23_CR40","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"256","DOI":"10.1007\/3-540-69053-0_18","volume-title":"Advances in Cryptology - EUROCRYPT \u201997","author":"V. Shoup","year":"1997","unstructured":"Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol.\u00a01233, pp. 256\u2013266. Springer, Heidelberg (1997)"},{"issue":"4","key":"23_CR41","doi-asserted-by":"publisher","first-page":"223","DOI":"10.1007\/s00145-002-0133-9","volume":"15","author":"V. Shoup","year":"2002","unstructured":"Shoup, V.: OAEP reconsidered. Journal of Cryptology\u00a015(4), 223\u2013249 (2002)","journal-title":"Journal of Cryptology"},{"key":"23_CR42","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"334","DOI":"10.1007\/BFb0054137","volume-title":"Advances in Cryptology - EUROCRYPT \u201998","author":"D.R. Simon","year":"1998","unstructured":"Simon, D.R.: Findings Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol.\u00a01403, pp. 334\u2013345. Springer, Heidelberg (1998)"}],"container-title":["Lecture Notes in Computer Science","Advances in Cryptology - EUROCRYPT 2009"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-642-01001-9_23","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,2,8]],"date-time":"2025-02-08T23:42:49Z","timestamp":1739058169000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-642-01001-9_23"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2009]]},"ISBN":["9783642010002","9783642010019"],"references-count":42,"URL":"https:\/\/doi.org\/10.1007\/978-3-642-01001-9_23","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2009]]}}}