authorBodo Möller <bodo@openssl.org>2000-12-05 10:30:21 +0000
committerBodo Möller <bodo@openssl.org>2000-12-05 10:30:21 +0000
commit9347ba487c6e72ca2dca04835ff649d88647b568 (patch)
tree2f50ed1c2f7cdd9e6c7f60615bcd48df1e4eec44
parentc28500900eeab05cf9fd6d7c39a5de057433e6ab (diff)
downloadopenssl-new-9347ba487c6e72ca2dca04835ff649d88647b568.tar.gz
Discuss http://www.shoup.net/papers/oaep.ps.Z
-rw-r--r--crypto/rsa/rsa_oaep.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index f735c8d638..8d306d1ead 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -2,7 +2,22 @@
/* Written by Ulf Moeller. This software is distributed on an "AS IS"
basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
-/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
+/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
+
+/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
+ * <URL: http://www.shoup.net/papers/oaep.ps.Z>
+ * for problems with the security proof for the
+ * original OAEP scheme, which EME-OAEP is based on.
+ *
+ * Note that for RSA OAEP a security proof in the
+ * random oracle model *does* exist if 160 < log_2(N/e);
+ * cf. section 7.2 ("But RSA-OAEP with exponent 3 is
+ * provably secure") of Shoup's paper. (The slight
+ * differences between the OAEP definition used by Shoup
+ * and OAEP as defined in RFC 2437 should not affect
+ * this result.)
+ */
+
#if !defined(NO_SHA) && !defined(NO_SHA1)
#include <stdio.h>
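Review bot: The bound `160 < log_2(N/e)` in the added comment is ambiguous as written: read literally it is log_2(N) - log_2(e), which any practical modulus satisfies, yet the section it cites is titled for exponent 3 only, so the intended condition is presumably `160 < (log_2 N)/e` (not checked against the paper here; confirm before changing). Parenthesising it, e.g. `* random oracle model *does* exist if 160 < (log_2 N)/e;`, would remove the doubt. It would also help to say where 160 comes from, presumably the output length in bits of the hash this file uses (SHA-1, judging by the `NO_SHA1` guard), so a reader can tell whether a given key and exponent fall under the proof. Under that reading larger public exponents would not be covered at usual modulus sizes, and the comment should say so rather than read as a blanket assurance.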