Update "OAEP reconsidered" comment

author: Bodo Möller <bodo@openssl.org> 2001-01-24 14:59:25 +0000
committer: Bodo Möller <bodo@openssl.org> 2001-01-24 14:59:25 +0000
commit: 9ae9c221de0cc6c8204290d9c7a6f633001af753 (patch)
tree: 271c4cb6904d718b9124e10003d7dc2134059a59 /crypto
parent: 4256650d68d3e50f908dd4563704d8911ac57302 (diff)
1 files changed, 8 insertions, 8 deletions
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 8d306d1ead..d402a200b9 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -8,14 +8,14 @@
  * <URL: http://www.shoup.net/papers/oaep.ps.Z>
  * for problems with the security proof for the
  * original OAEP scheme, which EME-OAEP is based on.
- *
- * Note that for RSA OAEP a security proof in the
- * random oracle model *does* exist if 160 < log_2(N/e);
- * cf. section 7.2 ("But RSA-OAEP with exponent 3 is
- * provably secure") of Shoup's paper.  (The slight
- * differences between the OAEP definition used by Shoup
- * and OAEP as defined in RFC 2437 should not affect
- * this result.)
+ * 
+ * A new proof can be found in E. Fujisaki, T. Okamoto,
+ * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
+ * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
+ * The new proof has stronger requirements for the
+ * underlying permutation: "partial-one-wayness" instead
+ * of one-wayness.  For the RSA function, this is
+ * an equivalent notion.
  */
author	Bodo Möller <bodo@openssl.org>	2001-01-24 14:59:25 +0000
committer	Bodo Möller <bodo@openssl.org>	2001-01-24 14:59:25 +0000
commit	9ae9c221de0cc6c8204290d9c7a6f633001af753 (patch)
tree	271c4cb6904d718b9124e10003d7dc2134059a59 /crypto
parent	4256650d68d3e50f908dd4563704d8911ac57302 (diff)