author | Bodo Möller <bodo@openssl.org> | 2001-01-24 14:59:25 +0000 |
---|---|---|
committer | Bodo Möller <bodo@openssl.org> | 2001-01-24 14:59:25 +0000 |
commit | 9ae9c221de0cc6c8204290d9c7a6f633001af753 (patch) | |
tree | 271c4cb6904d718b9124e10003d7dc2134059a59 /crypto | |
parent | 4256650d68d3e50f908dd4563704d8911ac57302 (diff) |
Update "OAEP reconsidered" comment
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/rsa/rsa_oaep.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 8d306d1ead..d402a200b9 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -8,14 +8,14 @@ * <URL: http://www.shoup.net/papers/oaep.ps.Z> * for problems with the security proof for the * original OAEP scheme, which EME-OAEP is based on. - * - * Note that for RSA OAEP a security proof in the - * random oracle model *does* exist if 160 < log_2(N/e); - * cf. section 7.2 ("But RSA-OAEP with exponent 3 is - * provably secure") of Shoup's paper. (The slight - * differences between the OAEP definition used by Shoup - * and OAEP as defined in RFC 2437 should not affect - * this result.) + * + * A new proof can be found in E. Fujisaki, T. Okamoto, + * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!", + * Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>. + * The new proof has stronger requirements for the + * underlying permutation: "partial-one-wayness" instead + * of one-wayness. For the RSA function, this is + * an equivalent notion. */ |
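Review bot: The cited paper title in the added comment is misspelled as "RSA-OEAP is Still Alive!"; the scheme is written OAEP everywhere else in this comment (EME-OAEP, the original OAEP scheme), so the title should read "RSA-OAEP". Separately, the closing sentence "For the RSA function, this is an equivalent notion" would be clearer if it named both sides, for example "partial-one-wayness is equivalent to one-wayness". The hunk also drops the pointer to section 7.2 of Shoup's paper and the 160 < log_2(N/e) condition without the commit message saying why; if that result still holds alongside the new proof, a one-line reference to it is worth keeping.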