author | Bodo Möller <bodo@openssl.org> | 2000-12-05 10:30:21 +0000 |
---|---|---|
committer | Bodo Möller <bodo@openssl.org> | 2000-12-05 10:30:21 +0000 |
commit | 9347ba487c6e72ca2dca04835ff649d88647b568 (patch) | |
tree | 2f50ed1c2f7cdd9e6c7f60615bcd48df1e4eec44 /crypto | |
parent | c28500900eeab05cf9fd6d7c39a5de057433e6ab (diff) |
Discuss http://www.shoup.net/papers/oaep.ps.Z
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/rsa/rsa_oaep.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index f735c8d638..8d306d1ead 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -2,7 +2,22 @@ /* Written by Ulf Moeller. This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */ -/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */ +/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */ + +/* See Victor Shoup, "OAEP reconsidered," Nov. 2000, + * <URL: http://www.shoup.net/papers/oaep.ps.Z> + * for problems with the security proof for the + * original OAEP scheme, which EME-OAEP is based on. + * + * Note that for RSA OAEP a security proof in the + * random oracle model *does* exist if 160 < log_2(N/e); + * cf. section 7.2 ("But RSA-OAEP with exponent 3 is + * provably secure") of Shoup's paper. (The slight + * differences between the OAEP definition used by Shoup + * and OAEP as defined in RFC 2437 should not affect + * this result.) + */ + #if !defined(NO_SHA) && !defined(NO_SHA1) #include <stdio.h> |
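Review bot: The condition "160 < log_2(N/e)" in the second paragraph of the new comment is ambiguous and should be checked against section 7.2 of the paper before it lands. As written, the division is inside the logarithm, so the expression equals log_2(N) - log_2(e), which exceeds 160 for essentially any modulus and public exponent in practical use. That does not fit the section title the comment quotes, which singles out exponent 3. If the intended bound is log_2(N)/e, move the parenthesis. Either way, state that N is the RSA modulus and e the public exponent, and say where the 160 comes from (it is not tied to any parameter visible in this hunk), so a reader can tell whether a given key falls under the proof.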