Home

OAEPs

OAEPs, short for Optimal Asymmetric Encryption Padding variants, refer to a family of padding schemes used with RSA encryption to transform a plaintext message into a form suitable for RSA modular arithmetic. OAEP was introduced by Bellare and Rogaway in 1994 and has been standardized as RSAES-OAEP in PKCS#1 (and later in RFC 8017). The schemes are designed to provide probabilistic encryption and to resist several attack models when implemented correctly, by combining a hash function and a mask generation function.

Construction, at a high level, involves taking a message M and an optional label L (often empty),

Security and usage notes emphasize probabilistic encryption: OAEP prevents certain padding oracle and deterministic attack vectors

computing
a
hash
of
L,
and
forming
a
data
block
DB
that
contains
the
hash,
a
padding
string
of
zero
bytes
(PS),
a
single
0x01
delimiter,
and
the
message
M.
A
random
seed
is
generated.
The
seed
is
masked
by
applying
a
mask
generation
function
(MGF1)
to
DB,
and
DB
is
masked
by
applying
MGF1
to
the
masked
seed.
The
final
encoded
message
is
EM
=
0x00
||
maskedSeed
||
maskedDB,
which
is
then
encrypted
with
RSA.
Decryption
reverses
the
steps
and
verifies
the
structure
and
delimiter.
and
is
widely
used
as
the
standard
padding
for
RSA
encryption
in
many
protocols.
OAEP
schemes
are
parameterizable
with
different
hash
functions
(for
example
SHA-1
or
SHA-256)
and
corresponding
MGF1
instances;
the
label
L
should
be
kept
consistent
between
encryption
and
decryption.
OAEP
is
defined
as
RSAES-OAEP
in
PKCS#1
and
is
distinct
from
PSS,
the
padding
scheme
used
for
RSA
signatures.