"PKCS#1 v2.0 encryption is usually called OAEP encryption" Where can I confirm it?

Question

I heard that "PKCS#1 v2.0 encryption is usually called OAEP encryption".

I'll need some kind of "official" doc saying this before using it on my project. I'm trying to find it with no sucess. Any idea where can I find it?

Thanks!

(by the way, could anyone with more than 1500 reputation create the tag PKCS#1? Thanks!)

Answer 1

PKCS#1, prior to version 2.0, described a single encryption scheme. From version 2.0, the OAEP padding was added to PKCS#1, and the previous encryption scheme has been retroactively called "v1.5" (because that's the only scheme which was described in the 1.5 version of PKCS#1). In PKCS#1 itself, the two encryption schemes are called "RSAES-OAEP" and "RSAES-PKCS1-V1_5".

The OAEP padding can theoretically be used with many other asymmetric encryption schemes, but RSA is (by far) the most widely used asymmetric encryption system.

Coloquially, RSA encryption with OAEP padding is often known as "PKCS#1 v2.0 encryption" since the older scheme is called "PKCS#1 v1.5 encryption", but this is not an "official" name. Both OAEP and v1.5 are standard and supported by the recent versions of PKCS#1, so v1.5 is no less a "v2.0" scheme than OAEP. As I said above, the official name (as defined in PKCS#1) is "RSAES-OAEP".

Answer 2

It might be the case that the other poster said that it's "usually called OAEP encryption" because PKCS#1 v2.0 is when OAEP was introduced to the standard, according to the history located in this pdf. (see page 56). I don't know if anyone actually addresses v2.0 as OAEP. It should be noted that I'm not intimately involved in using these standards, so that could be the case and I wouldn't know it.

(edited for spelling/grammar errors)

Answer 3

Use the source

It can be confirmed going to the PKCS #1 specifications. PKCS #1 has been published in different forms by different organisations. The easiest to find are the (non-offical) versions published by the IETF.

• RFC 2437 for PKCS #1: RSA Cryptography Specifications Version 2.0

PKCS #1 version 1.5 didn't have OAEP. So its one and only encryption scheme was subsequently called "RSAES-PKCS1-V1_5" in v2.0. The official name of second encryption scheme introduced in v2.0 is "RSAES-OAEP" (RSA Encryption Scheme - Optimal Asymmetric Encryption Padding).

• RFC 2313 PKCS #1: RSA Encryption Version 1.5

To further complicate the picture, v2.1 changed the definition of RSAES-OAEP. So the RSAES-OAEP in PKCS #1 v2.0 is incompatible with RSAES-OAEP in PKCS #1 v2.1 and v2.2.

• RFC 3447 Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1
• RFC 8017 PKCS #1: RSA Cryptography Specifications Version 2.2

Even the titles are slightly different between versions!

Do or do not, there is no try

It is better to use the official term "RSAES-OAEP" along with a version number.

While "PKCS #1 encryption" probably means "OAEP encryption", it is better to avoid calling it that because it is wrong/ambiguous:

• PKCS #1 (v1.0) does not have any "OAEP".
• PKCS #1 (v2.0 and above) defines multiple encryption schemes, of which "OAEP" is only one of them. The term "PKCS #1 encryption" could technically mean the RSAES-PKCS1-V1_5" encryption scheme (though that usage is rare).
• PKCS #1 defines an RSA encryption primitive (officially called "RSAEP"), so the term makes more sense referring to that. RSAES-OAEP is made up of both an encoding method and that encryption primitive.
• It doesn't make it clear which of the incompatible RSAES-OAEP versions it is referring to.

Also, the encoding method for RSAES-OAEP has options (which hash function to use, and which mask generation function to use). And besides the data being encrypted by RSAES-OAEP, there can also be "encoding parameters". So for interoperability, those need to be clearly specified too.

It's a trap!