RSA–REACT: An Alternative to RSA–OAEP

The last few months, several new results appeared about the OAEP construction, and namely the RSA–OAEP cryptosystem. Whereas OAEP was believed to provide the highest security level (IND-CCA2), with an efficient exact security level, the effective security result had been showed to be incomplete. Nevertheless, the particular instantiation with RSA (which is anyway almost the sole application) had been eventually proven secure, but the security reduction appears to be quite inefficient. Therefore, with respect to the provable security result, RSA–OAEP with a 1024-bit modulus just provides a 2 security level. Several alternatives have been recently proposed, but most of them face the same problem with a quadratic time security reduction. Excepted the recent generic conversion, called REACT, which admits a linear time reduction. Consequently, RSA–REACT appears to be the best alternative to RSA–OAEP, granted the high security level, even with real world parameters. RSA–REACT with a 1024-bit modulus indeed guarantees a 2 security level (IND-CCA2 under the RSA assumption). Furthermore, the full construction is already proven secure when integrating symmetric encryption, which guarantees the security of the overall communication.