Cryptography
Updated Sun, 22 May 2022 07:50:34 GMT

# Role of lHash field in RSAES-OAEP

The RSA encryption padding of RSAES-OAEP has a lHash field set to the hash of a label. That label is typically the empty string, or some public description of the intended use of the message.

Does the lHash field play some role in the security (confidentiality of M under IND-CCA2 or similar), or security reduction to RSA? Does that depend on lHash being checked on decryption? On lHash not leaking on decryption of malformed cryptograms?

Would removing lHash and accordingly increasing the maximum size of M harm security?

Update: Squeamish Ossifrage answers, essentially, yes. Accordingly, PKCS#1 v2.2's EME-OAEP decoding wants lHash to be checked, as well as the other padding, and that it be done in constant time:

> Care must be taken to ensure that an opponent cannot distinguish the different error conditions [on 00, lHash, PS, 01], whether by error message or timing, or, more generally, learn partial information about the encoded message EM. Otherwise an opponent may be able to obtain useful information about the decryption of the ciphertext C, leading to a chosen-ciphertext attack such as the one observed by Manger [35].

James Manger's A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0, in proceedings of Crypto 2001, essentially shows that decryption implementations leaking if the leading 00 is present can be converted into a decryption oracle.
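As an added illustration (not code from the question or the answer), here is EME-OAEP encoding plus a decoder structured the way the quoted PKCS#1 text asks for: the leading 00, lHash, PS and the 01 separator are all checked over the whole buffer with no early exit, folded into one flag, and every failure yields the same single signal. `k` is the modulus length in bytes and the RSA primitive itself is omitted; Python's integer and byte operations carry no timing guarantee, so this shows the required structure, not a constant-time implementation.

```python
import hashlib
import hmac
import os

def mgf1(seed: bytes, length: int, h=hashlib.sha256) -> bytes:
    """MGF1 (PKCS#1 v2.2, B.2.1): concatenate H(seed || counter) blocks, truncate."""
    hlen = h().digest_size
    blocks = (length + hlen - 1) // hlen
    return b"".join(h(seed + c.to_bytes(4, "big")).digest() for c in range(blocks))[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m: bytes, k: int, label: bytes = b"", h=hashlib.sha256, seed: bytes = None) -> bytes:
    """EME-OAEP encode: EM = 00 || maskedSeed || maskedDB, DB = lHash || PS || 01 || M."""
    hlen = h().digest_size
    if len(m) > k - 2 * hlen - 2:
        raise ValueError("message too long")
    db = h(label).digest() + b"\x00" * (k - len(m) - 2 * hlen - 2) + b"\x01" + m
    seed = seed if seed is not None else os.urandom(hlen)   # fixed seed only for tests
    masked_db = xor(db, mgf1(seed, k - hlen - 1, h))
    masked_seed = xor(seed, mgf1(masked_db, hlen, h))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int, label: bytes = b"", h=hashlib.sha256):
    """EME-OAEP decode. Returns M, or None for *every* failure (00, lHash, PS, 01).
    No check short-circuits: all of DB is scanned and the verdicts are OR-ed together."""
    hlen = h().digest_size
    if len(em) != k or k < 2 * hlen + 2:          # length is public, so this may branch
        return None
    y, masked_seed, masked_db = em[0], em[1:hlen + 1], em[hlen + 1:]
    seed = xor(masked_seed, mgf1(masked_db, hlen, h))
    db = xor(masked_db, mgf1(seed, k - hlen - 1, h))
    bad = y                                      # nonzero leading byte: record, keep going
    bad |= 1 - int(hmac.compare_digest(db[:hlen], h(label).digest()))   # lHash mismatch
    found, sep = 0, len(db)                      # sep stays len(db) if no 01 separator
    for i in range(hlen, len(db)):               # scan PS || 01 || M fully, never break
        is_one, is_zero = int(db[i] == 1), int(db[i] == 0)
        bad |= (1 - found) & (1 - is_one) & (1 - is_zero)   # non-zero byte inside PS
        sep = found * sep + (1 - found) * (is_one * i + (1 - is_one) * sep)
        found |= is_one
    bad |= 1 - found                             # separator never seen
    return None if bad else db[sep + 1:]         # one outcome for all failure modes
```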

## Solution

I believe $\mathit{lHash} \mathbin\Vert \mathit{PS} \mathbin\Vert \mathrm{01}$ serves the role of the zero-padding in $s = (m \mathbin\Vert 0^{k_1}) \oplus G(r)$ from the formulation of RSAES-OAEP in the standard reference for its security reduction, on p. 5. Verifying that it matches exactly what you intend is critical for the security reduction to work, in particular where it figures into Game 6 on p. 14, to provide the bounds involving $k_1$ in Theorem 1 on p. 9.

Using a label perhaps provides some kind of domain separation for different applications, in case, e.g., two applications' entropy sources are both broken.