
Why SHA-1 or MD5 Are Safe in RSA-OAEP
In the section above, we mentioned that we’d be using SHA-1 for our mathematical formulation and examples. When you see SHA-1 or MD5 used in the context of RSA-OAEP, don’t let the fact that these hash functions are considered broken for collision resistance alarm you. If you look closely at the previous section, the hash function serves two very specific roles, neither of which relies on its collision resistance. Let’s break them down one by one:
Label Hashing
The hash function is used to compute a fixed-length hash of an optional label (often empty).
Now let’s see why this is safe in this context. This hash, called , acts as a domain separator. Its job is simply to ensure that the label is correctly associated with the ciphertext during decryption. As long as the label is chosen wisely (that is, not built from adversary-controlled parts), collision resistance isn’t critical here.
Mask Generation Function ()
The hash function is also used inside to create a pseudorandom mask. This mask is applied both to the data block and to the random seed used in the encoding process.
In this context, the hash function is treated as a random oracle. The job is to spread the randomness of the seed across a larger block of data. For this purpose, properties like length extension or collision resistance are not relevant. What matters is that the output appears random, and even SHA-1 or MD5 can deliver that when used in this controlled, fixed-input scenario.