CRYPTO NEWS

Bitcoin fights to hold $29K as fear of regulation and Terra’s UST implosion hit crypto hard

Bitcoin leverage traders show little interest in going long even as BTC price flirts with new lows below $29,000.

OAEP security with variable length hash function

I’m implementing a hobby cryptosystem for fun and to increase my knowledge on the subject, and I was wondering if the OAEP construct was still sufficient as an all-or-nothing-transform if variable length hash functions (specifically SHAKE256) are used for the $G$ and $H$ random oracles. I already found a paper showing that OAEP was functional ::Listen

I’m implementing a hobby cryptosystem for fun and to increase my knowledge on the subject, and I was wondering if the OAEP construct was still sufficient as an all-or-nothing-transform if variable length hash functions (specifically SHAKE256) are used for the $G$ and $H$ random oracles.

I already found a paper showing that OAEP was functional as an all-or-nothing-transform, but I’d like to use SHAKE256 as a hash function because it allows for arbitrary-length messages.

My current implementation is here. I pad the message to a minimum of 32 bytes, and then then my $k0$ length, or the length of the additional information added, is another 32 bytes.

I’m wondering if this use of SHAKE256 is theoretically secure, or if there is a problem with using a variable output hash function with OAEP. I’m not concerned with side channel attacks, this is a purely educational implementation.