A key encapsulation mechanism (KEM) can be used to construct a “hybrid” cryptosystems. In these cryptosystems symmetric keys (e.g. for AES) are encrypted using asymmetric keys. The symmetric key is used for encrypting data.
A naive KEM built using RSA primitives could use “textbook” RSA to encrypt a randomly generated symmetric key but this has some significant flaws:
eis small (e.g.
e=3), the symmetric key may not be reduced by the modulus after exponentiation. This means the “encrypted” key would be trivially decrypted by taking the
eth-root of the ciphertext.
Unpadded RSA ciphertexts can be manipulated in predicatable ways. The paper “When Textbook RSA is Used to Protect the Privacy of Hundreds of Millions of Users” describes a fantastic attack on an unpadded RSA-based KEM where captured encrypted keys were decrypted by replaying ciphertexts with clever bit-shifts.
RSA-KEM works by generating a random integer
(0, N-1) (where
N is the modulus of the key) and encrypting/encapsulating
r. The symmetric key is then derived by throwing
r into a key derivation function (KDF).
As I understand it, OAEP is emulating a construction like RSA-KEM in that it attempts to converts a message into a
r-like value. The extra complexity that OAEP introduces is to handle messages that are not necessarily evenly distributed in
(0, N-1) and the padding step needs to be reversible.