I’ve found a way to complete a task, which I’d otherwise solve with passwords or by sending keys over the wire, by using RSA’s homomorphic property.
I’m restricted to RSA (any padding; for hardware reasons) to implement “blindable decryption”, where one party holds some encrypted data, blinds it, sends it to the decryption oracle, receives it and recovers the embedded key by unblinding.
For this, a “secure-as-possible” version of RSA is required that still has the multiplicative homomorphic property.
So what is the best padding for RSA that keeps this property?
Note: An IND-CCA1 version of RSA would be perfectly fine.
My definition of best (in order of preference): Highest security level, easiest implementability, fastest run-time.
Edit: I removed the ECDH unit, as the question is way more interesting this way. The ECDH unit can solve the problem using ElGamal and an ECIES-like approach.
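
The blind, decrypt, unblind flow described in the question, as an added example that is not part of the original post. It assumes unpadded textbook RSA with a constructed toy modulus so that the multiplicative property is visible; the function names and parameters are illustrative and make no claim about which padding is suitable.

```python
import math
import secrets

# Constructed toy parameters (assumption): two Mersenne primes.
# Far too small for real use; shown only to make the arithmetic concrete.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the oracle


def encrypt(m):
    """Textbook RSA encryption (no padding): c = m^e mod n."""
    return pow(m, E, N)


def oracle_decrypt(c):
    """Decryption oracle (e.g. the hardware unit): returns c^d mod n."""
    return pow(c, D, N)


def blind(c):
    """Client side: pick random r coprime to n, return (c * r^e mod n, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2      # r in [2, n-1]
        if math.gcd(r, N) == 1:               # r must be invertible mod n
            return (c * pow(r, E, N)) % N, r


def unblind(m_blinded, r):
    """Client side: the oracle returned m * r mod n, so multiply by r^-1."""
    return (m_blinded * pow(r, -1, N)) % N


def blind_decrypt(c):
    """Full round trip; also returns what the oracle saw and the factor r."""
    c_blind, r = blind(c)
    seen_by_oracle = oracle_decrypt(c_blind)  # equals m * r mod n, not m
    return unblind(seen_by_oracle, r), c_blind, seen_by_oracle, r


if __name__ == "__main__":
    key = secrets.randbits(128)               # the embedded key, below n
    recovered, c_blind, seen, _ = blind_decrypt(encrypt(key))
    print("oracle saw the key:", seen == key)
    print("client recovered key:", recovered == key)
```

The oracle only ever handles `c * r^e mod n` and `m * r mod n`, which is why the scheme depends on the padding preserving multiplication of plaintexts.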