Showing papers on "Optimal asymmetric encryption padding published in 1999"


Book ChapterDOI
15 Aug 1999
TL;DR: This paper shows a generic and simple conversion from weak asymmetric and symmetric encryption schemes into an asymmetric encryption scheme which is secure in a very strong sense -- indistinguishability against adaptive chosen-ciphertext attacks in the random oracle model.
Abstract: This paper shows a generic and simple conversion from weak asymmetric and symmetric encryption schemes into an asymmetric encryption scheme which is secure in a very strong sense -- indistinguishability against adaptive chosen-ciphertext attacks in the random oracle model. In particular, this conversion can be applied efficiently to an asymmetric encryption scheme that provides a large enough coin space and, for every message, many enough variants of the encryption, like the ElGamal encryption scheme.

926 citations


Journal Article
TL;DR: This conversion is the first generic transformation from an arbitrary one-way asymmetric encryption scheme to a chosen-ciphertext secure asymmetric encryption scheme in the random oracle model.
Abstract: This paper shows a generic and simple conversion from weak asymmetric and symmetric encryption schemes into an asymmetric encryption scheme which is secure in a very strong sense- indistinguishability against adaptive chosen-ciphertext attacks in the random oracle model. In particular, this conversion can be applied efficiently to an asymmetric encryption scheme that provides a large enough coin space and, for every message, many enough variants of the encryption, like the ElGamal encryption scheme.

457 citations


Book ChapterDOI
01 Mar 1999
TL;DR: In this paper, the authors presented a simple and efficient conversion from a semantically secure public-key encryption scheme against passive adversaries to a non-malleable (or semantically secure) public-key encryption scheme against adaptive chosen-ciphertext attacks (active adversaries) in the random oracle model.
Abstract: This paper presents a simple and efficient conversion from a semantically secure public-key encryption scheme against passive adversaries to a non-malleable (or semantically secure) public-key encryption scheme against adaptive chosen-ciphertext attacks (active adversaries) in the random oracle model. Since our conversion requires only one random (hash) function operation, the converted scheme is almost as efficient as the original one, when the random function is replaced by a practical hash function such as SHA-1 and MD5. We also give a concrete analysis of the reduction for proving its security, and show that our security reduction is (almost) optimally efficient. Finally this paper gives some practical examples of applying this conversion to some practical and semantically secure encryption schemes such as the ElGamal, Blum-Goldwasser and Okamoto-Uchiyama schemes [4, 7, 9].

346 citations


Book ChapterDOI
15 Aug 1999
TL;DR: In this paper, it was shown that non-malleability is equivalent to indistinguishability under a parallel chosen ciphertext attack, this being a new kind of chosen cipher text attack, in which the adversary's decryption queries are not allowed to depend on answers to previous queries, but must be made all at once.
Abstract: We prove the equivalence of two definitions of nonmalleable encryption appearing in the literature -- the original one of Dolev, Dwork and Naor and the later one of Bellare, Desai, Pointcheval and Rogaway. The equivalence relies on a new characterization of non-malleable encryption in terms of the standard notion of indistinguishability of Goldwasser and Micali. We show that non-malleability is equivalent to indistinguishability under a "parallel chosen ciphertext attack," this being a new kind of chosen ciphertext attack we introduce, in which the adversary's decryption queries are not allowed to depend on answers to previous queries, but must be made all at once. This characterization simplifies both the notion of non-malleable encryption and its usage, and enables one to see more easily how it compares with other notions of encryption. The results here apply to non-malleable encryption under any form of attack, whether chosen-plaintext, chosen-ciphertext, or adaptive chosen-ciphertext.

182 citations


Book ChapterDOI
14 Nov 1999
TL;DR: Two new public-key cryptosystems semantically secure against adaptive chosen-ciphertext attacks are proposed, in the random oracle model, secure against active adversaries (NM-CCA2) under the assumptions that the Decision Composite Residuosity and Decision Partial Discrete Logarithms problems are intractable.
Abstract: This paper proposes two new public-key cryptosystems semantically secure against adaptive chosen-ciphertext attacks. Inspired from a recently discovered trapdoor technique based on composite-degree residues, our converted encryption schemes are proven, in the random oracle model, secure against active adversaries (NM-CCA2) under the assumptions that the Decision Composite Residuosity and Decision Partial Discrete Logarithms problems are intractable. We make use of specific techniques that differ from Bellare-Rogaway or Fujisaki-Okamoto conversion methods. Our second scheme is specifically designed to be efficient for decryption and could provide an elegant alternative to OAEP.

137 citations


Journal Article
TL;DR: In this paper, the authors proposed two new public-key cryptosystems that are semantically secure against adaptive chosen-ciphertext attacks in the random oracle model under the assumption that the Decision Composite Residuosity and Decision Partial Discrete Logarithms problems are intractable.
Abstract: This paper proposes two new public-key cryptosystems semantically secure against adaptive chosen-ciphertext attacks. Inspired from a recently discovered trapdoor technique based on composite-degree residues, our converted encryption schemes are proven, in the random oracle model, secure against active adversaries (NM-CCA2) under the assumptions that the Decision Composite Residuosity and Decision Partial Discrete Logarithms problems are intractable. We make use of specific techniques that differ from Bellare-Rogaway or Fujisaki-Okamoto conversion methods. Our second scheme is specifically designed to be efficient for decryption and could provide an elegant alternative to OAEP.

133 citations


Book ChapterDOI
15 Aug 1999
TL;DR: It is proved that Optimal Asymmetric Encryption Padding (OAEP) satisfies these definitions (in the random oracle model) and is the first construction of an AONT that has been proven secure in the strong sense.
Abstract: This paper studies All-or-Nothing Transforms (AONTs), which have been proposed by Rivest as a mode of operation for block ciphers. An AONT is an unkeyed, invertible, randomized transformation, with the property that it is hard to invert unless all of the output is known. Applications of AONTs include improving the security and speed of encryption. We give several formal definitions of security for AONTs that are stronger and more suited to practical applications than the original definitions. We then prove that Optimal Asymmetric Encryption Padding (OAEP) satisfies these definitions (in the random oracle model). This is the first construction of an AONT that has been proven secure in the strong sense. Our bound on the adversary's advantage is nearly optimal, in the sense that no adversary can do substantially better against the OAEP than by exhaustive search. We also show that no AONT can achieve substantially better security than OAEP.

100 citations


Journal Article
TL;DR: The first construction of an AONT that has been proven secure in the strong sense in the random oracle model was shown in this paper, where the adversary's advantage is nearly optimal, in the sense that no adversary can do substantially better against the OAEP than by exhaustive search.
Abstract: This paper studies All-or-Nothing Transforms (AONTs), which have been proposed by Rivest as a mode of operation for block ciphers. An AONT is an unkeyed, invertible, randomized transformation, with the property that it is hard to invert unless all of the output is known. Applications of AONTs include improving the security and speed of encryption. We give several formal definitions of security for AONTs that are stronger and more suited to practical applications than the original definitions. We then prove that Optimal Asymmetric Encryption Padding (OAEP) satisfies these definitions (in the random oracle model). This is the first construction of an AONT that has been proven secure in the strong sense. Our bound on the adversary's advantage is nearly optimal, in the sense that no adversary can do substantially better against the OAEP than by exhaustive search. We also show that no AONT can achieve substantially better security than OAEP.

87 citations


Book ChapterDOI
02 May 1999
TL;DR: Two variants are derived with improved security properties, namely against adaptive chosen-ciphertext attacks, in the random oracle model, and all those schemes are more or less as efficient as the original RSA encryption scheme and reach semantic security.
Abstract: Since the Diffie-Hellman paper, asymmetric encryption has been a very important topic, and furthermore ever well studied. However, between the efficiency of RSA and the security of some less efficient schemes, no trade-off has ever been provided. In this paper, we propose better than a trade-off: indeed, we first present a new problem, derived from the RSA assumption, the "Dependent-RSA Problem". A careful study of its difficulty is performed and some variants are proposed, namely the "Decisional Dependent-RSA Problem". They are next used to provide new encryption schemes which are both secure and efficient. More precisely, the main scheme is proven semantically secure in the standard model. Then, two variants are derived with improved security properties, namely against adaptive chosen-ciphertext attacks, in the random oracle model. Furthermore, all those schemes are more or less as efficient as the original RSA encryption scheme and reach semantic security.

82 citations


Book
01 Jan 1999
TL;DR: The Hardness of the Hidden Subset Sum Problem and Its Cryptographic Implications, and an Information Theoretic Analysis of Rooted-Tree Based Secure Multicast Key Distribution Schemes.
Abstract: Public-Key Cryptanalysis I.- On the Security of RSA Padding.- Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization.- The Hardness of the Hidden Subset Sum Problem and Its Cryptographic Implications.- Invited Lecture.- Information-Theoretic Cryptography.- Secure Communication and Computation.- Information Theoretically Secure Communication in the Limited Storage Space Model.- The All-or-Nothing Nature of Two-Party Secure Computation.- Distributed Cryptography.- Adaptive Security for Threshold Cryptosystems.- Two Party RSA Key Generation.- Robust Distributed Multiplication without Interaction.- A Simple Publicly Verifiable Secret Sharing Scheme and Its Application to Electronic Voting.- Secret-Key Cryptography.- Truncated Differentials and Skipjack.- Fast Correlation Attacks Based on Turbo Code Techniques.- Highly Nonlinear Resilient Functions Optimizing Siegenthaler's Inequality.- Message Authentication Codes.- UMAC: Fast and Secure Message Authentication.- Square Hash: Fast Message Authentication via Optimized Universal Hash Functions.- Constructing VIL-MACs from FIL-MACs: Message Authentication under Weakened Assumptions.- Stateless Evaluation of Pseudorandom Functions: Security Beyond the Birthday Barrier.- Public-Key Cryptanalysis II.- Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto '97.- Weakness in Quaternion Signatures.- Cryptanalysis of "2R" Schemes.- Factoring N = p^r q for Large r.- Traitor Tracing.- An Efficient Public Key Traitor Tracing Scheme.- Dynamic Traitor Tracing.- Efficient Methods for Integrating Traceability and Broadcast Encryption.- Differential Power Analysis.- Differential Power Analysis.- Towards Sound Approaches to Counteract Power-Analysis Attacks.- Signature Schemes.- Separability and Efficiency for Generic Group Signature Schemes.- A Forward-Secure Digital Signature Scheme.- Abuse-Free Optimistic Contract Signing.- Zero Knowledge.- Can Statistical Zero Knowledge Be Made Non-interactive? or On the Relationship of SZK and NISZK.- On Concurrent Zero-Knowledge with Pre-processing.- Asymmetric Encryption.- On the Security Properties of OAEP as an All-or-Nothing Transform.- Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization.- Secure Integration of Asymmetric and Symmetric Encryption Schemes.- Electronic Cash.- Auditable, Anonymous Electronic Cash.- Protocols and Broadcasting.- Oblivious Transfer with Adaptive Queries.- Compressing Cryptographic Resources.- Coding Constructions for Blacklisting Problems without Computational Assumptions.- An Information Theoretic Analysis of Rooted-Tree Based Secure Multicast Key Distribution Schemes.

12 citations


Journal Article
TL;DR: This paper shows that the non-malleability definitions of Dolev, Dwork and Naor and of Bellare, Desai, Pointcheval and Rogaway are equivalent, and that non-malleability is equivalent to indistinguishability under a parallel chosen ciphertext attack.
Abstract: We prove the equivalence of two definitions of non-malleable encryption appearing in the literature -- the original one of Dolev, Dwork and Naor and the later one of Bellare, Desai, Pointcheval and Rogaway. The equivalence relies on a new characterization of non-malleable encryption in terms of the standard notion of indistinguishability of Goldwasser and Micali. We show that non-malleability is equivalent to indistinguishability under a parallel chosen ciphertext attack, this being a new kind of chosen ciphertext attack we introduce, in which the adversary's decryption queries are not allowed to depend on answers to previous queries, but must be made all at once. This characterization simplifies both the notion of non-malleable encryption and its usage, and enables one to see more easily how it compares with other notions of encryption. The results here apply to non-malleable encryption under any form of attack, whether chosen-plaintext, chosen-ciphertext, or adaptive chosen-ciphertext.

Proceedings ArticleDOI
21 Sep 1999
TL;DR: This paper describes how two parties can jointly generate the parameters for the RSA encryption system, without the parties knowing the factorization of that number.
Abstract: This paper describes how two parties can jointly generate the parameters for the RSA encryption system. The proposed protocol generates a public modulus number, without the parties knowing the factorization of that number. Although the encryption exponent is publicly known, each party holds only a part of the exponent for decrypting the received messages.