
Showing papers on "Optimal asymmetric encryption padding published in 2002"


Journal ArticleDOI
Victor Shoup1
01 Sep 2002
TL;DR: It turns out—essentially by accident, rather than by design—that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.
Abstract: The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the OAEP security proof. Second, it proves that this gap cannot be filled, in the sense that there can be no standard ``black box'' security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure. The paper also presents a new scheme OAEP+ , along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP. It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. In fact, it turns out--essentially by accident, rather than by design--that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.

148 citations
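The abstract above describes OAEP and Shoup's OAEP+ only in words. The following added example (written for this page; not code from Shoup's paper or from any paper listed here) implements both padding transforms side by side so the one structural difference is visible: OAEP fills the redundancy field with zeros, OAEP+ fills it with a hash of the seed and the message. The instantiation is an assumption of the example: the oracles G and H are MGF1 over SHA-256 with distinct labels, H' is SHA-256 truncated to K1 bytes, and the lengths N, K0, K1 are fixed byte counts. The example stops at the padded block and does not apply the trapdoor permutation (the RSA exponentiation), since the papers on this page are about the transform, not the permutation.

```python
"""OAEP and OAEP+ padding transforms as byte-oriented functions (added example)."""
import hashlib
import hmac
import os
from typing import Callable, Optional

K0 = 16  # length of the random seed r, in bytes (assumed instantiation)
K1 = 16  # redundancy: a zero block in OAEP, the tag H'(r || M) in OAEP+
N = 32   # message length; the padded block is N + K0 + K1 = 64 bytes


def mgf1(label: bytes, seed: bytes, length: int) -> bytes:
    """PKCS#1 MGF1 over SHA-256, standing in for the random oracles G and H.
    The label keeps G and H distinct functions even on equal-length inputs."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m: bytes, r: Optional[bytes] = None) -> bytes:
    """Bellare-Rogaway OAEP: s = (M || 0^k1) xor G(r), t = r xor H(s); output s || t."""
    assert len(m) == N
    r = os.urandom(K0) if r is None else r
    s = xor(m + bytes(K1), mgf1(b"G", r, N + K1))
    t = xor(r, mgf1(b"H", s, K0))
    return s + t


def oaep_decode(w: bytes) -> Optional[bytes]:
    """Invert OAEP. Every defect is reported the same way (None) so the
    decoder does not leak which check failed."""
    if len(w) != N + K0 + K1:
        return None
    s, t = w[: N + K1], w[N + K1:]
    r = xor(t, mgf1(b"H", s, K0))
    padded = xor(s, mgf1(b"G", r, N + K1))
    m, redundancy = padded[:N], padded[N:]
    if not hmac.compare_digest(redundancy, bytes(K1)):
        return None
    return m


def oaep_plus_encode(m: bytes, r: Optional[bytes] = None) -> bytes:
    """Shoup's OAEP+: s = (M xor G(r)) || H'(r || M), t = r xor H(s); output s || t.
    The tag H'(r || M) replaces OAEP's zero block."""
    assert len(m) == N
    r = os.urandom(K0) if r is None else r
    tag = hashlib.sha256(b"H'" + r + m).digest()[:K1]
    s = xor(m, mgf1(b"G", r, N)) + tag
    t = xor(r, mgf1(b"H", s, K0))
    return s + t


def oaep_plus_decode(w: bytes) -> Optional[bytes]:
    """Invert OAEP+: recover r and M, then recompute and verify the tag."""
    if len(w) != N + K0 + K1:
        return None
    s, t = w[: N + K1], w[N + K1:]
    r = xor(t, mgf1(b"H", s, K0))
    m = xor(s[:N], mgf1(b"G", r, N))
    tag = hashlib.sha256(b"H'" + r + m).digest()[:K1]
    if not hmac.compare_digest(s[N:], tag):
        return None
    return m


def all_single_bit_flips_rejected(w: bytes, decode: Callable[[bytes], Optional[bytes]]) -> bool:
    """Flip each bit of the padded block in turn; a sound decoder rejects every one,
    because any change to s or t re-randomises r and hence the recovered block."""
    for i in range(len(w) * 8):
        flipped = bytearray(w)
        flipped[i // 8] ^= 1 << (i % 8)
        if decode(bytes(flipped)) is not None:
            return False
    return True


if __name__ == "__main__":
    msg = bytes(range(N))  # constructed sample message
    for enc, dec in ((oaep_encode, oaep_decode), (oaep_plus_encode, oaep_plus_decode)):
        block = enc(msg)
        assert dec(block) == msg
        print(enc.__name__, "round trip ok; all single-bit flips rejected:",
              all_single_bit_flips_rejected(block, dec))
```

Two points the code makes concrete. First, the only difference between the transforms is the redundancy field: in OAEP+ the tag H'(r || M) binds the seed to the message, which is what lets Shoup's proof recover the plaintext of a decryption query from the adversary's hash queries without the algebraic help that the RSA-OAEP proof needs. Second, both decoders fold every check into a single rejection. When the block is wrapped in RSA, the same discipline has to extend to the integer-to-octet-string step: Manger's attack, cited in the Klíma and Rosa entries below, works precisely because an implementation let the attacker distinguish "integer too large" from "padding invalid".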


Book ChapterDOI
18 Aug 2002
TL;DR: It is shown that PSS can also be used for encryption, giving an encryption scheme semantically secure against adaptive chosen-ciphertext attacks in the random oracle model, and that it allows the same RSA key pair to be safely used for both encryption and signature, concurrently.
Abstract: A common practice to encrypt with RSA is to first apply a padding scheme to the message and then to exponentiate the result with the public exponent; an example of this is OAEP. Similarly, the usual way of signing with RSA is to apply some padding scheme and then to exponentiate the result with the private exponent, as for example in PSS. Usually, the RSA modulus used for encrypting is different from the one used for signing. The goal of this paper is to simplify this common setting. First, we show that PSS can also be used for encryption, and that it gives an encryption scheme semantically secure against adaptive chosen-ciphertext attacks, in the random oracle model. As a result, PSS can be used indifferently for encryption or signature. Moreover, we show that PSS allows the same RSA key pairs to be safely used for both encryption and signature, in a concurrent manner. More generally, we show that using PSS the same set of keys can be used for both encryption and signature for any trapdoor partial-domain one-way permutation. The practical consequences of our result are important: PKIs and public-key implementations can be significantly simplified.

82 citations


Book ChapterDOI
18 Feb 2002
TL;DR: This paper proposes an efficient and provably secure transform to encrypt a message with any asymmetric one-way cryptosystem, and achieves adaptive chosen-ciphertext security in the random oracle model.
Abstract: This paper proposes an efficient and provably secure transform to encrypt a message with any asymmetric one-way cryptosystem. The resulting scheme achieves adaptive chosen-ciphertext security in the random oracle model. Compared to previous known generic constructions (Bellare, Rogaway, Fujisaki, Okamoto, and Pointcheval), our embedding reduces the encryption size and/or speeds up the decryption process. It applies to numerous cryptosystems, including (to name a few) ElGamal, RSA, Okamoto-Uchiyama and Paillier systems.

53 citations


Book ChapterDOI
13 Aug 2002
TL;DR: In this article, a new side channel attack on a plaintext encrypted by EME-OAEP PKCS#1 v.2.1 is presented, Bleichenbacher's and Manger's attacks on PKCS#1 v.1.5 and v.2.1 are converted into attacks on RSA signatures, and fault-based attacks on RSA-KEM are described.
Abstract: This paper contains three parts. In the first part we present a new side channel attack on a plaintext encrypted by EME-OAEP PKCS#1 v.2.1. In contrast with Manger's attack, we attack that part of the plaintext, which is shielded by the OAEP method. In the second part we show that Bleichenbacher's and Manger's attack on the RSA encryption scheme PKCS#1 v.1.5 and EME-OAEP PKCS#1 v.2.1 can be converted to an attack on the RSA signature scheme with any message encoding (not only PKCS). In the third part we deploy a general idea of fault-based attacks on the RSA-KEM scheme and present two particular attacks as the examples. The result is the private key instead of the plaintext as with attacks on PKCS#1 v.1.5 and v.2.1. These attacks should highlight the fact that the RSA-KEM scheme is not an entirely universal solution to problems of RSAES-OAEP implementation and that even here the manner of implementation is significant.

32 citations


01 Jan 2002
TL;DR: A formal and complete proof was found in joint work by the author and others that reaffirmed the strong level of security provided by RSA-OAEP; however, this new security proof still does not guarantee security for key sizes used in practice due to the inefficiency of the security reduction (the reduction to inverting RSA takes quadratic time).
Abstract: In 1993, Bellare and Rogaway formalized the concept of a random oracle, imported from complexity theory for cryptographic purposes. This new tool allowed them to present several asymmetric encryption and signature schemes that are both efficient and provably secure (in the random oracle model). The Optimal Asymmetric Encryption Padding (OAEP) is the most significant application of the random oracle model to date. It gives an efficient RSA encryption scheme with a strong security guarantee (semantic security against chosen-ciphertext attacks). After Bleichenbacher's devastating attack on RSA-PKCS #1 v1.5 in 1998, RSA-OAEP became the natural successor (RSA-PKCS #1 v2.0) and thus a de facto international standard. Surprisingly, Shoup recently showed that the original proof of security for OAEP is incorrect. Without a proof, RSA-OAEP cannot be trusted to provide an adequate level of security. Luckily, shortly after Shoup's discovery a formal and complete proof was found in joint work by the author and others that reaffirmed the strong level of security provided by RSA-OAEP. However, this new security proof still does not guarantee security for key sizes used in practice due to the inefficiency of the security reduction (the reduction to inverting RSA takes quadratic time). Recent alternatives to OAEP, such as OAEP+, SAEP+, and REACT, admit more efficient proofs and thus provide adequate security for key sizes used in practice.

24 citations


Book ChapterDOI
12 Feb 2002
TL;DR: In this paper, the authors considered arbitrary-length chosen-ciphertext secure asymmetric encryption, and proposed two generic constructions, gem-1 and gem-2, which apply to explicit fixed-length weakly secure primitives and provide a strongly secure (IND-CCA2) public-key encryption scheme for messages of unfixed length (typically computer files).
Abstract: This paper considers arbitrary-length chosen-ciphertext secure asymmetric encryption, thus addressing what is actually needed for a practical usage of strong public-key cryptography in the real world. We put forward two generic constructions, gem-1 and gem-2 which apply to explicit fixed-length weakly secure primitives and provide a strongly secure (IND-CCA2) public-key encryption scheme for messages of unfixed length (typically computer files). Our techniques optimally combine a single call to any one-way trapdoor function with repeated encryptions through some weak block-cipher (a simple xor is fine) and hash functions of fixed-length input so that a minimal number of calls to these functions is needed. Our encryption/decryption throughputs are comparable to the ones of standard methods (asymmetric encryption of a session key + symmetric encryption with multiple modes). In our case, however, we formally prove that our designs are secure in the strongest sense and provide complete security reductions holding in the random oracle model.

23 citations


Posted Content
TL;DR: It is proved in the random oracle model that OAEP++, which was proposed by us at the rump session of Asiacrypt 2000, can generate IND-CCA2 ciphers using deterministic OW-CPA cryptographic primitives.
Abstract: We prove in the random oracle model that OAEP++, which was proposed by us at the rump session of Asiacrypt 2000, can generate IND-CCA2 ciphers using deterministic OW-CPA cryptographic primitives. Note that OAEP++ differs from OAEP proposed by Jonsson in [4]. While OAEP requires a non-malleable block cipher, OAEP++ does not require such additional functions. The security reduction of OAEP++ is as tight as that of OAEP.

19 citations


Book ChapterDOI
18 Feb 2002
TL;DR: This paper shows how to securely combine a simple encryption scheme with a proof of knowledge made noninteractive with a hash function to create encryption schemes that offer security against adaptive chosen ciphertext attacks.
Abstract: To create encryption schemes that offer security against adaptive chosen ciphertext attacks, this paper shows how to securely combine a simple encryption scheme with a proof of knowledge made noninteractive with a hash function. A typical example would be combining the ElGamal encryption scheme with the Schnorr signature scheme. While the straightforward combination will fail to provide security in the random oracle model, we present a class of encryption schemes that uses a proof of knowledge where the security can be proven based on the random oracle assumption and the number theoretic assumptions. The resulting schemes are useful as any casual party can be assured of the (in)validity of the ciphertexts.

14 citations


Patent
25 Feb 2002
TL;DR: The authors proposed a variant of the El-Gamal public key encryption scheme, which is provably secure against an adaptively chosen ciphertext adversary using standard public-key cryptography assumptions i.e. not the random oracle model.
Abstract: This invention relates to a variant of the El-Gamal public key encryption scheme, which is provably secure against an adaptively chosen ciphertext adversary using standard public-key cryptography assumptions i.e. not the random oracle model. This new scheme has roughly half the computational overhead and similar communication overhead as the scheme by Cramer-Shoup.

11 citations


Posted Content
TL;DR: This paper contains a new side channel attack on a plaintext encrypted by EME-OAEP PKCS#1 v.2.1, a conversion of Bleichenbacher's and Manger's attacks into attacks on RSA signatures, and a general idea of fault-based attacks on the RSA-KEM scheme, with two particular attacks presented as examples.
Abstract: This paper contains three parts. In the first part we present a new side channel attack on plaintext encrypted by EME-OAEP PKCS#1 v.2.1. In contrast with Manger's attack, we attack that part of the plaintext which is shielded by the OAEP method. In the second part we show that Bleichenbacher's and Manger's attack on the RSA encryption scheme PKCS#1 v.1.5 and EME-OAEP PKCS#1 v.2.1 can be converted to an attack on the RSA signature scheme with any message encoding (not only PKCS). This is a new threat for those implementations of PKI in which the roles of signature and encryption keys are not strictly separated. This situation is often encountered in the SSL protocol used to secure access to web servers. In the third part we deploy a general idea of fault-based attacks on the RSA-KEM scheme and present two particular attacks as the examples. The result is the private key instead of the plaintext as with attacks on PKCS#1 v.1.5 and v.2.1. These attacks should highlight the fact that the RSA-KEM scheme is not an entirely universal solution to problems of RSAES-OAEP implementation and that even here the manner of implementation is significant. Category / Keywords: public-key cryptography / side channel attack, confirmation oracle, RSA-KEM, RSAES-OAEP, PKCS#1 v.1.5, PKCS#1 v.2.1, Bleichenbacher's attack, Manger's attack, power analysis, fault analysis.

1 citations