
Showing papers on "Optimal asymmetric encryption padding published in 2003"


Book ChapterDOI
30 Nov 2003
TL;DR: The first IND-CCA cryptosystem based on any trapdoor one-way permutation without redundancy was proposed in this paper; the ciphertext is only k bits longer than the plaintext, where 2^{-k} is the expected security level.
Abstract: We propose asymmetric encryption schemes for which all ciphertexts are valid (which means here "reachable": the encryption function is not only a probabilistic injection, but also a surjection). We thus introduce the Full-Domain Permutation encryption scheme, which uses a random permutation. This is the first IND-CCA cryptosystem based on any trapdoor one-way permutation without redundancy, and more interestingly, the bandwidth is optimal: the ciphertext is only k bits longer than the plaintext, where 2^{-k} is the expected security level. Thereafter, we apply it in the random oracle model by instantiating the random permutation with a Feistel network construction, and thus using OAEP. Unfortunately, the usual 2-round OAEP does not seem to be provably secure, but a 3-round one can be proved IND-CCA even without the usual redundancy \(m || 0^{k_1}\), under the partial-domain one-wayness of any trapdoor permutation. Although the bandwidth is not as good as in the random permutation model, the absence of redundancy is quite new and interesting: many implementation risks are ruled out.

58 citations


Book ChapterDOI
04 May 2003
TL;DR: Discusses concerns about the methods of provable security, developed over the last twenty years within the research community, and the overlooked fact that proofs themselves need time to be validated through public discussion.
Abstract: Recently, methods from provable security, that had been developed for the last twenty years within the research community, have been extensively used to support emerging standards. This in turn has led researchers as well as practitioners to raise some concerns about this methodology. Should provable security be restricted to the standard computational model or can it rely on the so-called random oracle model? In the latter case, what is the practical meaning of security estimates obtained using this model? Also, the fact that proofs themselves need time to be validated through public discussion was somehow overlooked. Building on two case studies, we discuss these concerns. One example covers the public key encryption formatting scheme OAEP originally proposed in [3]. The other comes from the area of signature schemes and is related to the security proof of ESIGN [43]. Both examples show that provable security is more subtle than it at first appears.

41 citations


Journal Article
TL;DR: In this article, the authors discuss the practical meaning of security estimates obtained using the random oracle model, and the fact that proofs themselves need time to be validated through public discussion.
Abstract: Recently, methods from provable security, that had been developed for the last twenty years within the research community, have been extensively used to support emerging standards. This in turn has led researchers as well as practitioners to raise some concerns about this methodology. Should provable security be restricted to the standard computational model or can it rely on the so-called random oracle model? In the latter case, what is the practical meaning of security estimates obtained using this model? Also, the fact that proofs themselves need time to be validated through public discussion was somehow overlooked. Building on two case studies, we discuss these concerns. One example covers the public key encryption formatting scheme OAEP originally proposed in [3]. The other comes from the area of signature schemes and is related to the security proof of ESIGN [43]. Both examples show that provable security is more subtle than it at first appears.

37 citations


Book ChapterDOI
17 Aug 2003
TL;DR: In this paper, the authors propose new ES schemes OAEP-ES, OAEP++-ES and REACT-ES and prove them secure under the assumption of only the one-wayness (not the partial-domain one-wayness) of the encryption permutation.
Abstract: Coron et al. proposed the ES-based scheme PSS-ES, which realizes an encryption scheme and a signature scheme with a unique padding technique and key pair. The security of PSS-ES as an encryption scheme is based on the partial-domain one-wayness of the encryption permutation. In this paper, we propose new ES schemes OAEP-ES, OAEP++-ES, and REACT-ES, and prove their security under the assumption of only the one-wayness of the encryption permutation. OAEP-ES, OAEP++-ES, and REACT-ES suit practical implementation because they use the same padding technique for encryption and for signature, and their security proof guarantees that we can prepare one key pair to realize encryption and signature in the same way as PSS-ES. Since one-wayness is a weaker assumption than partial-domain one-wayness, the proposed schemes offer tighter security than PSS-ES. Hence, we conclude that OAEP-ES, OAEP++-ES, and REACT-ES are more effective than PSS-ES. REACT-ES is the most practical approach in terms of the tightness of security and communication efficiency.

33 citations


Book ChapterDOI
09 Jul 2003
TL;DR: Two schemes of parallel signcryption are proposed, which are efficient alternatives to Commit-then-Sign-and-Encrypt (CtE&S), and both are provably secure in the random oracle model.
Abstract: A parallel authentication and public-key encryption is introduced and exemplified on joint encryption and signing which compares favorably with sequential Encrypt-then-Sign (EtS) or Sign-then-Encrypt (StE) schemes as far as both efficiency and security are concerned. A security model for signcryption, and thus joint encryption and signing, has been recently defined which considers possible attacks and security goals. Such a scheme is considered secure if the encryption part guarantees indistinguishability and the signature part prevents existential forgeries, for outsider but also insider adversaries. We propose two schemes of parallel signcryption, which are efficient alternatives to Commit-then-Sign-and-Encrypt (CtE&S). They are both provably secure in the random oracle model. The first one, called generic parallel encrypt and sign, is secure if the encryption scheme is semantically secure against chosen-ciphertext attacks and the signature scheme prevents existential forgeries against random-message attacks. The second scheme, called optimal parallel encrypt and sign, applies random oracles similar to the OAEP technique in order to achieve security using encryption and signature components with very weak security requirements - encryption is expected to be one-way under chosen-plaintext attacks while signature needs to be secure against universal forgeries under random-plaintext attack, which is actually the case for both the plain-RSA encryption and signature under the usual RSA assumption. Both proposals are generic in the sense that any suitable encryption and signature schemes (i.e. which simply achieve the required security) can be used. Furthermore they allow both parallel encryption and signing, as well as parallel decryption and verification. Properties of parallel encrypt and sign schemes are considered and a new security standard for parallel signcryption is proposed.

29 citations


Book ChapterDOI
TL;DR: A general construction for public key encryption schemes that are IND-CCA2 secure in the random oracle model and it is shown that the scheme proposed in [1,2] fits the general framework and that the method of analysis leads to a more efficient security reduction.
Abstract: We propose a general construction for public key encryption schemes that are IND-CCA2 secure in the random oracle model. We show that the scheme proposed in [1,2] fits our general framework and moreover that our method of analysis leads to a more efficient security reduction.

27 citations


Posted Content
TL;DR: This paper shows that one cannot hope to fully solve problems with side channel attacks on the CBC encryption mode by using a “magic” padding method or an obscure message-encoding format, and suggests that strong cryptographic integrity checks of ciphertexts should be incorporated instead.
Abstract: Vaudenay has shown in [5] that the CBC encryption mode ([2], [9]) combined with the PKCS#5 padding scheme [3] allows an attacker to invert the underlying block cipher, provided she has access to a valid-padding oracle which, for each input ciphertext, tells her whether the corresponding plaintext has a valid padding or not. With countermeasures against this attack in mind, different padding schemes have been studied in [1]. The best one is referred to as ABYT-PAD. It is designed for byte-oriented messages. It removes the valid-padding oracle, thereby defeating Vaudenay's attack, since all deciphered plaintexts are valid in this padding scheme. In this paper, we try to combine the well-known cryptographic message syntax standard PKCS#7 [8] with the use of ABYT-PAD instead of PKCS#5. Let us assume that we have access to a PKCS#7 CONF oracle that tells us, for a given ciphertext (encapsulated in the PKCS#7 structure), whether the deciphered plaintext is correct or not according to the PKCS#7 (v1.6) syntax. This is probably a very natural assumption, because applications usually have to reflect this situation in their behavior. It could be a message for the user, an API error message, an entry in the log file, different timing behavior, etc. We show that access to such an oracle again enables an attacker to invert the underlying block cipher. The attack requires a single captured ciphertext and approximately 128 oracle calls per ciphertext byte. It shows that we cannot hope to fully solve problems with side channel attacks on the CBC encryption mode by using a "magic" padding method or an obscure message-encoding format. Strong cryptographic integrity checks of ciphertexts should be incorporated instead.

18 citations
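The valid-padding oracle that Vaudenay's attack exploits, as an added example that is not the paper's code: CBC mode over a toy block cipher (a 4-round HMAC-SHA256 Feistel network, an assumption standing in for AES, since the attack depends only on the CBC structure), PKCS#5/#7 padding, an oracle that answers "valid padding or not", and the byte-by-byte recovery of a single captured ciphertext, including the \x02\x02 false-positive edge case at the last byte. The same driver is then pointed at an encrypt-then-MAC variant of the oracle, which is the "strong cryptographic integrity check of ciphertexts" the abstract asks for: the tag is verified before decryption, so no forged ciphertext ever reaches the padding check and the attack recovers nothing. The PKCS#7 CONF oracle of the paper replaces the padding check with a syntax check; the driver below is the generic Vaudenay version and does not implement that syntax.

```python
import hashlib, hmac, os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte block cipher: 4-round Feistel with an HMAC-SHA256 round function.
# It stands in for AES so the example needs only the standard library; the
# attack relies on nothing but the CBC structure around it.
def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def make_oracle(key, mac_key=None):
    """mac_key=None: Vaudenay's valid-padding oracle, answering only whether the
    plaintext carries well-formed PKCS#5/#7 padding. With mac_key: encrypt-then-
    MAC; the tag over iv || ct is checked before anything is decrypted, so a
    forged ciphertext never reaches the padding check at all."""
    def oracle(iv, blob):
        ct = blob
        if mac_key is not None:
            ct, tag = blob[:-32], blob[-32:]
            if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
                return False
        try:
            pkcs7_unpad(cbc_decrypt(key, iv, ct))
            return True
        except ValueError:
            return False
    return oracle

def recover_block(oracle, prev, target):
    """Recover one plaintext block from the oracle alone, last byte first.
    Returns (block, oracle_calls); block is None if no guess is ever accepted."""
    inter, calls = bytearray(BLOCK), 0      # inter = D_k(target), filled from the right
    for j in range(BLOCK - 1, -1, -1):
        pad, found = BLOCK - j, None
        for g in range(256):
            forged = bytearray(inter[k] ^ pad if k > j else 0 for k in range(BLOCK))
            forged[j] = g
            calls += 1
            if oracle(bytes(forged), target):
                if j == BLOCK - 1:
                    # Edge case: a plaintext ending ...\x02\x02 (or \x03\x03\x03) also
                    # unpads. Disturb byte 14 and re-query: only a \x01 padding survives.
                    forged[j - 1] ^= 0xFF
                    calls += 1
                    if not oracle(bytes(forged), target):
                        continue
                found = g
                break
        if found is None:
            return None, calls
        inter[j] = found ^ pad
    return _xor(bytes(inter), prev), calls

def padding_oracle_attack(oracle, iv, ct):
    """Run recover_block over every block of a single captured ciphertext."""
    plaintext, prev, total = b"", iv, 0
    for i in range(0, len(ct), BLOCK):
        blk, calls = recover_block(oracle, prev, ct[i:i + BLOCK])
        total += calls
        if blk is None:
            return None, total
        plaintext, prev = plaintext + blk, ct[i:i + BLOCK]
    return plaintext, total

def demo(msg=b"attack at dawn; PKCS#7 padded"):     # constructed sample message
    key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    ct = cbc_encrypt(key, iv, pkcs7_pad(msg))
    # CBC with a bare padding check: the oracle leaks the whole plaintext.
    recovered, calls = padding_oracle_attack(make_oracle(key), iv, ct)
    # Same ciphertext under encrypt-then-MAC: every forgery is rejected first.
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    blocked, _ = padding_oracle_attack(make_oracle(key, mac_key), iv, ct + tag)
    return pkcs7_unpad(recovered), calls, blocked
```

Each byte costs 128 oracle calls on average (256 in the worst case, plus one confirmation query at the last byte), the figure the abstract quotes. The ABYT-PAD route removes this particular oracle by making every plaintext valid, but, as the abstract argues, the next layer up (there, the PKCS#7 syntax) tends to reintroduce one; only an integrity check on the ciphertext, as in the second oracle above, closes the whole class.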


Posted Content
TL;DR: The new method, which the authors call Padding-based Parallel Signcryption (PbPS), builds an efficient signcryption scheme from any family of trapdoor permutations, such as RSA, and defines a new “hybrid” between PSS-R and OAEP, which is called Probabilistic Signature-Encryption Padding (PSEP).
Abstract: We present a new, elegant composition method for joint signature and encryption, also referred to as signcryption. The new method, which we call Padding-based Parallel Signcryption (PbPS), builds an efficient signcryption scheme from any family of trapdoor permutations, such as RSA. Each user U generates a single public/secret key pair f_U / f_U^{-1} used for both sending and receiving the data. To signcrypt a message m to a recipient with key f_rcv, a sender with key f_snd efficiently transforms m into a pair 〈w, s〉, and simply sends f_rcv(w) || f_snd^{-1}(s). PbPS enjoys many attractive properties: simplicity, efficiency, generality, parallelism of "encrypting"/"signing", optimal exact security, flexible and ad-hoc key management, key reuse for sending/receiving data, optimally-low message expansion, long message and associated data support, and, finally, complete compatibility with the PKCS#1 infrastructure. The pairs 〈w, s〉 sufficient for the security of PbPS are called universal two-padding schemes. Using one round of the Feistel transform, we give a very general construction of such schemes. Interestingly, we notice that all popular padding schemes with message recovery used for plain signature or encryption, such as OAEP, OAEP+, PSS-R, and "scramble all, encrypt small" [21], naturally consist of two pieces 〈w, s〉. Quite remarkably, we show that all such pairs become special cases of our construction. As a result, we find a natural generalization of all conventional padding schemes, and show that any such padding can be used for signcryption with PbPS. However, none of such paddings gives optimal message bandwidth. For that purpose and of independent interest, we define a new "hybrid" between PSS-R and OAEP, which we call Probabilistic Signature-Encryption Padding (PSEP). We recommend using PbPS with PSEP to achieve the most flexible and secure signcryption scheme up-to-date. To justify this point, we provide a detailed practical comparison of PbPS/PSEP with other previously-proposed signcryption candidates.

7 citations
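The key-reuse and parallelism claims of three entries above (OAEP-ES/REACT-ES with one key pair for encryption and signature, the generic parallel encrypt-and-sign of the 09 Jul 2003 entry, and PbPS here) reduce to the same skeleton, shown as an added example that is not the authors' code: one trapdoor permutation f_U per user, a two-padding 〈w, s〉, and the pair f_rcv(w) || f_snd^{-1}(s). The two-padding is a one-round Feistel in the PSS-R style (w commits to the message and randomness, s is the message masked by G(w)); it is one instance of the universal two-padding family the abstract describes, not the paper's PSEP. The RSA keys come from fixed Mersenne primes, an assumption that keeps the example self-contained and makes the keys useless for anything else, and the associated-data string ad is where sender and receiver identities are bound in; the fixed sizes MLEN, RLEN and WLEN are also assumptions of the example.

```python
import hashlib, os

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy RSA trapdoor permutations f_U(x) = x^e mod N, f_U^{-1}(y) = y^d mod N.
# The moduli are built from fixed, publicly known Mersenne primes so that the
# example runs without a prime generator; that makes them worthless for real
# use (anyone can factor them), but the permutation structure is genuine.
E = 65537

def rsa_key(p, q):
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

ALICE = rsa_key(2**127 - 1, 2**521 - 1)    # f_snd in the abstract's notation
BOB = rsa_key(2**107 - 1, 2**607 - 1)      # f_rcv

def f(key, x):          # public direction: anyone can evaluate
    return pow(x, key["e"], key["n"])

def f_inv(key, y):      # trapdoor direction: needs the secret exponent
    return pow(y, key["d"], key["n"])

MLEN, RLEN, WLEN = 32, 16, 32   # fixed message, randomness and commitment sizes

def two_pad(m, ad):
    """One-round Feistel two-padding in the PSS-R style: w commits to
    (ad, m, r); s is the message and randomness masked by G(w) = SHAKE-256(w)."""
    assert len(m) == MLEN
    r = os.urandom(RLEN)
    w = hashlib.sha256(ad + m + r).digest()
    s = _xor(m + r, hashlib.shake_256(w).digest(MLEN + RLEN))
    return w, s

def two_unpad(w, s, ad):
    mr = _xor(s, hashlib.shake_256(w).digest(MLEN + RLEN))
    m, r = mr[:MLEN], mr[MLEN:]
    return m if hashlib.sha256(ad + m + r).digest() == w else None

def signcrypt(snd, rcv, m, ad=b""):
    """c1 = f_rcv(w) and c2 = f_snd^{-1}(s) depend only on the padding output,
    so the public (encrypt) and trapdoor (sign) operations can run in parallel."""
    w, s = two_pad(m, ad)
    return f(rcv, int.from_bytes(w, "big")), f_inv(snd, int.from_bytes(s, "big"))

def unsigncrypt(rcv, snd, c1, c2, ad=b""):
    """Decrypt with the receiver's trapdoor and verify with the sender's public
    direction, independently of each other, then check the padding."""
    try:
        w = f_inv(rcv, c1).to_bytes(WLEN, "big")
        s = f(snd, c2).to_bytes(MLEN + RLEN, "big")
    except OverflowError:      # decoded value lies outside the padding domain
        return None
    return two_unpad(w, s, ad)
```

Both users keep a single key pair: Bob answers Alice with signcrypt(BOB, ALICE, ...) and the same code path verifies it, which is the "one key pair for encryption and signature" point of the OAEP-ES entry. Tampering with either half, changing ad, or verifying against the wrong sender key makes two_unpad reject, because the hash in w ties all of it together.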


Journal Article
TL;DR: This is the first IND-CCA cryptosystem based on any trapdoor one-way permutation without redundancy, and more interestingly, the bandwidth is optimal: the ciphertext is only k bits longer than the plaintext, where 2^{-k} is the expected security level.
Abstract: We propose asymmetric encryption schemes for which all ciphertexts are valid (which means here "reachable": the encryption function is not only a probabilistic injection, but also a surjection). We thus introduce the Full-Domain Permutation encryption scheme, which uses a random permutation. This is the first IND-CCA cryptosystem based on any trapdoor one-way permutation without redundancy, and more interestingly, the bandwidth is optimal: the ciphertext is only k bits longer than the plaintext, where 2^{-k} is the expected security level. Thereafter, we apply it in the random oracle model by instantiating the random permutation with a Feistel network construction, and thus using OAEP. Unfortunately, the usual 2-round OAEP does not seem to be provably secure, but a 3-round one can be proved IND-CCA even without the usual redundancy \(m || 0^{k_1}\), under the partial-domain one-wayness of any trapdoor permutation. Although the bandwidth is not as good as in the random permutation model, the absence of redundancy is quite new and interesting: many implementation risks are ruled out.

3 citations
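As an added illustration of the padding layer described in this entry and in the Book ChapterDOI entry of the same paper above (not code from the paper): the usual 2-round OAEP with the redundancy m || 0^{k_1} beside a 3-round Feistel network with no redundancy. The round functions are modelled as SHAKE-256 calls, the seed length K0 and the redundancy length k1 are assumptions of the example, and the trapdoor permutation is left out: random strings of the padded length stand in for the preimages a decryptor would obtain from random ciphertexts. The functional point of the abstract is what the code shows: the 2-round decoder rejects almost everything it is fed, and that reject signal is what an implementation must then hide, while the 3-round decoder accepts every string and every string is reachable as the padding of some (m, r). The IND-CCA claim itself rests on the partial-domain one-wayness argument in the paper, not on anything this code demonstrates.

```python
import hashlib, os

K0 = 16   # seed (randomness) length in bytes; an assumption of the example

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _mask(round_no, seed, n):
    """Round functions F, G, H of the network, modelled as random oracles:
    SHAKE-256 under a per-round label, expanded to n bytes."""
    return hashlib.shake_256(bytes([round_no]) + seed).digest(n)

def feistel_encode(x, r, rounds):
    """Unbalanced Feistel network on (x, r): even rounds mask the data half with
    a function of the seed half, odd rounds mask the seed half with a function
    of the data half. rounds=2 is OAEP (s = x XOR G(r), t = r XOR H(s));
    rounds=3 is the 3-round network of the abstract."""
    for i in range(rounds):
        if i % 2 == 0:
            x = _xor(x, _mask(i, r, len(x)))
        else:
            r = _xor(r, _mask(i, x, len(r)))
    return x + r

def feistel_decode(data, x_len, rounds):
    """Inverse of feistel_encode: undo the rounds in reverse order."""
    x, r = data[:x_len], data[x_len:]
    for i in reversed(range(rounds)):
        if i % 2 == 0:
            x = _xor(x, _mask(i, r, len(x)))
        else:
            r = _xor(r, _mask(i, x, len(r)))
    return x, r

def oaep_pad(m, k1):
    """Usual 2-round OAEP: the redundancy m || 0^{k1} is added before the rounds."""
    return feistel_encode(m + bytes(k1), os.urandom(K0), 2)

def oaep_unpad(data, k1):
    """Returns the message, or None when the redundancy check fails. That
    reject signal is the side channel the 3-round variant does away with."""
    x, _ = feistel_decode(data, len(data) - K0, 2)
    return x[:-k1] if x[-k1:] == bytes(k1) else None

def oaep3_pad(m):
    """3-round OAEP without redundancy: a permutation of the whole domain."""
    return feistel_encode(m, os.urandom(K0), 3)

def oaep3_unpad(data):
    """Never fails: every string of the domain decodes to some (m, r)."""
    x, _ = feistel_decode(data, len(data) - K0, 3)
    return x

def count_valid(trials, mlen=32, k1=8):
    """Feed random strings of the padded length (stand-ins for the preimages a
    trapdoor permutation would yield for random ciphertexts) to both decoders
    and count how many each one accepts."""
    acc2 = acc3 = 0
    for _ in range(trials):
        acc2 += oaep_unpad(os.urandom(mlen + k1 + K0), k1) is not None
        acc3 += oaep3_unpad(os.urandom(mlen + K0)) is not None
    return acc2, acc3

def all_reachable(trials, mlen=32):
    """Surjectivity of the 3-round network: decode a random string, re-encode
    with the recovered (m, r) and confirm we land on the same string."""
    for _ in range(trials):
        blob = os.urandom(mlen + K0)
        x, r = feistel_decode(blob, mlen, 3)
        if feistel_encode(x, r, 3) != blob:
            return False
    return True
```

The bandwidth difference is visible in the lengths: the 3-round output is |m| + K0 bytes, the 2-round output |m| + k1 + K0, and with k1 = 8 the 2-round decoder accepts a random string with probability 2^{-64}, so its rejections are exactly the decryption failures a Manger-style attacker would try to observe.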


Patent
08 Jan 2003
TL;DR: In this article, the authors propose a provably secure public key encryption scheme based on Rabin encryption, in which the public-key modulus N is chosen as N = p^d q (p, q prime, d > 1) and a hash function is combined with OAEP so that decryption is unambiguous.
Abstract: PROBLEM TO BE SOLVED: To provide a public key encryption communication technology whose security can be proved. SOLUTION: In a Rabin-type encryption, the composite number N used as the public key is chosen as N = p^d q (p, q prime numbers, d greater than 1). A hash function is combined with OAEP so that decryption is unique. Security can be proved on the condition that factoring N into primes is hard, while decryption remains fast (the security notion is strong confidentiality against adaptive chosen-ciphertext attack). Thus a public key encryption communication technology that is provably secure against chosen-ciphertext attack and decrypts quickly is provided. The technology also reduces the computational load of encrypting and decrypting transmitted data, and is proved IND-CCA2 on the condition that inverting the one-way permutation (e.g. factoring into primes) is hard.

2 citations