
Showing papers on "Optimal asymmetric encryption padding published in 2005"


Book ChapterDOI
14 Aug 2005
TL;DR: A partial instantiation in form of substituting only one RO does not help to break out of the random oracle model, but it yet gives a better understanding of the necessary properties of the primitives and also constitutes a better security heuristic.
Abstract: We investigate several previously suggested scenarios of instantiating random oracles (ROs) with “realizable” primitives in cryptographic schemes. As candidates for such “instantiating” primitives we pick perfectly one-way hash functions (POWHFs) and verifiable pseudorandom functions (VPRFs). Our analysis focuses on the most practical encryption schemes such as OAEP and its variant PSS-E and the Fujisaki-Okamoto hybrid encryption scheme. We also consider the RSA Full Domain Hash (FDH) signature scheme. We first show that some previous beliefs about instantiations for some of these schemes are not true. Namely we show that, contrary to Canetti's conjecture, in general one cannot instantiate either one of the two ROs in the OAEP encryption scheme by POWHFs without losing security. We also confirm through the FDH signature scheme that the straightforward instantiation of ROs with VPRFs may result in insecure schemes, in contrast to regular pseudorandom functions which can provably replace ROs (in a well-defined way). But unlike a growing number of papers on negative results about ROs, we bring some good news. We show that one can realize one of the two ROs in a variant of the PSS-E encryption scheme and either one of the two ROs in the Fujisaki-Okamoto hybrid encryption scheme through POWHFs, while preserving the IND-CCA security in both cases (still in the RO model). Although this partial instantiation in form of substituting only one RO does not help to break out of the random oracle model, it yet gives a better understanding of the necessary properties of the primitives and also constitutes a better security heuristic.

45 citations


Book ChapterDOI
21 Feb 2005
TL;DR: This paper considers the security of CBC-mode encryption against padding oracle attacks in this secret, random IV setting and presents new attacks showing that several ISO padding methods are still weak in this situation.
Abstract: In [8], Paterson and Yau presented padding oracle attacks against a committee draft version of a revision of the ISO CBC-mode encryption standard [3]. Some of the attacks in [8] require knowledge and manipulation of the initialisation vector (IV). The latest draft of the revision of the standard [4] recommends the use of IVs that are secret and random. This obviates most of the attacks of [8]. In this paper we consider the security of CBC-mode encryption against padding oracle attacks in this secret, random IV setting. We present new attacks showing that several ISO padding methods are still weak in this situation.

45 citations


Posted Content
TL;DR: Coppersmith's heuristic algorithm for finding small roots of bivariate modular equations can be applied against low-exponent RSA-OAEP if its randomizer is weak, provided it is short enough for Coppersmith’s algorithm to work as discussed by the authors.
Abstract: Coppersmith’s heuristic algorithm for finding small roots of bivariate modular equations can be applied against low-exponent RSA-OAEP if its randomizer is weak. An adversary that knows the randomizer can recover the entire plaintext message, provided it is short enough for Coppersmith’s algorithm to work. In practice, messages are symmetric cipher keys and these are potentially short enough for certain sets of key sizes. Weak randomizers could arise in constrained smart cards or in kleptographic implementations. Because RSA’s major use is transporting symmetric keys, this attack is a potential concern. In this respect, OAEP’s design is more fragile than necessary, because a secure randomizer is critical to prevent a total loss of secrecy, not just a loss of semantic security or chosen-ciphertext security. Countermeasures and more robust designs that have little extra performance cost are proposed and discussed.

21 citations


Book ChapterDOI
07 Jun 2005
TL;DR: The notion of universal padding is refined, in which a part can be either a random string in order to introduce randomness or a zero-constant string inorder to introduce some redundancy, which helps to build a unique padding, optimal encryption and optimal signature.
Abstract: Strong security notions often introduce strong constraints on the construction of cryptographic schemes: semantic security implies probabilistic encryption, while the resistance to existential forgeries requires redundancy in signature schemes. Some paddings have thus been designed in order to provide these minimal requirements to each of them, in order to achieve secure primitives. A few years ago, Coron et al. suggested the design of a common construction, a universal padding, which one could apply for both encryption and signature. As a consequence, such a padding has to introduce both randomness and redundancy, which does not lead to an optimal encryption nor an optimal signature. In this paper, we refine this notion of universal padding, in which a part can be either a random string in order to introduce randomness or a zero-constant string in order to introduce some redundancy. This helps us to build, with a unique padding, optimal encryption and optimal signature: first, in the random-permutation model, and then in the random-oracle model. In both cases, we study the concrete sizes of the parameters, for a specific security level: The former achieves an optimal bandwidth.

18 citations


Journal Article
TL;DR: A variant of RSA algorithm to which the idea of knapsack encryption technique and RSA algorithm are combined is presented, which is stronger than the pure RSA, because it not only lessens the characteristic of safety of RSA which RSA will be broken through factoring n, but also can validate the user's credit throughout encrypting so as to resist the man-in-the-middle attack.
Abstract: RSA is the first quite perfect Public Key Algorithm, and one possible approach which an adversary can employ to solving the RSA problem is to first factor n, and then compute φ and d. Through analysing RSA encryption technique and knapsack encryption technique, we present a variant of RSA algorithm to which the idea of knapsack encryption technique and RSA algorithm are combined. This encryption technique is stronger than the pure RSA, because it not only lessens the characteristic of safety of RSA which RSA will be broken through factoring n, but also can validate the user's credit throughout encrypting, so as to resist the man-in-the-middle attack. Finally, we also introduce the application for improved algorithm in Smart Cards.

11 citations


Book ChapterDOI
14 Feb 2005
TL;DR: This paper presents a generic asymmetric encryption conversion ROC, namely Redundancy Optimal Conversion, which has the optimal message redundancy for one-way trapdoor function in the random oracle model, and is the first generic conversion to achieve such an optimal redundancy result for both one-way trapdoor permutation and not length-preserving function.
Abstract: In this paper, we present a generic asymmetric encryption conversion ROC, namely Redundancy Optimal Conversion, which has the optimal message redundancy for one-way trapdoor function in the random oracle model. To our best knowledge, it is the first generic conversion to achieve such an optimal redundancy result for both one-way trapdoor permutation and not length-preserving function. To obtain IND-CCA security, the conversion only needs the weaker requirement of the one-wayness, than the partial-domain one-wayness, which succeeds to greatly extend the application area of the generic conversion. Further, plaintext awareness property of the encryption is not required any more, which also contributes to reduce the message redundancy and hence removes the re-encryption step of the decryption process, considerably reducing the computational burden. Finally, it has simple construction of two cryptographic hash functions and two bitwise XORs, as same as the widely used OAEP conversion, but more generally useful.

10 citations


Book
01 Aug 2005
TL;DR: This work discusses efficient Collision Search Attacks on SHA-0, one-Way Secret-Key Agreement and Applications to Circuit Polarization and Immunization of Public-Key Encryption, and more.
Abstract: Efficient Collision Search Attacks on SHA-0.- Finding Collisions in the Full SHA-1.- Pebbling and Proofs of Work.- Composition Does Not Imply Adaptive Security.- On the Discrete Logarithm Problem on Algebraic Tori.- A Practical Attack on a Braid Group Based Cryptographic Protocol.- The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption.- Unconditional Characterizations of Non-interactive Zero-Knowledge.- Impossibility and Feasibility Results for Zero Knowledge with Public Keys.- Communication-Efficient Non-interactive Proofs of Knowledge with Online Extractors.- A Formal Treatment of Onion Routing.- Simple and Efficient Shuffling with Provable Correctness and ZK Privacy.- Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions.- Private Searching on Streaming Data.- Privacy-Preserving Set Operations.- Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys.- Generic Transformation for Scalable Broadcast Encryption Schemes.- Authenticating Pervasive Devices with Human Protocols.- Secure Communications over Insecure Channels Based on Short Authenticated Strings.- On Codes, Matroids and Secure Multi-party Computation from Linear Secret Sharing Schemes.- Black-Box Secret Sharing from Primitive Sets in Algebraic Number Fields.- Secure Computation Without Authentication.- Constant-Round Multiparty Computation Using a Black-Box Pseudorandom Generator.- Secure Computation of Constant-Depth Circuits with Applications to Database Search Problems.- Analysis of Random Oracle Instantiation Scenarios for OAEP and Other Practical Schemes.- Merkle-Damgard Revisited: How to Construct a Hash Function.- On the Generic Insecurity of the Full Domain Hash.- New Monotones and Lower Bounds in Unconditional Two-Party Computation.- One-Way Secret-Key Agreement and Applications to Circuit Polarization and Immunization of Public-Key Encryption.- A Quantum Cipher with Near Optimal Key-Recycling.- An Efficient CDH-Based Signature Scheme with a Tight Security Reduction.- Improved Security Analyses for CBC MACs.- HMQV: A High-Performance Secure Diffie-Hellman Protocol.

10 citations


Posted Content
TL;DR: In this paper, a new trapdoor one-way permutation based on the hardness of factoring integers of pq-type is proposed, together with a hybrid encryption scheme built on it that is CCA-secure in the random oracle model.
Abstract: Public key cryptography has been invented to overcome some key management problems in open networks. Although nearly all aspects of public key cryptography rely on the existence of trapdoor one-way functions, only a very few candidates of this primitive have been observed yet. In this paper, we introduce a new trapdoor one-way permutation based on the hardness of factoring integers of pq-type. We also propose a variant of this function with a different domain that provides some advantages for practical applications. To confirm this statement, we develop a simple hybrid encryption scheme based on our proposed trapdoor permutation that is CCA-secure in the random oracle model.

3 citations


Patent
Isamu Teranisi
23 Mar 2005
TL;DR: In this paper, the OAEP+ padding is applied to NTRU cryptosystems, and two bit strings m and r are obtained from the result of the padding.
Abstract: An encryptor/decryptor capable of achieving secure cryptographic communication by applying appropriate padding to a cryptosystem such as NTRU cryptosystems. When an n-bit plaintext M is received, the OAEP+ padding is applied thereto. According to a conversion rule or a conversion function A that satisfies the conditions as described below, two bit strings m and r are obtained from the result of the OAEP+ padding. The conversion function A is a map to map a bit string consisting of k bits or less to the element of Lm×Lr, where Lm is the scope of m and Lr is the scope of r. The conversion function A should satisfy the following conditions: A is injective; A and the inverse map thereof can be computed by a polynomial time; and if an encryption function is denoted by E(m,r), a map E: A(X)→Le is a one-way function, where X is the scope of (m,r) and Le is the space of the entire ciphertext. After a bit string is divided into the two bit strings m and r, e=Er(m) is computed to be encrypted. Thus, a ciphertext e is transmitted to a receiver.

3 citations


Patent
28 Jul 2005
TL;DR: In this paper, the authors propose a scheme that uses fewer than three random-function evaluations while retaining tight security with respect to the one-wayness of the trapdoor one-way function of the public-key encryption system.
Abstract: PROBLEM TO BE SOLVED: To make compatible random function arithmetic operations to be fewer than three times and tight security. SOLUTION: Since an encrypted text y=(c is parallel to t) or a signature σ=(c' is parallel to t) is produced as connected data, by connecting two pieces of data and the connected data is created using a public key encryption system only for one piece of data (a necessary part s), the tight security is realized with respect to unidirectional nature of unidirectional function with a falling door of the public key encryption system. Furthermore, since a random function G for bit expansion in the conventional OAEP ++-ES system is dispensed with, by restricting output size of a first random function H', use of the random function is reduced to twice. COPYRIGHT: (C)2005,JPO&NCIPI

1 citations


01 Jan 2005
TL;DR: A widely deployed padding for RSA-based encryption is defined in the PKCS #1 v1.5 standard, and intuitively, it seems sufficient to rule out all the well-known weaknesses of the plain RSA system, but without any formal proof or guarantee.
Abstract: THE RSA–PKCS #1 V1.5 ENCRYPTION: A widely deployed padding for RSA-based encryption is defined in the PKCS #1 v1.5 standard: for any modulus 2^(8(k−1)) ≤ n < 2^(8k), in order to encrypt a message m, one defines the k-byte long string M = 02 ‖ r ‖ 0 ‖ m, where r is a string of randomly chosen non-zero bytes (at least 8). This block is thereafter encrypted with the RSA permutation, C = M^e mod n (see modular arithmetic). When decrypting a ciphertext C, the decryptor applies RSA inversion by computing M = C^d mod n and then checks that the result M matches the expected format. If so, the decryptor outputs the last part as the plaintext. Otherwise, the ciphertext is rejected. Intuitively, this padding seems sufficient to rule out all the well-known weaknesses of the plain RSA system, but without any formal proof or guarantee. Surprisingly, in 1998, Bleichenbacher [3] showed that a simple active attack can completely break RSA–PKCS #1. This attack applies to real systems such as a Web server using SSL v3.0.

Patent
23 Mar 2005
TL;DR: In this article, the authors provided an encryption/decryption device achieving a safe encryption communication by performing an appropriate padding to a method such as an NTRU encryption method, where an n-bit plain text M is received and subjected to OAEP+ padding.
Abstract: There is provided an encryption/decryption device achieving a safe encryption communication by performing an appropriate padding to a method such as an NTRU encryption method. An n-bit plain text M is received and subjected to OAEP+ padding. The result is subjected to a conversion A satisfying the following condition so as to obtain two bit strings m and r. The conversion A is mapping for correlating elements Lm × Lr to a bit string of k bits or below. When Lm represents a range of m and Lr represents a range of r, the next condition should be satisfied: the mapping is an injection; A and its inverse mapping can be calculated by polynomial time; when the encryption function is E(m, r), the mapping E:A(X) →Le is a uni-directional function. The X represents a range of (m, r) and Le represents a space of the entire encrypted text. After division into m and r, e = Er(m) is calculated and encrypted and the e is transmitted to a receiver of the encrypted text.