
Showing papers on "Optimal asymmetric encryption padding published in 2009"


Book ChapterDOI
16 Apr 2009
TL;DR: Boneh, Halevi, Hamburg, and Ostrovsky (BHHO) as discussed by the authors proposed an encryption scheme that simultaneously provides security against both key dependent chosen plaintext and adaptive chosen ciphertext attack (KDM-CCA2 security).
Abstract: Recently, at Crypto 2008, Boneh, Halevi, Hamburg, and Ostrovsky (BHHO) solved the long-standing open problem of "circular encryption," by presenting a public key encryption scheme and proving that it is semantically secure against key dependent chosen plaintext attack (KDM-CPA security) under standard assumptions (and without resorting to random oracles). However, they left as an open problem that of designing an encryption scheme that simultaneously provides security against both key dependent chosen plaintext and adaptive chosen ciphertext attack (KDM-CCA2 security). In this paper, we solve this problem. First, we show that by applying the Naor-Yung "double encryption" paradigm, one can combine any KDM-CPA secure scheme with any (ordinary) CCA2 secure scheme, along with an appropriate non-interactive zero-knowledge proof, to obtain a KDM-CCA2 secure scheme. Second, we give a concrete instantiation that makes use of the above KDM-CPA secure scheme of BHHO, along with a generalization of the Cramer-Shoup CCA2 secure encryption scheme, and recently developed pairing-based NIZK proof systems. This instantiation increases the complexity of the BHHO scheme by just a small constant factor.

174 citations


Book ChapterDOI
23 Nov 2009
TL;DR: This paper adopts Baek et al.'s model and proposes a new and efficient scheme that does not require any secure channels, and furthermore, its security does not use random oracles.
Abstract: The public key encryption with keyword search (PEKS) scheme, proposed by Boneh, Di Crescenzo, Ostrovsky and Persiano, enables one to search for encrypted keywords without compromising the security of the original data. Baek et al. noticed that the original notion of PEKS requires the existence of a secure channel, and they further extended this notion by proposing an efficient secure channel free public key encryption scheme with keyword search in the random oracle model. In this paper, we take one step forward by adopting Baek et al.'s model and propose a new and efficient scheme that does not require any secure channels, and furthermore, its security does not use random oracles.

85 citations


Book ChapterDOI
16 Apr 2009
TL;DR: The main result is a black-box impossibility result showing that one cannot prove any such padding-based scheme chosen-ciphertext secure even assuming the existence of ideal trapdoor permutations.
Abstract: We investigate the security of "padding-based" encryption schemes in the standard model. This class contains all public-key encryption schemes where the encryption algorithm first applies some invertible public transformation to the message (the "padding"), followed by a trapdoor permutation. In particular, this class contains OAEP and its variants. Our main result is a black-box impossibility result showing that one cannot prove any such padding-based scheme chosen-ciphertext secure even assuming the existence of ideal trapdoor permutations. The latter is a strong ideal abstraction of trapdoor permutations which inherits all security properties of uniform random permutations.

51 citations


Book ChapterDOI
02 Dec 2009
TL;DR: A new lemma on the indistinguishability of systems extending Maurer's theory of random systems is proposed, which implies that for blockciphers with smaller key space than message space (e.g. DES), longer cascades improve the security of the encryption up to a certain limit.
Abstract: The security of cascade blockcipher encryption is an important and well-studied problem in theoretical cryptography with practical implications. It is well-known that double encryption improves the security only marginally, leaving triple encryption as the shortest reasonable cascade. In a recent paper, Bellare and Rogaway showed that in the ideal cipher model, triple encryption is significantly more secure than single and double encryption, stating the security of longer cascades as an open question. In this paper, we propose a new lemma on the indistinguishability of systems extending Maurer's theory of random systems. In addition to being of independent interest, it allows us to compactly rephrase Bellare and Rogaway's proof strategy in this framework, thus making the argument more abstract and hence easier to follow. As a result, this allows us to address the security of longer cascades. Our result implies that for blockciphers with a smaller key space than message space (e.g. DES), longer cascades improve the security of the encryption up to a certain limit. This partially answers the open question mentioned above.

36 citations


Book ChapterDOI
05 Apr 2009
TL;DR: This article focuses on a simple but illustrative example, namely the semantic security of the Hashed ElGamal encryption scheme in both the standard and the random oracle model.
Abstract: CertiCrypt [1] is a framework that assists the construction of machine-checked cryptographic proofs that can be automatically verified by third parties. To date, CertiCrypt has been used to prove formally the exact security of widely studied cryptographic systems, such as the OAEP padding scheme and the Full Domain Hash digital signature scheme. The purpose of this article is to provide a gentle introduction to CertiCrypt. For concreteness, we focus on a simple but illustrative example, namely the semantic security of the Hashed ElGamal encryption scheme in both the standard and the random oracle model.

22 citations


Journal Article
TL;DR: The authors propose an RSA-based secure CAE scheme which is different from previously proposed ones based on the discrete logarithms or elliptic curve discrete logarithms and has a nice arbitration mechanism allowing the designated recipient to convert the authenticated ciphertext into an ordinary signature.
Abstract: A convertible authenticated encryption (CAE) scheme is a better way to simultaneously provide cryptographic schemes with the properties of confidentiality, authenticity and non-repudiation. The authors propose an RSA-based secure CAE scheme which is different from previously proposed ones based on the discrete logarithms or elliptic curve discrete logarithms. The proposed scheme has a nice arbitration mechanism allowing the designated recipient to convert the authenticated ciphertext into an ordinary signature without any extra computation efforts or communication overheads for the public arbitration. Additionally, the security requirement of confidentiality against adaptive chosen ciphertext attacks (IND-CCA2) and that of unforgeability against existential forgery on adaptive chosen-message attacks (EU-CMA2) are proved in the random oracle model.

15 citations


Journal ArticleDOI
TL;DR: Two variants of Rebalanced-RSA are introduced in which the public exponent e is much smaller than the modulus, thus reducing the encryption costs, while still maintaining low decryption costs.

15 citations


Book ChapterDOI
02 Apr 2009
TL;DR: A new practical construction of a certificateless public key encryption scheme without pairing is presented, which is, in the random oracle model, provably secure under the assumption that the RSA problem is intractable.
Abstract: Certificateless Public Key Cryptography was first introduced by Al-Riyami and Paterson in order to eliminate the inherent key-escrow problem of Identity-Based Cryptography. In this paper, we present a new practical construction of a certificateless public key encryption scheme without pairing. Our scheme is, in the random oracle model, provably secure under the assumption that the RSA problem is intractable.

13 citations


Book ChapterDOI
29 Apr 2009
TL;DR: A very simple but not well-known modification of the RSA-OAEP encryption which asks that the RSA function is only applied to a part of the OAEP transform is re-visited and it is shown that security does not degrade as the number of ciphertexts an adversary can see increases.
Abstract: OAEP is one of the few standardized and widely deployed public-key encryption schemes. It was designed by Bellare and Rogaway as a scheme based on a trapdoor permutation such as RSA. RSA-OAEP is standardized in RSA's PKCS #1 v2.1 and is part of several standards. RSA-OAEP was shown to be IND-CCA secure in the random oracle model under the standard RSA assumption. However, the reduction is not tight, meaning that the guaranteed level of security is not very high for a practical parameter choice. We first observe that the situation is even worse because the analysis was done in the single-query setting, i.e. where an adversary gets a single challenge ciphertext. This does not take into account the fact that in reality an adversary can observe multiple ciphertexts of related messages. The results about the multi-query setting imply that the guaranteed concrete security can degrade by a factor of q, which is the number of challenge ciphertexts an adversary can get. We re-visit a very simple but not well-known modification of the RSA-OAEP encryption which asks that the RSA function is only applied to a part of the OAEP transform. We show that in addition to the previously shown fact that security of this scheme is tightly related to the hardness of the RSA problem, security does not degrade as the number of ciphertexts an adversary can see increases. Moreover, this scheme can be used to encrypt long messages without using hybrid encryption. We believe that this modification to RSA-OAEP is easy to implement, and the benefits it provides deserve the attention of standards bodies.

11 citations


Book ChapterDOI
10 Nov 2009
TL;DR: This paper explains how to design fully secure RSA-type cryptosystems from schemes only secure against passive attacks, in the standard model, using instance-independence assumptions, which, roughly speaking, conjecture that for certain problems, an interactive access to a solver for another problem does not help the challenger.
Abstract: This paper explains how to design fully secure RSA-type cryptosystems from schemes only secure against passive attacks, in the standard model. We rely on instance-independence assumptions, which, roughly speaking, conjecture that for certain problems, an interactive access to a solver for another problem does not help the challenger. Previously, instance-independence assumptions were used in a "negative" way, to prove that certain schemes proven in the random oracle model were not provable in the standard model. Our paradigm applies to virtually all (weakly secure) RSA-type encryption schemes for which the public RSA exponent can be arbitrarily chosen. As an illustration, we present a chosen-ciphertext secure variant of the Naccache-Stern encryption scheme.

9 citations


Book ChapterDOI
02 Dec 2009
TL;DR: This paper confirms cryptosystems security by using the following approach: Find a variant of RO which leaks the information needed to realize the extension attack, and prove that RSA-KEM is secure in the ERO model.
Abstract: At Crypto 2005, Coron et al. showed that the Merkle-Damgard hash function (MDHF) with a fixed input length random oracle is not indifferentiable from a random oracle RO due to the extension attack. Namely, MDHF does not behave like RO. This result implies that there exists some cryptosystem secure in the RO model but insecure under MDHF. However, this does not imply that no cryptosystem is secure under MDHF. This fact motivates us to establish a methodology for confirming cryptosystems' security under MDHF. In this paper, we confirm cryptosystems' security by using the following approach: (1) Find a variant, $\widetilde{\mathsf{RO}}$, of RO which leaks the information needed to realize the extension attack. (2) Prove that MDHF is indifferentiable from $\widetilde{\mathsf{RO}}$. (3) Prove cryptosystems' security in the $\widetilde{\mathsf{RO}}$ model. From the indifferentiability framework, a cryptosystem secure in the $\widetilde{\mathsf{RO}}$ model is also secure under MDHF. Thus we concentrate on finding $\widetilde{\mathsf{RO}}$, which is weaker than RO. We propose the Traceable Random Oracle (TRO) which leaks enough information to permit the extension attack. By using TRO, we can easily confirm the security of OAEP and variants of OAEP. However, there are several practical cryptosystems whose security cannot be confirmed by TRO (e.g. RSA-KEM). This is because TRO leaks information that is irrelevant to the extension attack. Therefore, we propose another $\widetilde{\mathsf{RO}}$, the Extension Attack Simulatable Random Oracle, ERO, that leaks just the information needed for the extension attack. Fortunately, ERO is necessary and sufficient to confirm the security of cryptosystems under MDHF. This means that the security of any cryptosystem under MDHF is equivalent to that under the ERO model. We prove that RSA-KEM is secure in the ERO model.

Journal ArticleDOI
TL;DR: A novel identity-based encryption with wildcards (WIBE) scheme is proposed and is proven secure in the standard model (without random oracle) assuming that the decisional Bilinear Diffie-Hellman (DBDH) problem is hard.

Journal ArticleDOI
TL;DR: An SEKR (searchable encryption with keyword-recoverability) scheme which is secure even if the adversaries have any useful partial information about the keyword, and an SEKR scheme for multi-keywords.
Abstract: Searchable encryption has many applications including e-mail systems and storage systems. The usefulness of searchable encryption derives from its support of keyword-testability. Keyword-testability means that a receiver of a ciphertext can test whether the ciphertext contains a specific keyword. Recently, Bellare et al. suggested an efficiently-searchable encryption scheme with keyword-recoverability as well as keyword-testability. Keyword-recoverability means that a receiver can extract the keyword from a ciphertext. All of the previous searchable encryption schemes have provided only keyword-testability. However, as explained by Bellare et al., no efficiently-searchable encryption scheme can provide even security against chosen keyword attacks. That is, Bellare et al.'s scheme assumes that no useful partial information about the keyword is known to the adversaries. In this paper, we suggest an SEKR (searchable encryption with keyword-recoverability) scheme which is secure even if the adversaries have any useful partial information about the keyword. Our scheme provides security against chosen ciphertext attacks which are stronger attacks than chosen keyword attacks. We also suggest an SEKR scheme for multi-keywords.

Posted Content
TL;DR: In this paper, the authors showed that FDH, OAEP, and RSA-KEM are secure under a hash function MD with Merkle-Damgard (MD) construction that uses a random oracle compression function h.
Abstract: In this paper, we show that major cryptosystems such as FDH, OAEP, and RSA-KEM are secure under a hash function MD with Merkle-Damgard (MD) construction that uses a random oracle compression function h. First, we propose two new ideal primitives called Traceable Random Oracle (TRO) and Extension Attack Simulatable Random Oracle (ERO) which are weaker than a random oracle (RO). Second, we show that MD is indifferentiable from LRO, TRO and ERO, where LRO is the Leaky Random Oracle proposed by Yoneyama et al. This result means that if a cryptosystem is secure in these models, then the cryptosystem is secure under MD following the indifferentiability theory proposed by Maurer et al. Finally, we prove that OAEP is secure in the TRO model and RSA-KEM is secure in the ERO model. Since it is also known that FDH is secure in the LRO model, as a result, the major cryptosystems FDH, OAEP and RSA-KEM are secure under MD, though MD is not indifferentiable from RO.

Book
01 Jan 2009
TL;DR: Security, Proofs and Models (1), Possibility and Impossibility results for Encryption and Commitment Secure under Selective Opening and Salvaging Merkle-Damgard for Practical Applications.
Abstract: Security, Proofs and Models (1).- Possibility and Impossibility Results for Encryption and Commitment Secure under Selective Opening.- Breaking RSA Generically Is Equivalent to Factoring.- Resettably Secure Computation.- On the Security Loss in Cryptographic Reductions.- Hash Cryptanalysis.- On Randomizing Hash Functions to Strengthen the Security of Digital Signatures.- Cryptanalysis of MDC-2.- Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC.- Finding Preimages in Full MD5 Faster Than Exhaustive Search.- Group and Broadcast Encryption.- Asymmetric Group Key Agreement.- Adaptive Security in Broadcast Encryption Systems (with Short Ciphertexts).- Traitors Collaborating in Public: Pirates 2.0.- Cryptosystems (1).- Key Agreement from Close Secrets over Unsecured Channels.- Order-Preserving Symmetric Encryption.- A Double-Piped Mode of Operation for MACs, PRFs and PROs: Security beyond the Birthday Barrier.- Cryptanalysis.- On the Security of Cryptosystems with Quadratic Decryption: The Nicest Cryptanalysis.- Cube Attacks on Tweakable Black Box Polynomials.- Smashing SQUASH-0.- Cryptosystems (2).- Practical Chosen Ciphertext Secure Encryption from Factoring.- Realizing Hash-and-Sign Signatures under Standard Assumptions.- A Public Key Encryption Scheme Secure against Key Dependent Chosen Plaintext and Adaptive Chosen Ciphertext Attacks.- Invited Talk.- Cryptography without (Hardly Any) Secrets?.- Security, Proofs and Models (2).- Salvaging Merkle-Damgard for Practical Applications.- On the Security of Padding-Based Encryption Schemes - or - Why We Cannot Prove OAEP Secure in the Standard Model.- Simulation without the Artificial Abort: Simplified Proof and Improved Concrete Security for Waters' IBE Scheme.- On the Portability of Generalized Schnorr Proofs.- Side Channels.- A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks.- A Leakage-Resilient Mode of Operation.- Curves.- ECM on Graphics Cards.- Double-Base Number System for Multi-scalar Multiplications.- Endomorphisms for Faster Elliptic Curve Cryptography on a Large Class of Curves.- Generating Genus Two Hyperelliptic Curves over Large Characteristic Finite Fields.- Randomness.- Verifiable Random Functions from Identity-Based Key Encapsulation.- Optimal Randomness Extraction from a Diffie-Hellman Element.- A New Randomness Extraction Paradigm for Hybrid Encryption.

Journal Article
TL;DR: Experiment indicates that the application scheme of the RSA non-encryption algorithm in the digital signature could further enhance the security of data in the transmission process.
Abstract: With the development of computer network communication technology, information encryption technology needs to be further improved while the demand for information security becomes even stronger. In order to improve the security of data transmission in computer networks, the RSA asymmetric encryption algorithm, the RSA operation and padding are applied. This paper also gives the application scheme of the RSA non-encryption algorithm in the digital signature. Experiment indicates that the scheme could further enhance the security of data in the transmission process.

Posted Content
TL;DR: In this article, the authors customize the indifferentiability framework of Maurer, Renner and Holenstein and propose a new oracle called private interface leak RO (privleak-RO) to verify the security of instantiated cryptosystems where the hash functions have the well known structure of the Merkle-Damgard construction with Stam's type-II compression function in the Ideal Cipher Model.
Abstract: Since the Merkle-Damgard (MD) type hash functions are differentiable from ROs even when compression functions are modeled by ideal primitives, there is no guarantee as to the security of cryptosystems when ROs are instantiated with structural hash functions. In this paper, we study the security of instantiated cryptosystems where the hash functions have the well known structure of the Merkle-Damgard construction with Stam's type-II compression function (denoted MD-TypeII) in the Ideal Cipher Model (ICM). Note that since the Type-II scheme includes the Davies-Meyer compression function, SHA-256 and SHA-1 have the MD-TypeII structure. We show that OAEP, RSA-KEM, PSEC-KEM, ECIES-KEM and many other encryption schemes are secure when using the MD-TypeII hash function. In order to show this, we customize the indifferentiability framework of Maurer, Renner and Holenstein. We call the customized framework "indifferentiability with condition". In this framework, for some condition α that cryptosystem C satisfies, if hash function H is indifferentiable from RO under condition α, C is secure when RO is instantiated with H. We note the condition of "prefix-free" that the above schemes satisfy. We show that the MD-TypeII hash function is indifferentiable from RO under this condition. When the output length of RO is incompatible with that of the hash function, the output size is expanded by Key Derivation Functions (KDFs). Since a KDF is specified as MGF1 in RSA's PKCS #1 V2.1, its security discussion is important in practice. We show that KDFs using the MD-TypeII hash function (KDF-MD-TypeII) are indifferentiable from ROs under this condition of "prefix-free". Therefore, we can conclude that the above practical encryption schemes are secure even when ROs are instantiated with (KDF-)MD-TypeII hash functions.
Although Dodis, Ristenpart and Shrimpton showed that FDH, PSS, Fiat-Shamir, and so on are secure when RO is instantiated with the MD-TypeII hash function in the ICM, their analyses use a different approach from ours, called indifferentiability from public-use RO (pub-RO). They showed that the above cryptosystems are secure in the pub-RO model and that the MD-TypeII hash function is indifferentiable from pub-RO. Since their analyses did not consider the structure of KDFs, there might exist some attack using a KDF's structure. We show that KDFs using pub-RO (KDF-pub-RO) are differentiable from pub-RO. Thus, we cannot trivially extend the result of Dodis et al. to the indifferentiability of KDF-MD-TypeII hash functions. We propose a new oracle called private interface leak RO (privleak-RO). We show that KDF-pub-ROs are indifferentiable from privleak-ROs and that the above cryptosystems are secure in the privleak-RO model. Therefore, by combining the result of Dodis et al. with our result, we can conclude that the above cryptosystems are secure when ROs are instantiated with KDF-MD-TypeII hash functions. Since OAEP, RSA-KEM, PSEC-KEM, ECIES-KEM and many other encryption schemes are insecure in the pub-RO (privleak-RO) model, we cannot confirm the security of these encryption schemes from the approach of Dodis et al. Therefore, the result of Dodis et al. can be supplemented with our result. Consequently, from the two results we can confirm the security of almost all practical cryptosystems when ROs are instantiated with (KDF-)MD-TypeII hash functions.

Journal Article
Sun Shi-liang
TL;DR: This paper puts forward a one-time pad encryption technology based on RSA that adds an encryption key e0 and a decryption key d0 on the basis of the traditional RSA public-key system.

Book ChapterDOI
14 Dec 2009
TL;DR: This paper shows how to modify a universal hash based public key encryption scheme proposed by Zheng and Seberry at Crypto'92, in such a way that the resultant scheme not only preserves efficiency but also admits provable security against adaptive chosen ciphertext attack without a random oracle.
Abstract: An important research area in the past decade is to search for efficient cryptographic schemes that do not rely for their security on the controversial random oracle assumption. In this paper, we continue this line of endeavors and report our success in identifying a very efficient public key encryption scheme whose formal security proof does not require a random oracle. Specifically, we show how to modify a universal hash based public key encryption scheme proposed by Zheng and Seberry at Crypto'92, in such a way that the resultant scheme not only preserves efficiency but also admits provable security against adaptive chosen ciphertext attack without a random oracle. We also compare the modified Zheng-Seberry scheme with related encryption schemes in terms of efficiency and underlying assumptions, supporting our conclusion that the modified Zheng-Seberry scheme is preferable to its competitors.


Journal Article
TL;DR: The construction of a reasonable interaction between the Adversary and the Simulator is used to prove the inverse proposition of "if decomposition of the large integer N=pq is difficult, then Rabin-OAEP is secure against adaptive chosen-ciphertext attack."
Abstract: This paper discusses the security of the Rabin-OAEP algorithm against adaptive chosen-ciphertext attack. The construction of a reasonable interaction between the Adversary and the Simulator is used to prove the inverse proposition of "if decomposition of the large integer N=pq is difficult (for p, q two large prime numbers), then Rabin-OAEP is secure against adaptive chosen-ciphertext attack". The result supports the claim that Rabin-OAEP is a secure algorithm.

Journal ArticleDOI
TL;DR: An encoding method is proposed that yields efficient Tag-KEM schemes when combined with set partial one-way permutations such as RSA and Rabin's encryption scheme to lead to the most practical hybrid encryption scheme of this type.
Abstract: Recently a framework called Tag-KEM/DEM was introduced to construct efficient hybrid encryption schemes. Although it is known that the generic encode-then-encrypt construction of chosen ciphertext secure public-key encryption also applies to secure Tag-KEM construction and some known encoding methods like OAEP can be used for this purpose, it is worth pursuing more efficient encoding methods dedicated to Tag-KEM construction. This paper proposes an encoding method that yields efficient Tag-KEM schemes when combined with set partial one-way permutations such as RSA and Rabin's encryption scheme. To our knowledge, this leads to the most practical hybrid encryption scheme of this type. We also present an efficient Tag-KEM which is CCA-secure under the general factoring assumption rather than the Blum factoring assumption.

Book ChapterDOI
12 Dec 2009
TL;DR: The multi-challenge model for PKEMs is considered, where an adversary can obtain multiple challenge ciphertexts, and it is demonstrated that there are strong ties between PKEM and public key encryption.
Abstract: In this paper, we consider the problem of building an efficient key encapsulation mechanism (KEM) with partial message recovery, in brief, PKEM, which aims at providing better bandwidth than standard KEM. We demonstrate several practical issues that were not considered by the previous research, e.g., the additional security loss due to the loose reduction of OAEP, and the ciphertext overhead caused by the corresponding data encapsulation mechanism (DEM). We give solutions to these problems; furthermore, we consider the multi-challenge model for PKEMs, where an adversary can obtain multiple challenge ciphertexts. Apparently, this is a more severe and more realistic model for PKEM. We then show two generic constructions of PKEMs and prove their security in the multi-challenge model. Our constructions are natural and simple. Finally, we give some instantiations of our generic constructions, and compare their efficiency. Our results demonstrate that there are strong ties between PKEM and public key encryption.