
Showing papers on "Optimal asymmetric encryption padding published in 2010"


Book
01 Jan 2010
TL;DR: Proceedings volume of CRYPTO 2010 (Advances in Cryptology). The entries relevant to this query sit in the session "Key Exchange, OAEP/RSA, CCA": "Instantiability of RSA-OAEP under Chosen-Plaintext Attack" and "Efficient Chosen-Ciphertext Security via Extractable Hash Proofs".
Abstract (table of contents, by session):
Leakage: Circular and Leakage Resilient Public-Key Encryption under Subgroup Indistinguishability; Leakage-Resilient Pseudorandom Functions and Side-Channel Attacks on Feistel Networks; Protecting Cryptographic Keys against Continual Leakage; Securing Computation against Continuous Leakage.
Lattice: An Efficient and Parallel Gaussian Sampler for Lattices; Lattice Basis Delegation in Fixed Dimension and Shorter-Ciphertext Hierarchical IBE.
Homomorphic Encryption: Toward Basing Fully Homomorphic Encryption on Worst-Case Hardness; Additively Homomorphic Encryption with d-Operand Multiplications; i-Hop Homomorphic Encryption and Rerandomizable Yao Circuits.
Theory and Applications: Interactive Locking, Zero-Knowledge PCPs, and Unconditional Cryptography; Fully Secure Functional Encryption with General Relations from the Decisional Linear Assumption; Structure-Preserving Signatures and Commitments to Group Elements; Efficient Indifferentiable Hashing into Ordinary Elliptic Curves.
Key Exchange, OAEP/RSA, CCA: Credential Authenticated Identification and Key Exchange; Password-Authenticated Session-Key Generation on the Internet in the Plain Model; Instantiability of RSA-OAEP under Chosen-Plaintext Attack; Efficient Chosen-Ciphertext Security via Extractable Hash Proofs.
Attacks: Factorization of a 768-Bit RSA Modulus; Correcting Errors in RSA Private Keys; Improved Differential Attacks for ECHO and Grøstl; A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony.
Composition: Universally Composable Incoercibility; Concurrent Non-Malleable Zero Knowledge Proofs; Equivalence of Uniform Key Agreement and Composition Insecurity.
Computation Delegation and Obfuscation: Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers; Improved Delegation of Computation Using Fully Homomorphic Encryption; Oblivious RAM Revisited; On Strong Simulation and Composable Point Obfuscation.
Multiparty Computation: Protocols for Multiparty Coin Toss with Dishonest Majority; Multiparty Computation for Dishonest Majority: From Passive to Active Security at Low Cost; Secure Multiparty Computation with Minimal Interaction; A Zero-One Law for Cryptographic Complexity with Respect to Computational UC Security.
Pseudorandomness: On Generalized Feistel Networks; Cryptographic Extraction and Key Derivation: The HKDF Scheme; Time Space Tradeoffs for Attacks against One-Way Functions and PRGs; Pseudorandom Functions and Permutations Provably Secure against Related-Key Attacks.
Quantum: Secure Two-Party Quantum Evaluation of Unitaries against Specious Adversaries; On the Efficiency of Classical and Quantum Oblivious Transfer Reductions; Sampling in a Quantum Population, and Applications.

306 citations


Book ChapterDOI
15 Aug 2010
TL;DR: It is shown that the widely deployed RSA-OAEP encryption scheme, which combines RSA with two rounds of an underlying Feistel network whose hash functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions.
Abstract: We show that the widely deployed RSA-OAEP encryption scheme of Bellare and Rogaway (Eurocrypt 1994), which combines RSA with two rounds of an underlying Feistel network whose hash (i.e., round) functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions. To prove this, we first give a result on a more general notion called "padding-based" encryption, saying that such a scheme is IND-CPA if (1) its underlying padding transform satisfies a "fooling" condition against small-range distinguishers on a class of high-entropy input distributions, and (2) its trapdoor permutation is sufficiently lossy as defined by Peikert and Waters (STOC 2008). We then show that the first round of OAEP satisfies condition (1) if its hash function is t-wise independent for appropriate t and that RSA satisfies condition (2) under the φ-Hiding Assumption of Cachin et al. (Eurocrypt 1999). This appears to be the first non-trivial positive result about the instantiability of RSA-OAEP. In particular, it increases our confidence that chosen-plaintext attacks are unlikely to be found against the scheme. In contrast, RSA-OAEP's predecessor in PKCS #1 v1.5 was shown to be vulnerable to such attacks by Coron et al. (Eurocrypt 2000).

104 citations
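
The abstract above describes RSA-OAEP as RSA applied to a two-round Feistel transform. The following Python is an added worked example for this page, not code from the paper or from any library: it implements the EME-OAEP encode and decode of RFC 8017 (MGF1 as the mask generation function; SHA-256 assumed as the hash; the modulus length k and the label are parameters) without the RSA step, so the padding transform the paper analyzes can be run on its own. Decoding folds every structural check into a single failure value, which is what PKCS #1 v2 requires so that a decryptor does not tell an attacker which check failed.

```python
# EME-OAEP (RFC 8017 section 7.1) as a two-round Feistel network over a random
# seed and a data block, plus the structural checks done on decode.  Added
# example for this page; not code from the paper.  SHA-256 is assumed as the
# hash; k is the octet length of the RSA modulus the padded block would be fed to.
import hashlib
import hmac
import os
from typing import Optional


def mgf1(seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """MGF1 (RFC 8017 appendix B.2.1): hash(seed || counter) for counter = 0, 1, ..."""
    h_len = hashlib.new(hash_name).digest_size
    out = b"".join(
        hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        for counter in range((length + h_len - 1) // h_len)
    )
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, k: int, label: bytes = b"",
                hash_name: str = "sha256", seed: Optional[bytes] = None) -> bytes:
    """Return EM = 0x00 || maskedSeed || maskedDB, exactly k bytes long."""
    h_len = hashlib.new(hash_name).digest_size
    if len(message) > k - 2 * h_len - 2:
        raise ValueError("message too long for this modulus and hash")
    l_hash = hashlib.new(hash_name, label).digest()
    ps = b"\x00" * (k - len(message) - 2 * h_len - 2)
    db = l_hash + ps + b"\x01" + message                  # k - h_len - 1 bytes
    if seed is None:
        seed = os.urandom(h_len)                          # fresh per encryption
    # Round 1: the seed masks the data block.
    masked_db = xor(db, mgf1(seed, k - h_len - 1, hash_name))
    # Round 2: the masked data block masks the seed, so a change to either half
    # of EM scrambles the recovered DB (the all-or-nothing property).
    masked_seed = xor(seed, mgf1(masked_db, h_len, hash_name))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, label: bytes = b"",
                hash_name: str = "sha256") -> Optional[bytes]:
    """Invert both rounds, then check leading byte, lHash, padding and separator.
    All checks fold into one flag and one failure value so the caller cannot
    tell which check failed.  Python gives no constant-time guarantee; the
    structure is the point."""
    h_len = hashlib.new(hash_name).digest_size
    if len(em) != k or k < 2 * h_len + 2:
        return None
    y, masked_seed, masked_db = em[0], em[1:1 + h_len], em[1 + h_len:]
    seed = xor(masked_seed, mgf1(masked_db, h_len, hash_name))
    db = xor(masked_db, mgf1(seed, k - h_len - 1, hash_name))
    l_hash = hashlib.new(hash_name, label).digest()
    sep_index, bad_pad = -1, False
    for i in range(h_len, len(db)):           # scan PS for the 0x01 separator
        if sep_index == -1:
            if db[i] == 0x01:
                sep_index = i
            elif db[i] != 0x00:
                bad_pad = True
    ok = ((y == 0x00) & hmac.compare_digest(db[:h_len], l_hash)
          & (sep_index != -1) & (not bad_pad))
    return db[sep_index + 1:] if ok else None
```

Flipping one bit anywhere in EM changes the recovered seed and therefore the entire data block, so the lHash check fails; that is the second Feistel round at work, and it is why an RSA-OAEP decryptor that reports distinct errors (or takes distinct time) for the leading-byte check versus the later checks, as in the Manger timing-attack entry further down this listing, is the remaining thing to get wrong.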


Journal ArticleDOI
TL;DR: The computer simulation results show that the proposed encryption algorithm is sensitive to the multiple keys, and that it has considerable robustness, noise immunity and security.

95 citations


09 Aug 2010
TL;DR: The padding oracle attack is turned into a new set of practical web hacking techniques, and a new technique is introduced that allows attackers to use a padding oracle to encrypt messages of any length without knowing the secret key.
Abstract: At Eurocrypt 2002, Vaudenay introduced a powerful side-channel attack, which is called padding oracle attack, against CBC-mode encryption with PKCS#5 padding (See [6]). If there is an oracle which on receipt of a ciphertext, decrypts it and then replies to the sender whether the padding is correct or not, Vaudenay shows how to use that oracle to efficiently decrypt data without knowing the encryption key. In this paper, we turn the padding oracle attack into a new set of practical web hacking techniques. We also introduce a new technique that allows attackers to use a padding oracle to encrypt messages of any length without knowing the secret key. Finally, we show how to use that technique to mount advanced padding oracle exploits against popular web development frameworks.

51 citations
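
The attack described above, as an added worked example for this page (not the authors' code): a CBC padding oracle that only answers "padding valid or not" is used first to decrypt a ciphertext block by block and then to forge a ciphertext for a chosen plaintext by building the chain backwards from an arbitrary last block. The block cipher is a toy SHA-256 Feistel network standing in for AES, since the Python standard library has none; the attack treats it as a black box. The oracle is assumed to accept a caller-chosen IV (an assumption of this example).

```python
# CBC padding-oracle attack (Vaudenay 2002) plus the encrypt-without-the-key
# trick: added example for this page, not the authors' code.  The block cipher
# is a toy Feistel network over SHA-256 standing in for AES; the attack never
# looks inside it.  The oracle is assumed to accept a caller-chosen IV.
import hashlib
import os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, r: int, half: bytes) -> bytes:    # Feistel round function
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in range(8):
        left, right = right, xor(left, _f(key, r, right))
    return right + left

def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:8], block[8:]               # undo the final swap
    for r in reversed(range(8)):
        left, right = xor(right, _f(key, r, left)), left
    return left + right

def pad(data: bytes) -> bytes:                       # PKCS#5/#7 padding
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, out, prev = pad(plaintext), [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(prev, padded[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_raw(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(prev, block_decrypt(key, ct[i:i + BLOCK])))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def padding_oracle(key: bytes, iv: bytes, ct: bytes) -> bool:
    """The server-side leak: a distinguishable error on bad padding."""
    try:
        unpad(cbc_decrypt_raw(key, iv, ct))
        return True
    except ValueError:
        return False

def recover_intermediate(oracle, block: bytes) -> bytes:
    """Learn D_k(block) from the oracle alone, one byte at a time from the end."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad_len = BLOCK - pos
        iv = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):     # force already-known bytes to pad_len
            iv[j] = inter[j] ^ pad_len
        for guess in range(256):
            iv[pos] = guess
            if not oracle(bytes(iv), block):
                continue
            if pos == BLOCK - 1:             # rule out an accidental 02 02 / 03 03 03 ...
                probe = bytearray(iv)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe), block):
                    continue
            inter[pos] = guess ^ pad_len
            break
        else:
            raise RuntimeError("oracle never accepted a padding")
    return bytes(inter)

def decrypt_with_oracle(oracle, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(xor(prev, recover_intermediate(oracle, cur))
                  for prev, cur in zip(blocks, blocks[1:]))
    return unpad(pt)

def encrypt_with_oracle(oracle, plaintext: bytes):
    """Forge (iv, ct) for any plaintext: pick the last block at random, then walk
    backwards making each earlier block D_k(next block) XOR wanted plaintext."""
    padded = pad(plaintext)
    chain = [os.urandom(BLOCK)]
    for p in reversed([padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]):
        chain.insert(0, xor(recover_intermediate(oracle, chain[0]), p))
    return chain[0], b"".join(chain[1:])
```

Each recovered byte costs at most 256 oracle calls, so a full block is about 4 000 queries whichever direction the attack runs; the forging direction needs no knowledge of the original plaintext at all, only the oracle. The fix is the usual one: authenticate the ciphertext (an authenticated mode or encrypt-then-MAC) and return a single error for every decryption failure.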


Posted Content
TL;DR: A trapdoor one-way function is constructed from two n-qubit quantum states, and a bit-oriented quantum public-key encryption scheme is proposed that is proved information-theoretically secure under chosen-plaintext attack.
Abstract: We present a definition of information-theoretic security of quantum public-key encryption (QPKE) under chosen-plaintext attack. Then we introduce two n-qubit quantum states and prove their indistinguishability and trapdoor property. We construct a trapdoor one-way function based on the two states, and suggest a bit-oriented quantum public-key encryption scheme which is proved to be information-theoretically secure under chosen-plaintext attack. Finally, we extend the QPKE scheme to a multi-bit-oriented one.

21 citations


Journal ArticleDOI
TL;DR: It is shown that IND-CCA security of this scheme is tightly related to the hardness of one-wayness of the trapdoor permutation in the random oracle model, which implies tight security for RSA-OAEP under the RSA assumption and shows that security does not degrade as the number of ciphertexts an adversary can see increases.
Abstract: OAEP is one of the few standardized and widely deployed public-key encryption schemes. It was designed by Bellare and Rogaway as a scheme based on a trapdoor permutation such as RSA. RSA-OAEP is standardized in RSA's PKCS #1 v2.1 and is part of several standards. OAEP was shown to be IND-CCA secure assuming the underlying trapdoor permutation is partial one-way, and RSA-OAEP was proven to be IND-CCA under the standard RSA assumption, both in the random oracle model. However, the latter reduction is not tight, meaning that the guaranteed level of security is not very high for a practical parameter choice. We observe that the situation is even worse because both analyses were done in the single-query setting, i.e., where an adversary gets a single challenge ciphertext. This does not take into account the fact that in reality an adversary can observe multiple ciphertexts of related messages. The results about the multiquery setting imply that the guaranteed concrete security can degrade by a factor of q, which is the number of challenge ciphertexts an adversary can get. We propose a very simple modification of the OAEP encryption, which asks that the trapdoor permutation instance is only applied to a part of the OAEP transform. We show that IND-CCA security of this scheme is tightly related to the hardness of one-wayness of the trapdoor permutation in the random oracle model. This implies tight security for RSA-OAEP under the RSA assumption. We also show that security does not degrade as the number of ciphertexts an adversary can see increases. Moreover, OAEP can be used to encrypt long messages without using hybrid encryption. We believe that this modification is easy to implement, and the benefits it provides deserve the attention of standards bodies.

15 citations


Book ChapterDOI
26 May 2010
TL;DR: In this article, the authors investigated whether public-key encryption schemes in the random oracle model essentially require the standard security of hash functions by the WROMs, and they obtained the following results: (1) The OAEP is secure in all the four models.
Abstract: Liskov proposed several weakened versions of the random oracle model, called weakened random oracle models (WROMs), to capture the vulnerability of ideal compression functions, which are expected to have the standard security of hash functions, i.e., collision resistance, second-preimage resistance, and one-wayness properties. The WROMs offer additional oracles to break such properties of the random oracle. In this paper, we investigate whether public-key encryption schemes in the random oracle model essentially require the standard security of hash functions by the WROMs. In particular, we deal with four WROMs associated with the standard security of hash functions; the standard, collision tractable, second-preimage tractable, first-preimage tractable ones (ROM, CT-ROM, SPT-ROM, and FPT-ROM, respectively), done by Numayama et al. for digital signature schemes in the WROMs. We obtain the following results: (1) The OAEP is secure in all the four models. (2) The encryption schemes obtained by the Fujisaki-Okamoto conversion (FO) are secure in the SPT-ROM. However, some encryption schemes with FO are insecure in the FPT-ROM. (3) We consider two artificial variants wFO and dFO of FO for separation of the WROMs in the context of encryption schemes. The encryption schemes with wFO (dFO, respectively) are secure in the CT-ROM (ROM, respectively). However, some encryption schemes obtained by wFO (dFO, respectively) are insecure in the SPT-ROM (CT-ROM, respectively). These results imply that standard encryption schemes such as the OAEP and FO-based one do not always require the standard security of hash functions. Moreover, in order to make our security proofs complete, we construct an efficient sampling algorithm for the binomial distribution with exponentially large parameters, which was left open in Numayama et al.’s paper.

12 citations


Book ChapterDOI
22 Jun 2010
TL;DR: In this paper, the authors describe new attacks on PKCS#1 v1.5, a deprecated but still widely used RSA encryption standard, and underline the need to accelerate the phase-out of the standard.
Abstract: This paper describes new attacks on PKCS#1 v1.5, a deprecated but still widely used RSA encryption standard. The first cryptanalysis is a broadcast attack, allowing the opponent to reveal an identical plaintext sent to different recipients. This is nontrivial because different randomizers are used for different encryptions (in other words, plaintexts coincide only partially). The second attack predicts, using a single query to a validity checking oracle, which of two chosen plaintexts corresponds to a challenge ciphertext. The attack's success odds are very high. The two new attacks rely on different mathematical tools and underline the need to accelerate the phase-out of PKCS#1 v1.5.

11 citations


Journal ArticleDOI
TL;DR: This paper presents a sound and automated procedure that allows us to verify that a generic asymmetric encryption scheme is secure against chosen-plaintext attacks in the random oracle model.
Abstract: Chosen-ciphertext security is by now a standard security property for asymmetric encryption. Many generic constructions for building secure cryptosystems from primitives with lower level of security have been proposed. Providing security proofs has also become standard practice. There is, however, a lack of automated verification procedures that analyze such cryptosystems and provide security proofs. This paper presents an automated procedure for analyzing generic asymmetric encryption schemes in the random oracle model. It has been applied to several examples of encryption schemes among which the construction of Bellare-Rogaway 1993, of Pointcheval at PKC'2000 and REACT.

11 citations


Journal ArticleDOI
TL;DR: A rational m-out-of-n secret sharing scheme is proposed: a dealer entrusts a secret to a group of n players such that any subset of m or more players can reconstruct the secret, while a subset of fewer than m players learns nothing about it. The scheme is built on RSA-OAEP with distributed decryption.
Abstract: In this paper, we propose a rational m-out-of-n secret sharing scheme, in which a dealer wishes to entrust a secret to a group of n players such that any subset of m or more players can reconstruct the secret, but a subset of fewer than m players cannot learn anything about the secret. The reconstruction protocol of our scheme is fair and stable in the rational setting, allowing all players to obtain the designated secret. Our scheme is based on RSA-OAEP with distributed decryption. The security of our scheme relies on a computational assumption and uses random oracles. The size of each share in our scheme is independent of the utility function, and the computation cost of the reconstruction protocol is constant. Moreover, our scheme prevents attacks by coalitions of at most m-1 players.

10 citations


Book ChapterDOI
15 Dec 2010
TL;DR: This work examines a number of different open source implementations of the RSA Optimal Asymmetric Encryption Padding (OAEP) and generally RSA with respect to the message-aimed timing attack introduced by James Manger in CRYPTO 2001, and addresses shortcomings concerning the countermeasures.
Abstract: In this work we examine a number of different open source implementations of the RSA Optimal Asymmetric Encryption Padding (OAEP) and generally RSA with respect to the message-aimed timing attack introduced by James Manger in CRYPTO 2001. We show the shortcomings concerning the countermeasures in two libraries for personal computers, and address potential flaws in previously proposed countermeasures. Furthermore, we point out a new source of timing differences that has not been addressed previously. We also investigate a new class of related problems in the multi-precision integer arithmetic that in principle allows a variant of Manger's attack to be launched against RSA implementations on 8-bit and possibly 16-bit platforms.
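
Manger's attack, which the timing differences in the paper feed, as an added worked example for this page (not code from the paper): a decryptor that leaks one bit per query, namely whether the RSA output c^d mod n is smaller than B = 2^(8(k-1)) (equivalently, whether the first of the k octets is 0x00), lets the attacker recover the plaintext of any ciphertext in roughly log2(n) queries. The modulus here is a toy 19-byte product of the Mersenne primes 2^61-1 and 2^89-1, and the oracle is an idealized function rather than a timing measurement; both are assumptions of the example.

```python
# Manger's attack (CRYPTO 2001) on RSA-OAEP against an oracle that leaks whether
# y = c^d mod n is below B = 2^(8(k-1)), i.e. whether the first of k octets is
# 0x00 -- the bit that the timing differences in the paper expose.  Added example
# for this page, not code from the paper.  The modulus is a toy built from the
# Mersenne primes 2^61-1 and 2^89-1 (19 octets), far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # octet length of the modulus
B = 1 << (8 * (K - 1))                 # y < B  <=>  leading octet is 0x00
assert 2 * B < N, "attack precondition (holds for any real RSA modulus)"


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def leaky_oracle(c: int) -> bool:
    """Models a decryptor whose 'leading octet not zero' failure is distinguishable
    (by error message or by timing) from the later OAEP decoding failures."""
    return pow(c, D, N) < B


def manger_attack(c: int, oracle, n: int = N, e: int = E, b: int = B):
    """Recover m = c^d mod n from the oracle.  Returns (m, number of queries)."""
    queries = 0

    def lt_b(f: int) -> bool:            # is (f*m) mod n < B ?  (RSA is multiplicative)
        nonlocal queries
        queries += 1
        if queries > 8 * n.bit_length() + 1024:
            raise RuntimeError("oracle does not behave as assumed")
        return oracle((pow(f, e, n) * c) % n)

    # Step 1: double f1 until f1*m lands in [B, 2B).
    f1 = 2
    while lt_b(f1):
        f1 *= 2
    # Step 2: start with f2*m in [n/2, n+B) and add (f1/2)*m (< B) each time
    # until f2*m falls in [n, n+B), i.e. wraps past n by less than B.
    f2 = ((n + b) // b) * (f1 // 2)
    while not lt_b(f2):
        f2 += f1 // 2
    # Step 3: m lies in [m_min, m_max]; pick f3 so that f3*m straddles i*n + B
    # and let the oracle answer which side, halving the interval per query.
    m_min, m_max = ceil_div(n, f2), (n + b) // f2
    while m_min < m_max:
        f_tmp = (2 * b) // (m_max - m_min)
        i = (f_tmp * m_min) // n
        f3 = ceil_div(i * n, m_min)
        if lt_b(f3):
            m_max = (i * n + b) // f3
        else:
            m_min = ceil_div(i * n + b, f3)
    return m_min, queries
```

The recovered integer is the OAEP-encoded block itself, so the attacker then simply runs the public OAEP decode on it. The countermeasure the paper audits in the libraries is to make the leading-octet failure indistinguishable from every later decoding failure, in both the error reported and the time taken, including in the multi-precision arithmetic that converts the RSA output to octets.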

01 Jan 2010
TL;DR: This document updates RFC 4055's conventions for using the RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP) key transport algorithm in the Internet X.509 Public Key Infrastructure (PKI).
Abstract: This document updates RFC 4055. It updates the conventions for using the RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP) key transport algorithm in the Internet X.509 Public Key Infrastructure (PKI). Specifically, it updates the conventions for algorithm parameters in an X.509 certificate's subjectPublicKeyInfo field. [STANDARDS-TRACK]

Proceedings ArticleDOI
01 Dec 2010
TL;DR: This paper implements various asymmetric encryption techniques of the RSA family, i.e. RSA, RSA-PKCS1 v1.5, RSA-SAEP+, RSA-OAEP and RSA-OAEP+, in MATLAB and compares them on various points.
Abstract: This paper implements various asymmetric encryption techniques of the RSA family, i.e. RSA, RSA-PKCS1 v1.5, RSA-SAEP+, RSA-OAEP and RSA-OAEP+, in MATLAB. After the implementation, we compare these techniques on various points: avalanche effect due to a one-bit variation in the plaintext with the key held constant, memory required for implementation, input block size, output buffer size, and simulation time required for messages of different lengths. This paper also discusses the application of these implemented techniques.

Dissertation
01 Jan 2010
TL;DR: A conceptually appealing semantic-security style definition of security for deterministic encryption as well as an easier-to-work-with but equivalent indistinguishability style definition is designed.
Abstract: Trapdoor functions, introduced in the seminal paper of Diffie and Hellman [34], are a fundamental notion in modern cryptography. Informally, trapdoor functions are (injective) functions that are easy to evaluate but hard to invert unless given an additional input called the trapdoor. Specifically, the classical security notion considered for trapdoor functions is one-wayness, which asks that it be hard to invert (except with very small probability) a uniformly random point in the range without the trapdoor. Motivated by the demands of emerging applications of cryptography as well as stronger security properties desired from higher-level cryptographic primitives constructed out of trapdoor functions, this thesis studies new strengthenings of the classical notion of one-way trapdoor functions and their applications. Our results are organized along two separate threads, wherein we introduce two new cryptographic primitives that strengthen the notion of one-wayness for trapdoor functions in different ways.

Deterministic Encryption: Our notion of deterministic (public-key) encryption addresses the weaknesses of using trapdoor functions directly for encryption articulated by Goldwasser and Micali [47], to the extent possible without randomizing the encryption function (whereas Goldwasser and Micali address them using randomized encryption). Specifically, deterministic encryption ensures no partial information is leaked about a high-entropy plaintext or even multiple correlated such plaintexts. Deterministic encryption has applications to fast search on encrypted data, securing legacy protocols, and "hedging" randomized encryption against bad randomness (cf. [6]). We design a conceptually appealing semantic-security style definition of security for deterministic encryption as well as an easier-to-work-with but equivalent indistinguishability style definition. In the random oracle model of Bellare and Rogaway [11], we show a secure construction of deterministic encryption for an unbounded number of arbitrarily correlated high-entropy plaintexts based on any randomized encryption scheme, as well as a length-preserving such construction based on RSA. In the standard model, we develop a general framework for constructing deterministic encryption schemes based on a new notion of "robust" hardcore functions. We show a secure construction of deterministic encryption for a single high-entropy plaintext based on exponentially-hard one-way trapdoor functions; single-message security is equivalent to security for an unbounded number of messages drawn from a block-source (where each subsequent message has high entropy conditioned on the previous) by a result of Fehr [41]. We also show a secure construction of deterministic encryption for a bounded number of arbitrarily correlated high-entropy plaintexts (or an unbounded number of messages drawn from a q-block-source, where the "blocks" consist of q messages and within each block are arbitrarily correlated high-entropy plaintexts) based on the notion of lossy trapdoor functions introduced by Peikert and Waters [68].

Adaptive Trapdoor Functions: Our notion of adaptive trapdoor functions asks that one-wayness be preserved in the presence of an inversion oracle that can be queried on some range points. The main application we give is the construction of black-box chosen-ciphertext secure public-key encryption from weaker general assumptions ("black-box" means that the specific code implementing the trapdoor function is not used in the construction, which typically incurs a huge efficiency cost). Namely, we show such a construction of chosen-ciphertext secure public-key encryption from adaptive trapdoor functions. We then show that adaptive trapdoor functions can be realized from the recently introduced notions of lossy trapdoor functions by Peikert and Waters [68] and correlated-product secure trapdoor functions by Rosen and Segev [72]. In fact, by extending a recent result of Vahlis [76] we show adaptivity is strictly weaker than the latter notions (in a black-box sense). As a consequence, adaptivity is the weakest security property of trapdoor functions known to imply black-box chosen-ciphertext security. Additionally, by slightly extending our framework and considering "tag-based" adaptive trapdoor functions, we obtain exactly the chosen-ciphertext secure encryption schemes proposed in [68, 72], thereby unifying them, although the schemes we obtain via adaptive trapdoor functions are actually more efficient. Finally, we show that adaptive trapdoor functions can be realized from a (non-standard) computational assumption on RSA inversion, leading to a very efficient RSA-based chosen-ciphertext secure encryption scheme in the standard model.

Proceedings ArticleDOI
03 Dec 2010
TL;DR: A new hierarchical identity-based encryption scheme (HIBE) is proposed, constructed in the generalized selective-ID model without random oracles; it is then converted to a constant-size-ciphertext scheme whose security reduces to the l-DBDHI problem.
Abstract: In this paper, a new hierarchical identity-based encryption scheme (HIBE) is proposed. The proposed scheme is constructed in the generalized selective-ID model without using random oracles. Under the decision bilinear Diffie-Hellman inversion (decision BDHI) assumption, the scheme is provably secure against chosen-plaintext attacks (CPA). Furthermore, we convert it to a constant-size-ciphertext scheme and reduce its security to the l-DBDHI problem.

01 Jan 2010
TL;DR: The long-term goal of this work is to increase the automation of CertiCrypt to the point that the user can submit a proof sketch of a code-based game-based cryptographic proof, consisting of a sequence of games and relational invariants, and CertiCrypt can automatically complete the proof sketch.
Abstract: CertiCrypt [1] is a general framework built on top of the Coq proof assistant to certify the security of cryptographic primitives. It has been used to verify the exact security of encryption schemes such as OAEP and signature schemes such as FDH. CertiCrypt adopts the code-based game-based paradigm of Bellare and Rogaway, in which the security statement, and the hypotheses under which it is proved, are expressed using probabilistic programs. Consequently, many proof steps involve establishing observational equivalence between two programs, or a relational Hoare statement. At present these statements are established formally using an equational theory for observational equivalence or a relational Hoare logic. The talk will report on using standard verification methods (generating verification conditions and sending them to an automatic tool) for establishing these statements automatically. The long-term goal of this work is to increase the automation of CertiCrypt, to the point that the user can submit a proof sketch of a code-based game-based cryptographic proof, consisting of a sequence of games and relational invariants, and CertiCrypt can automatically complete the proof sketch.

Proceedings ArticleDOI
Wang Wei, Xi He, Dongning Zheng, Fenlin Liu, Xin Ge
25 Jun 2010
TL;DR: A hyper-chaos based encryption algorithm for network risk assessment data is designed in this paper; experiments and analysis indicate that the algorithm is secure and valid.
Abstract: A hyper-chaos based encryption algorithm for network risk assessment data is designed in this paper. The size of a plaintext group is variable and determined by the number of encryption rounds. In the encryption procedure, the plaintext is first divided into groups of k × 2n bytes, then encrypted group by group. Every plaintext group of k × 2n bytes is divided into 2n blocks of k bytes; after n rounds of encryption transformation and one round of permutation, the ciphertext group of k × 2n bytes is obtained. To improve the security of the algorithm, Chen's system is iterated several times before the encryption of every plaintext group. Experiments and analysis indicate that the algorithm is secure and valid.