Optimal asymmetric encryption padding

About: Optimal asymmetric encryption padding is a research topic. Over the lifetime, 299 publications have been published within this topic receiving 43101 citations. The topic is also known as: OAEP.

Optimal Asymmetric Encryption-How to Encrypt with RSA

Abstract: Given an arbitrary k-bit to k-bit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string x of length slightly less than k bits can be encrypted as f(rx), where rx is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme can be proven semantically secure assuming the hash function is “ideal.” Moreover, a slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she “knows” the corresponding plaintexts—such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack. Department of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093. E-mail: mihir@cs.ucsd.edu † Department of Computer Science, University of California at Davis, Davis, CA 95616, USA. E-mail: rogaway@cs.ucdavis.edu

Secure integration of asymmetric and symmetric encryption schemes

Abstract: This paper shows a generic and simple conversion from weak asymmetric and symmetric encryption schemes into an asymmetric encryption scheme which is secure in a very strong sense- indistinguishability against adaptive chosen-ciphertext attacks in the random oracle model. In particular, this conversion can be applied efficiently to an asymmetric encryption scheme that provides a large enough coin space and, for every message, many enough variants of the encryption, like the ElGamal encryption scheme.

OAEP Reconsidered

Abstract: The OAEP encryption scheme was introduced by Bellare and Rogaway at Eurocrypt '94. It converts any trapdoor permutation scheme into a public-key encryption scheme. OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. The main justification for this belief is a supposed proof of security in the random oracle model, assuming the underlying trapdoor permutation scheme is one way. This paper shows conclusively that this justification is invalid. First, it observes that there appears to be a non-trivial gap in the OAEP security proof. Second, it proves that this gap cannot be filled, in the sense that there can be no standard "black box" security reduction for OAEP. This is done by proving that there exists an oracle relative to which the general OAEP scheme is insecure. The paper also presents a new scheme OAEP+, along with a complete proof of security in the random oracle model. OAEP+ is essentially just as efficient as OAEP, and even has a tighter security reduction. It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. In fact, it turns out-- essentially by accident, rather than by design--that RSA-OAEP is secure in the random oracle model; however, this fact relies on special algebraic properties of the RSA function, and not on the security of the general OAEP scheme.

Finding a small root of a univariate modular equation

Abstract: We show how to solve a polynomial equation (mod N) of degree k in a single variable x, as long as there is a solution smaller than N1/k. We give two applications to RSA encryption with exponent 3. First, knowledge of all the ciphertext and 2/3 of the plaintext bits for a single message reveals that message. Second, if messages are padded with truly random padding and then encrypted with an exponent 3, then two encryptions of the same message (with different padding) will reveal the message, as long as the padding is less than 1/9 of the length of N. With several encryptions, another technique can (heuristically) tolerate padding up to about 1/6 of the length of N.

How to Enhance the Security of Public-Key Encryption at Minimum Cost

Abstract: This paper presents a simple and efficient conversion from a semantically secure public-key encryption scheme against passive adversaries to a non-malleable (or semantically secure) public-key encryption scheme against adaptive chosen-ciphertext attacks (active adversaries) in the random oracle model. Since our conversion requires only one random (hash) function operation, the converted scheme is almost as efficient as the original one, when the random function is replaced by a practical hash function such as SHA-1 and MD5. We also give a concrete analysis of the reduction for proving its security, and show that our security reduction is (almost) optimally efficient. Finally this paper gives some practical examples of applying this conversion to some practical and semantically secure encryption schemes such as the ElGamal, Blum-Goldwasser and Okamoto-Uchiyama schemes[4, 7, 9].