Instantiability of RSA-OAEP under Chosen-Plaintext Attack [chapter]

Eike Kiltz, Adam O'Neill, Adam Smith
2010 Lecture Notes in Computer Science  
This appears to be the first non-trivial positive result about the instantiability of RSA-OAEP.  ...  are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and  ...  In particular, we thank Dan for reminding us of [13, Remark 2, p. 6], Alex for pointing out the improved attack in Section 5.3, and Phil for encouraging us to consider the case of small e more closely.  ... 
doi:10.1007/978-3-642-14623-7_16 fatcat:ntdcqiimfvdbrcd3xetpiq74hu

OAEP Reconsidered [chapter]

Victor Shoup
2001 Lecture Notes in Computer Science  
OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack.  ...  It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security.  ...  Namely, it was claimed that the variant OAEP briefly discussed in §7.1 could also be proven secure, but this is not so.  ... 
doi:10.1007/3-540-44647-8_15 fatcat:hhmwt35xprfgloo434gljoz2he

Minimizing the use of random oracles in authenticated encryption schemes [chapter]

Mihir Bellare, Phillip Rogaway
1997 Lecture Notes in Computer Science  
The schemes achieve semantic security and plaintext awareness under assumptions we will specify. One scheme uses the RSA primitive the other uses Diffie-Hellman.  ...  A cryptographic scheme is "provably secure" if an attack on the scheme implies an attack on the underlying primitive which it uses.  ...  Security of new instantiation of OAEP We now look at how the new instantiation of OAEP has the above properties.  ... 
doi:10.1007/bfb0028457 fatcat:ysm6fh5wbrcdddsu7kp7jnzfui

RSA-OAEP Is Secure under the RSA Assumption [chapter]

Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, Jacques Stern
2001 Lecture Notes in Computer Science  
It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation.  ...  Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks.  ...  IND: Indistinguishability; NM: Non-Malleability; CPA: Chosen-Plaintext Attack; CCA1: Chosen-Ciphertext Attack (non-adaptive); CCA2: Chosen-Ciphertext Attack (adaptive); Plaintext-Awareness  ... 
doi:10.1007/3-540-44647-8_16 fatcat:w55uyv3t4vfdbea7ylk7hb2cpq

RSA-OAEP Is Secure under the RSA Assumption

Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, Jacques Stern
2004 Journal of Cryptology  
It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation.  ...  Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks.  ...  IND: Indistinguishability; NM: Non-Malleability; CPA: Chosen-Plaintext Attack; CCA1: Chosen-Ciphertext Attack (non-adaptive); CCA2: Chosen-Ciphertext Attack (adaptive); Plaintext-Awareness  ... 
doi:10.1007/s00145-002-0204-y fatcat:r5u6xo37zzhl3hmedjbf57mbni

OAEP Reconsidered

Victor Shoup
2002 Journal of Cryptology  
OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack.  ...  It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security.  ...  Namely, it was claimed that the variant OAEP briefly discussed in §7.1 could also be proven secure, but this is not so.  ... 
doi:10.1007/s00145-002-0133-9 fatcat:pxq5ajru5bcljmqhlqrl64bg5i

Strengthening Security of RSA-OAEP [chapter]

Alexandra Boldyreva
2009 Lecture Notes in Computer Science  
RSA-OAEP is standardized in RSA's PKCS #1 v2.1 and is part of several standards. RSA-OAEP was shown to be IND-CCA secure in the random oracle model under the standard RSA assumption.  ...  We re-visit a very simple but not well-known modification of the RSA-OAEP encryption which asks that the RSA function is only applied to a part of the OAEP transform.  ...  We only consider the definitions addressing chosen-ciphertext attack (as opposed to a weaker version for chosen-plaintext attack). We present two variants of the standard IND-CCA definition.  ... 
doi:10.1007/978-3-642-00862-7_27 fatcat:xccanil5cnhulf4s6xr7iu6b5i

Why Provable Security Matters? [chapter]

Jacques Stern
2003 Lecture Notes in Computer Science  
One example covers the public key encryption formatting scheme OAEP originally proposed in [3].  ...  The other comes from the area of signature schemes and is related to the security proof of ESIGN [43].  ...  The present paper describes the author's view of prov-  ... 
doi:10.1007/3-540-39200-9_28 fatcat:wqiofc3fvndv5bcmifeevrc2ty

Practice-Oriented Provable-Security [chapter]

Mihir Bellare
1999 Lecture Notes in Computer Science  
It does little good to use a proven secure scheme that is only proven secure against chosen-plaintext attack.  ...  The rationale for that move is that our protocol had been proven to resist chosen-ciphertext attacks (indeed Bleichenbacher's attacks do not work on OAEP, even though at the time of the design of OAEP  ... 
doi:10.1007/3-540-48969-x_1 fatcat:hawely3rmrgapgahiu3hiu5ivm

On the Security of OAEP [chapter]

Alexandra Boldyreva, Marc Fischlin
2006 Lecture Notes in Computer Science  
Namely, we show that instantiating both random oracles in OAEP by modest functions implies non-malleability under chosen plaintext attacks for random messages.  ...  Here we give further arguments in support of the security of OAEP.  ...  Part of the work done while both authors were visiting Centre de Recerca Matematica (CRM) and Technical  ... 
doi:10.1007/11935230_14 fatcat:7sexexxrtneztlagkrff2mutwa

Fully automated analysis of padding-based encryption in the computational model

Gilles Barthe, Juan Manuel Crespo, Benjamin Grégoire, César Kunz, Yassine Lakhnech, Benedikt Schmidt, Santiago Zanella-Béguelin
2013 Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security - CCS '13  
Using a novel methodology to combine computational and symbolic cryptography, we present proof systems for analyzing the chosen-plaintext and chosen-ciphertext security of such schemes in the random oracle  ...  Using the toolset in batch mode, we build a comprehensive database of encryption schemes that records attacks against insecure schemes, and proofs with concrete bounds for secure ones.  ...  For illustrative purposes, we use OAEP [10] as a running example. RSA-OAEP, which instantiates OAEP with RSA as trapdoor permutation is recommended by several international standards.  ... 
doi:10.1145/2508859.2516663 dblp:conf/ccs/BartheCGKLSB13 fatcat:r5esat4qcbda3lt4izque4mshi

Towards RSA-OAEP without Random Oracles [article]

Nairen Cao, Adam O'Neill, Mohammad Zaheri
2018 IACR Cryptology ePrint Archive  
We show new partial and full instantiation results under chosen-ciphertext security for the widely implemented and standardized RSA-OAEP encryption scheme of Bellare and Rogaway (EUROCRYPT 1994) and two  ...  More precisely, recall that RSA-OAEP adds redundancy and randomness to a message before composing two rounds of an underlying Feistel transform, whose round functions are modeled as random oracles (ROs  ...  Part of this work was carried out when he was a Mercator fellow at TU Darmstadt, and he thanks them for their hospitality.  ... 
dblp:journals/iacr/CaoOZ18 fatcat:v3emdyihejde3foy3fh7fg2amm

Verified security of redundancy-free encryption from Rabin and RSA

Gilles Barthe, David Pointcheval, Santiago Zanella Béguelin
2012 Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12  
We then prove that the Rabin function and RSA with short exponent enjoy these properties, and thus can be used to instantiate the construction we propose to obtain efficient encryption schemes.  ...  Somewhat surprisingly, we show that even with a zero-length redundancy, Boneh's SAEP scheme (an OAEP-like construction with a single-round Feistel network rather than two) converts a trapdoor one-way permutation  ...  Furthermore, plaintext-awareness is achieved by cryptographic transformations [25, 26, 35] that convert encryption schemes that are just semantically secure under chosen-plaintext attacks [28] into  ... 
doi:10.1145/2382196.2382272 dblp:conf/ccs/BarthePB12 fatcat:vylm4kib5zbi3cgiok63v3dbsi

Securely combining public-key cryptosystems

Stuart Haber, Benny Pinkas
2001 Proceedings of the 8th ACM conference on Computer and Communications Security - CCS '01  
chosen-message attacks.  ...  We demonstrate this for a variety of public-key encryption schemes that are secure against chosen-ciphertext attacks, and for a variety of digital signature schemes that are secure against forgery under  ...  The OAEP scheme [2] was proven to have the PA1 property, and its instantiation with the RSA cryptosystem, RSA-OAEP, is part of two industry standards, PKCS #1, version 2 and IEEE P1363.  ... 
doi:10.1145/501983.502013 dblp:conf/ccs/HaberP01 fatcat:2arxeim56zgg7jkvtjurswrafu

Practical Security in Public-Key Cryptography [chapter]

David Pointcheval
2002 Lecture Notes in Computer Science  
A recent trend consists in providing very efficient reductions, with a practical meaning: with usual parameters (such as 1024-bit RSA moduli) the computational cost of any attack is actually 2^72, given  ...  Indeed, for many people, the simple fact that a cryptographic algorithm withstands cryptanalytic attacks for several years is considered as a kind of validation.  ...  , granted the public key, hence the chosen-plaintext attack (CPA).  ... 
doi:10.1007/3-540-45861-1_1 fatcat:sr4t3dgpirbvtps3rt2fnptqt4