### Instantiability of RSA-OAEP under Chosen-Plaintext Attack
[chapter]

2010
*Lecture Notes in Computer Science*

This appears to be the first non-trivial positive result about the instantiability of RSA-OAEP. ... are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and ... In particular, we thank Dan for reminding us of [13, Remark 2, p. 6], Alex for pointing out the improved attack in Section 5.3, and Phil for encouraging us to consider the case of small e more closely. ...

doi:10.1007/978-3-642-14623-7_16
fatcat:ntdcqiimfvdbrcd3xetpiq74hu

### OAEP Reconsidered
[chapter]

2001
*Lecture Notes in Computer Science*

OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. ... It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. ... Namely, it was claimed that the variant OAEP briefly discussed in §7.1 could also be proven secure, but this is not so. ...

### Minimizing the use of random oracles in authenticated encryption schemes
[chapter]

1997
*Lecture Notes in Computer Science*

The schemes achieve semantic security and plaintext awareness under assumptions we will specify. One scheme uses the RSA primitive the other uses Diffie-Hellman. ... A cryptographic scheme is "provably secure" if an attack on the scheme implies an attack on the underlying primitive which it uses. ... Security of new instantiation of OAEP We now look at how the new instantiation of OAEP has the above properties. ...

doi:10.1007/bfb0028457
fatcat:ysm6fh5wbrcdddsu7kp7jnzfui

### RSA-OAEP Is Secure under the RSA Assumption
[chapter]

2001
*Lecture Notes in Computer Science*

It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. ... Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks. ... IND-CPA 6 q i IND - Indistinguishability NM - Non-Malleability CPA - Chosen-Plaintext Attack CCA1 - Chosen-Ciphertext Attack (non-adaptive) CCA2 - Chosen-Ciphertext Attack (adaptive) Plaintext-Awareness A ...

doi:10.1007/3-540-44647-8_16
fatcat:w55uyv3t4vfdbea7ylk7hb2cpq

### RSA-OAEP Is Secure under the RSA Assumption

2004
*Journal of Cryptology*

It proves that OAEP offers semantic security against adaptive chosen-ciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. ... Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks. ... IND-CPA 6 q i IND - Indistinguishability NM - Non-Malleability CPA - Chosen-Plaintext Attack CCA1 - Chosen-Ciphertext Attack (non-adaptive) CCA2 - Chosen-Ciphertext Attack (adaptive) Plaintext-Awareness A ...

doi:10.1007/s00145-002-0204-y
fatcat:r5u6xo37zzhl3hmedjbf57mbni

### OAEP Reconsidered

2002
*Journal of Cryptology*

OAEP is widely believed to provide resistance against adaptive chosen ciphertext attack. ... It should be stressed that these results do not imply that a particular instantiation of OAEP, such as RSA-OAEP, is insecure. They simply undermine the original justification for its security. ... Namely, it was claimed that the variant OAEP briefly discussed in §7.1 could also be proven secure, but this is not so. ...

### Strengthening Security of RSA-OAEP
[chapter]

2009
*Lecture Notes in Computer Science*

RSA-OAEP is standardized in RSA's PKCS #1 v2.1 and is part of several standards. RSA-OAEP was shown to be IND-CCA secure in the random oracle model under the standard RSA assumption. ... We re-visit a very simple but not well-known modification of the RSA-OAEP encryption which asks that the RSA function is only applied to a part of the OAEP transform. ... We only consider the definitions addressing chosen-ciphertext attack (as opposed to a weaker version for chosen-plaintext attack). We present two variants of the standard IND-CCA definition. ...

### Why Provable Security Matters?
[chapter]

2003
*Lecture Notes in Computer Science*

One example covers the public key encryption formatting scheme OAEP originally proposed in [3]. ... The other comes from the area of signature schemes and is related to the security proof of ESIGN [43]. ... The present paper describes the author's view of prov- ...

doi:10.1007/3-540-39200-9_28
fatcat:wqiofc3fvndv5bcmifeevrc2ty

### Practice-Oriented Provable-Security
[chapter]

1999
*Lecture Notes in Computer Science*

It does little good to use a proven secure scheme that is only proven secure against chosen-plaintext attack. ... The rationale for that move is that our protocol had been proven to resist chosen-ciphertext attacks (indeed Bleichenbacher's attacks do not work on OAEP, even though at the time of the design of OAEP ...

doi:10.1007/3-540-48969-x_1
fatcat:hawely3rmrgapgahiu3hiu5ivm

### On the Security of OAEP
[chapter]

2006
*Lecture Notes in Computer Science*

Namely, we show that instantiating both random oracles in OAEP by modest functions implies non-malleability under chosen plaintext attacks for random messages. ... Here we give further arguments in support of the security of OAEP. ... Part of the work done while both authors were visiting Centre de Recerca Matematica (CRM) and Technical ...

doi:10.1007/11935230_14
fatcat:7sexexxrtneztlagkrff2mutwa

### Fully automated analysis of padding-based encryption in the computational model

2013
*Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security - CCS '13*

Using a novel methodology to combine computational and symbolic cryptography, we present proof systems for analyzing the chosen-plaintext and chosen-ciphertext security of such schemes in the random oracle ... Using the toolset in batch mode, we build a comprehensive database of encryption schemes that records attacks against insecure schemes, and proofs with concrete bounds for secure ones. ... For illustrative purposes, we use OAEP [10] as a running example. RSA-OAEP, which instantiates OAEP with RSA as trapdoor permutation is recommended by several international standards. ...

doi:10.1145/2508859.2516663
dblp:conf/ccs/BartheCGKLSB13
fatcat:r5esat4qcbda3lt4izque4mshi

### Towards RSA-OAEP without Random Oracles
[article]

2018
*IACR Cryptology ePrint Archive*

We show new partial and full instantiation results under chosen-ciphertext security for the widely implemented and standardized RSA-OAEP encryption scheme of Bellare and Rogaway (EUROCRYPT 1994) and two ... More precisely, recall that RSA-OAEP adds redundancy and randomness to a message before composing two rounds of an underlying Feistel transform, whose round functions are modeled as random oracles (ROs ... Part of this work was carried out when he was a Mercator fellow at TU Darmstadt, and he thanks them for their hospitality. ...

dblp:journals/iacr/CaoOZ18
fatcat:v3emdyihejde3foy3fh7fg2amm

### Verified security of redundancy-free encryption from Rabin and RSA

2012
*Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12*

We then prove that the Rabin function and RSA with short exponent enjoy these properties, and thus can be used to instantiate the construction we propose to obtain efficient encryption schemes. ... Somewhat surprisingly, we show that even with a zero-length redundancy, Boneh's SAEP scheme (an OAEP-like construction with a single-round Feistel network rather than two) converts a trapdoor one-way permutation ... Furthermore, plaintext-awareness is achieved by cryptographic transformations [25, 26, 35] that convert encryption schemes that are just semantically secure under chosen-plaintext attacks [28] into ...

doi:10.1145/2382196.2382272
dblp:conf/ccs/BarthePB12
fatcat:vylm4kib5zbi3cgiok63v3dbsi

### Securely combining public-key cryptosystems

2001
*Proceedings of the 8th ACM conference on Computer and Communications Security - CCS '01*

chosen-message attacks. ... We demonstrate this for a variety of public-key encryption schemes that are secure against chosen-ciphertext attacks, and for a variety of digital signature schemes that are secure against forgery under ... The OAEP scheme [2] was proven to have the PA1 property, and its instantiation with the RSA cryptosystem, RSA-OAEP, is part of two industry standards, PKCS #1, version 2 and IEEE P1363. ...

### Practical Security in Public-Key Cryptography
[chapter]

2002
*Lecture Notes in Computer Science*

A recent trend consists in providing very efficient reductions, with a practical meaning: with usual parameters (such as 1024-bit RSA moduli) the computational cost of any attack is actually 2^72, given ... Indeed, for many people, the simple fact that a cryptographic algorithm withstands cryptanalytic attacks for several years is considered as a kind of validation. ... , granted the public key, hence the chosen-plaintext attack (CPA). ...

doi:10.1007/3-540-45861-1_1
fatcat:sr4t3dgpirbvtps3rt2fnptqt4