Beyond Provable Security Verifiable IND-CCA Security of OAEP
نویسندگان
چکیده
OAEP is a widely used public-key encryption scheme based on trapdoor permutations. Its security proof has been scrutinized and amended repeatedly. Fifteen years after the introduction of OAEP, we present a machine-checked proof of its security against adaptive chosenciphertext attacks under the assumption that the underlying permutation is partial-domain one-way. The proof can be independently verified by running a small and trustworthy proof checker and fixes minor glitches that have subsisted in published proofs. We provide an overview of the proof, highlight the differences with earlier works, and explain in some detail a crucial step in the reduction: the elimination of indirect queries made by the adversary to random oracles via the decryption oracle. We also provide—within the limits of a conference paper—a broader perspective on independently verifiable security proofs.
منابع مشابه
Unprovable Security of RSA-OAEP in the Standard Model
Consider the provable security of RSA-OAEP when not instantiated with random oracles. Suppose a security reduction exists to show that finding a plaintext from a RSA-OAEP ciphertext (breaking the basic OW-CPA security) is as hard as the RSA problem. • The reduction can be used in an adaptive chosen ciphertext text (IND-CCA2) attack against RSA-OAEP. • The reduction cannot succeed in the random ...
متن کاملRSA–REACT: An Alternative to RSA–OAEP
The last few months, several new results appeared about the OAEP construction, and namely the RSA–OAEP cryptosystem. Whereas OAEP was believed to provide the highest security level (IND-CCA2), with an efficient exact security level, the effective security result had been showed to be incomplete. Nevertheless, the particular instantiation with RSA (which is anyway almost the sole application) ha...
متن کاملRSA { REACT : An Alternative to RSA {
The last few months, several new results appeared about the OAEP construction , and namely the RSA{OAEP cryptosystem. Whereas OAEP was believed to provide the highest security level (IND-CCA2), with an eecient exact security level, the eeective security result had been showed to be incomplete. Nevertheless, the particular instantiation with RSA (which is anyway almost the sole application) had ...
متن کاملChosen-Ciphertext Security without Redundancy
We propose asymmetric encryption schemes for which all ciphertexts are valid (which means here “reachable”: the encryption function is not only a probabilistic injection, but also a surjection). We thus introduce the Full-Domain Permutation encryption scheme which uses a random permutation. This is the first IND-CCA cryptosystem based on any trapdoor one-way permutation without redundancy, and ...
متن کاملOAEP++ : A Very Simple Way to Apply OAEP to Deterministic OW-CPA Primitives
We prove in the random oracle model that OAEP++, which was proposed by us at the rump session of Asiacrypt 2000, can generate IND-CCA2 ciphers using deterministic OW-CPA cryptographic primitives. Note that OAEP++ differs from OAEP proposed by Jonsson in [4]. While OAEP requires a non-malleable block cipher, OAEP++ does not require such additional functions. The security reduction of OAEP++ is a...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2011