Tae-Joon Kim Jong yun Jun

Presentation transcript:

OAEP Reconsidered
Tae-Joon Kim, Jong yun Jun
2010. 2. 25

Introduction
- RSA-OAEP is the industry-wide standard for public key encryption (PKCS)
- Is OAEP secure?
- This paper claims that OAEP may be insecure in certain environments
- OAEP+

Contents
- Introduction
- Attack Scenario
- OAEP
- OAEP Insecurity
- OAEP+
- Conclusion

Chosen Ciphertext Attack (CCA)
- CCA1: Lunchtime attack
- CCA2: Adaptive Chosen Ciphertext Attack
[Diagram: C0, C1, …, Cn → Decryption Oracle → P0, P1, …, Pn → Analysis]
[Diagram: Ci, Ci+1, … → Decryption Oracle → Pi, Pi+1, … → Analysis]

Attack Scenario
- Stage 1: Key generator → public key, private key
- Stage 2: Adv. chooses ciphertexts, y; the decryption oracle gives plaintexts using the private key

Attack Scenario
- Stage 3: x0, x1 → Random Selection → xb → Encryption Oracle → y*

Attack Scenario
- Stage 4: Adv. continues to submit y to the decryption oracle, y ≠ y*
- Stage 5: Adv. outputs b’ ∈ {0, 1}
- Adversary’s advantage: | Pr[b’=b] – ½ |

Malleability
- Malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext
- Security against adaptive chosen ciphertext attacks (CCA2) is equivalent to non-malleability
- Indistinguishable (IND)
- IND-CCA2

OAEP (Optimal Asymmetric Encryption Padding)
- Encrypt message into
- Make two functions
- Key generation
  - Run the one-way trapdoor permutation scheme
  - Obtain public key f and private key g

OAEP Encryption

OAEP Decryption

OAEP Insecurity
- Suppose we can invert f
- Except for the permutation, OAEP is XOR-malleable
[Diagram: y*, y, x, x*, Decryption Oracle]

OAEP Insecurity
- In the attack scenario, adversary’s advantage = 1/2
- Choose two messages with
- Transform y* into y (∵ malleability)
- Submit y to the decryption oracle to obtain x
  - y is definitely different from y*
- x equals x0 or x1; choose the other one
- The adversary always finds the correct answer
- Adversary’s advantage = 1/2
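The game from Stages 1 to 5, played against OAEP over a toy XOR-malleable permutation, as an added example that is not part of the original slides. Assumptions made for illustration: the permutation is f(s || t) = s || f0(t) with f0 a keyed XOR (malleable, but not a real trapdoor permutation), G and H are built from SHA-256, all sizes are 16 bytes, and the two challenge messages satisfy x1 = x0 XOR delta.

```python
import hashlib, secrets

N = 16                               # toy sizes: n = k0 = k1 = 16 bytes (constructed)
ZERO = bytes(N)
KEY = secrets.token_bytes(N)         # Stage 1: key of the toy permutation f0

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def G(r):                            # G: k0 -> n + k1 bytes
    return hashlib.sha256(b"G" + r).digest()

def H(s):                            # H: n + k1 -> k0 bytes
    return hashlib.sha256(b"H" + s).digest()[:N]

def f0(t):                           # toy stand-in: f0(t ^ d) == f0(t) ^ d
    return xor(t, KEY)

def encrypt(x):
    r = secrets.token_bytes(N)
    s = xor(G(r), x + ZERO)          # message followed by k1 zero bytes
    t = xor(H(s), r)
    return s + f0(t)                 # f(s || t) = s || f0(t)

def decrypt(y):
    s, t = y[:2 * N], f0(y[2 * N:])  # keyed XOR is its own inverse
    m = xor(G(xor(t, H(s))), s)
    return m[:N] if m[N:] == ZERO else None   # reject bad redundancy

def maul(y_star, delta):
    """Turn y* into y != y* that decrypts to x* ^ delta, without the key."""
    s_star, u_star = y_star[:2 * N], y_star[2 * N:]
    s = xor(s_star, delta + ZERO)
    u = xor(u_star, xor(H(s_star), H(s)))     # uses only f0's XOR-malleability
    return s + u

def play_round():
    delta = b"\xff" * N
    x0 = ZERO; x1 = xor(x0, delta)   # assumed relation: x1 = x0 ^ delta
    b = secrets.randbelow(2)         # Stage 3: challenger picks b, returns y*
    y_star = encrypt((x0, x1)[b])
    y = maul(y_star, delta)          # Stage 4: query y != y* to the oracle
    x = decrypt(y)
    guess = 1 if x == x0 else 0      # x is the message that was NOT encrypted
    return guess == b                # Stage 5: did b' equal b?

def advantage(rounds=200):
    wins = sum(play_round() for _ in range(rounds))
    return abs(wins / rounds - 0.5)
```

The mauled ciphertext passes the zero-padding check because the recovered r is unchanged; that padding is the part OAEP+ replaces with a hash.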

OAEP Insecurity
- OAEP may be insecure under IND-CCA2
  - XOR-malleable permutation
- RSA-OAEP
  - Adapt RSA permutation to OAEP
  - Secure under IND-CCA2

OAEP+
- Advanced version of OAEP
- Uses another hash rather than padding 0’s
- As efficient as OAEP
- Secure under IND-CCA2

Conclusion
- OAEP is not always secure under IND-CCA2
- RSA-OAEP and OAEP+ are secure under IND-CCA2
- Malleability
  - Attack on the relationship between ciphertexts
- Introduces a methodology of ‘secure’

Q & A