Tae-Joon Kim Jong yun Jun


1 OAEP Reconsidered
Tae-Joon Kim, Jong yun Jun

2 Introduction
RSA-OAEP is an industry-wide standard for public-key encryption (PKCS)
Is OAEP secure?
This paper claims that OAEP may be insecure in certain environments
OAEP+

3 Contents
Introduction
Attack Scenario
OAEP
OAEP Insecurity
OAEP+
Conclusion

4 Chosen Ciphertext Attack (CCA)
CCA1: Lunchtime attack
CCA2: Adaptive Chosen Ciphertext Attack
[Figure: Decryption Oracle and Analysis, with ciphertexts C0, C1, …, Cn and plaintexts P0, P1, …, Pn; and with ciphertexts Ci, Ci+1, … and plaintexts Pi, Pi+1, …]

5 Attack Scenario
Stage 1: Key generator → public key, private key
Stage 2: Adv. chooses ciphertexts y; the decryption oracle gives plaintexts using the private key

6 Attack Scenario
Stage 3
[Figure: x0, x1; Random Selection; xb; Encryption Oracle; y*]

7 Attack Scenario
Stage 4: Adv. continues to submit y to the decryption oracle, with y ≠ y*
Stage 5: Adv. outputs b’ ∈ {0, 1}
Adversary’s advantage: | Pr[b’=b] – ½ |

8 Malleability
Malleable: a scheme is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext
Security against adaptive chosen ciphertext attacks (CCA2) is equivalent to non-malleability
Indistinguishable (IND)
IND-CCA2

9 OAEP (Optimal Asymmetric Encryption Padding)
Encrypt message into
Make two functions
Key generation
Run the one-way trapdoor permutation scheme
Obtain public key f and private key g

10 OAEP Encryption

11 OAEP Decryption

12 OAEP Insecurity
Suppose we can invert f
Apart from the permutation, OAEP is XOR-malleable
[Figure: y*, y, x, x*; Decryption Oracle]

13 OAEP Insecurity
In the attack scenario:
Choose two messages with
Transform y* into y (∵ malleability)
Submit y to the decryption oracle to obtain x
It is definitely different from y*
x equals x0 or x1; choose the other one
The adversary always finds the correct answer
Adversary’s advantage = 1/2
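
Added example (not from the presentation or the paper): the attack of slides 12 and 13 in Python, run as stages 3 to 5 of the attack scenario. Assumptions: f(s‖t) = s‖f0(t), where f0 is a constructed stand-in (XOR with a private pad) that is XOR-malleable but not one-way; G and H are built from SHA-256; the sizes and all function names are illustrative. The adversary code (maul, cca2_game) uses only H, XOR and the decryption oracle.

```python
import hashlib, secrets

M, K1, K0 = 16, 16, 16             # bytes: message, zero padding, randomness
PAD = secrets.token_bytes(K0)      # private part of the stand-in permutation f0

def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))
def G(r): return hashlib.sha256(b"G" + r).digest()        # K0 -> M+K1 bytes
def H(s): return hashlib.sha256(b"H" + s).digest()[:K0]   # M+K1 -> K0 bytes
def f0(t): return xor(t, PAD)      # constructed: XOR-malleable, NOT one-way

def encrypt(x):
    r = secrets.token_bytes(K0)
    s = xor(x + bytes(K1), G(r))
    t = xor(r, H(s))
    return s + f0(t)               # f(s || t) = s || f0(t)

def decrypt(y):
    s, t = y[:M + K1], f0(y[M + K1:])   # this f0 is its own inverse
    r = xor(t, H(s))
    padded = xor(s, G(r))
    if padded[M:] != bytes(K1):
        return None                # zero-padding check failed: reject
    return padded[:M]

def maul(y_star, delta):
    """Turn y* into y != y* that decrypts to x* XOR delta, using only H and XOR."""
    s_star, c_star = y_star[:M + K1], y_star[M + K1:]
    s = xor(s_star, delta + bytes(K1))
    c = xor(c_star, xor(H(s_star), H(s)))   # f0(t*) ^ d == f0(t* ^ d), so r is kept
    return s + c

def cca2_game(x0, x1):
    """Stages 3-5: challenge, one oracle query after it, guess. Returns (b, b')."""
    b = secrets.randbelow(2)
    y_star = encrypt((x0, x1)[b])
    y = maul(y_star, xor(x0, x1))
    assert y != y_star             # the game only forbids submitting y* itself
    x = decrypt(y)                 # oracle returns the *other* message
    return b, (1 if x == x0 else 0)
```

cca2_game returns b’ = b on every run, which is the advantage |1 – ½| = ½ stated on slide 13.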

14 OAEP Insecurity
OAEP may be insecure under IND-CCA2
XOR-malleable permutation
RSA-OAEP
Adapt RSA permutation to OAEP
Secure under IND-CCA2

15 OAEP+
Advanced version of OAEP
Uses another hash rather than padding 0’s
As efficient as OAEP
Secure under IND-CCA2

16 Conclusion
OAEP is not always secure under IND-CCA2
RSA-OAEP/OAEP+ are secure under IND-CCA2
Malleability
Attack on relationship between ciphertexts
Introduce methodology of ‘secure’

17 Q & A

