OAEP++ : A Very Simple Way to Apply OAEP to Deterministic OW-CPA Primitives
نویسندگان
چکیده
We prove in the random oracle model that OAEP++, which was proposed by us at the rump session of Asiacrypt 2000, can generate IND-CCA2 ciphers using deterministic OW-CPA cryptographic primitives. Note that OAEP++ differs from OAEP proposed by Jonsson in [4]. While OAEP requires a non-malleable block cipher, OAEP++ does not require such additional functions. The security reduction of OAEP++ is as tight as that of OAEP.
منابع مشابه
What Hashes Make RSA-OAEP Secure?
Firstly, we demonstrate a pathological hash function choice that makes RSA-OAEP insecure. This shows that at least some security property is necessary for the hash functions used in RSAOAEP. Nevertheless, we conjecture that only some very minimal security properties of the hash functions are actually necessary for the security of RSA-OAEP. Secondly, we consider certain types of reductions that ...
متن کاملUnprovable Security of RSA-OAEP in the Standard Model
Consider the provable security of RSA-OAEP when not instantiated with random oracles. Suppose a security reduction exists to show that finding a plaintext from a RSA-OAEP ciphertext (breaking the basic OW-CPA security) is as hard as the RSA problem. • The reduction can be used in an adaptive chosen ciphertext text (IND-CCA2) attack against RSA-OAEP. • The reduction cannot succeed in the random ...
متن کاملOn the Security of OAEP
Currently, the best and only evidence of the security of the OAEP encryption scheme is a proof in the contentious random oracle model. Here we give further arguments in support of the security of OAEP. We first show that partial instantiations, where one of the two random oracles used in OAEP is instantiated by a function family, can be provably secure (still in the random oracle model). For va...
متن کاملAn OAEP Variant With a Tight Security Proof – Draft 1.0
We introduce the OAEP encoding method, which is an adaptation of the OAEP encoding method, replacing the last step of the encoding operation with an application of a block cipher such as AES. We demonstrate that if f is a one-way trapdoor function that is hard to invert, then OAEP combined with f is secure against an INDCCA2 adversary in the random oracle model. Moreover, the security reduction...
متن کاملAnalysis of Random Oracle Instantiation Scenarios for OAEP and Other Practical Schemes
We investigate several previously suggested scenarios of instantiating random oracles (ROs) with “realizable” primitives in cryptographic schemes. As candidates for such “instantiating” primitives we pick perfectly one-way hash functions (POWHFs) and verifiable pseudorandom functions (VPRFs). Our analysis focuses on the most practical encryption schemes such as OAEP and its variant PSS-E and th...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2002 شماره
صفحات -
تاریخ انتشار 2002