RSA–REACT: An Alternative to RSA–OAEP
Authors
Abstract
In the last few months, several new results have appeared about the OAEP construction, namely the RSA–OAEP cryptosystem. Whereas OAEP was believed to provide the highest security level (IND-CCA2), with an efficient exact security level, the effective security result has been shown to be incomplete. Nevertheless, the particular instantiation with RSA (which is anyway almost the sole application) was eventually proven secure, but the security reduction appears to be quite inefficient. Therefore, with respect to the provable security result, RSA–OAEP with a 1024-bit modulus just provides a 2 security level. Several alternatives have recently been proposed, but most of them face the same problem of a quadratic time security reduction. The exception is the recent generic conversion, called REACT, which admits a linear time reduction. Consequently, RSA–REACT appears to be the best alternative to RSA–OAEP, given its high security level, even with real-world parameters. RSA–REACT with a 1024-bit modulus indeed guarantees a 2 security level (IND-CCA2 under the RSA assumption). Furthermore, the full construction is already proven secure when integrating symmetric encryption, which guarantees the security of the overall communication.
Similar resources
RSA–REACT: An Alternative to RSA–OAEP
The last few months, several new results appeared about the OAEP construction, and namely the RSA–OAEP cryptosystem. Whereas OAEP was believed to provide the highest security level (IND-CCA2), with an efficient exact security level, the effective security result had been showed to be incomplete. Nevertheless, the particular instantiation with RSA (which is anyway almost the sole application) had ...
Unprovable Security of RSA-OAEP in the Standard Model
Consider the provable security of RSA-OAEP when not instantiated with random oracles. Suppose a security reduction exists to show that finding a plaintext from an RSA-OAEP ciphertext (breaking the basic OW-CPA security) is as hard as the RSA problem. • The reduction can be used in an adaptive chosen ciphertext (IND-CCA2) attack against RSA-OAEP. • The reduction cannot succeed in the random ...
REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform
Seven years after the optimal asymmetric encryption padding (OAEP), which makes a chosen-ciphertext secure encryption scheme from any trapdoor one-way permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem, in the random oracle model: it is optimal from both the computational and the security points of view. In...
What Hashes Make RSA-OAEP Secure?
Firstly, we demonstrate a pathological hash function choice that makes RSA-OAEP insecure. This shows that at least some security property is necessary for the hash functions used in RSA-OAEP. Nevertheless, we conjecture that only some very minimal security properties of the hash functions are actually necessary for the security of RSA-OAEP. Secondly, we consider certain types of reductions that ...
Strengthening Security of RSA-OAEP
OAEP is one of the few standardized and widely deployed public-key encryption schemes. It was designed by Bellare and Rogaway as a scheme based on a trapdoor permutation such as RSA. RSA-OAEP is standardized in RSA’s PKCS #1 v2.1 and is part of several standards. RSA-OAEP was shown to be IND-CCA secure in the random oracle model under the standard RSA assumption. However, the reduction is not t...