Published in: Journal of Cryptology 3/2017

19.09.2016

Instantiability of RSA-OAEP Under Chosen-Plaintext Attack

Authors: Eike Kiltz, Adam O’Neill, Adam Smith

Abstract

We show that the widely deployed RSA-OAEP encryption scheme of Bellare and Rogaway (Eurocrypt 1994), which combines RSA with two rounds of an underlying Feistel network whose hash (i.e., round) functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions. To prove this, we first give a result on a more general notion called “padding-based” encryption, saying that such a scheme is IND-CPA if (1) its underlying padding transform satisfies a “fooling” condition against small-range distinguishers on a class of high-entropy input distributions, and (2) its trapdoor permutation is sufficiently lossy as defined by Peikert and Waters (STOC 2008). We then show that the first round of OAEP satisfies condition (1) if its hash function is t-wise independent for t roughly proportional to the allowed message length. We clarify that this result requires the hash function to be keyed, and for its key to be included in the public key of RSA-OAEP. We also show that RSA satisfies condition (2) under the \(\Phi \)-Hiding Assumption of Cachin et al. (Eurocrypt 1999). This is the first positive result about the instantiability of RSA-OAEP. In particular, it increases confidence that chosen-plaintext attacks are unlikely to be found against the scheme. In contrast, RSA-OAEP’s predecessor in PKCS #1 v1.5 was shown to be vulnerable to such attacks by Coron et al. (Eurocrypt 2000).
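The padding transform the abstract describes, as an added example that is not code from the paper: a two-round OAEP Feistel over a toy 256-bit block whose first-round function G is a keyed t-wise independent hash (a random polynomial over GF(2^128), so its key has to be published alongside the RSA public key, as the abstract points out) and whose second round uses truncated SHA-256. The block geometry (k0 = 128, k1 = 32), the GF(2^128) reduction polynomial and the choice t = 8 are assumptions made for this demonstration.

```python
import hashlib
import secrets

# Toy OAEP geometry (constructed for this example): n = 256-bit padded block,
# k0 = 128 bits of randomness r, k1 = 32 zero bits of redundancy, so the
# message part m || 0^k1 is 128 bits and messages are at most 96 bits.
K0 = 128
K1 = 32
MSG_BITS = K0 - K1          # 96
MASK128 = (1 << 128) - 1

# GF(2^128) with the reduction polynomial x^128 + x^7 + x^2 + x + 1.
GF_MOD = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1


def gf_mul(a, b):
    """Carry-less multiply of two 128-bit field elements, reduced mod GF_MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= GF_MOD
    return r


def keygen_G(t):
    """Key for a t-wise independent G: t uniform coefficients of a polynomial of
    degree < t over GF(2^128).  Per the paper this key is part of the OAEP
    public key, next to (N, e); it is not a secret."""
    return [secrets.randbits(128) for _ in range(t)]


def G(gkey, r):
    """Evaluate the key polynomial at r (Horner).  A uniformly random polynomial
    of degree < t evaluated at t distinct points is uniform on those outputs,
    which is exactly t-wise independence."""
    acc = 0
    for coef in reversed(gkey):
        acc = gf_mul(acc, r) ^ coef
    return acc


def H(s):
    """Second-round function: SHA-256 truncated to 128 bits.  The paper's
    condition only constrains G; H is included to complete the Feistel."""
    return int.from_bytes(hashlib.sha256(s.to_bytes(16, "big")).digest()[:16], "big")


def oaep_pad(gkey, m, r):
    """Two-round Feistel: s = (m || 0^k1) xor G(r); u = r xor H(s); output s || u.
    The 256-bit result is the value RSA's x -> x^e mod N is then applied to."""
    assert 0 <= m < (1 << MSG_BITS) and 0 <= r < (1 << K0)
    s = (m << K1) ^ G(gkey, r)
    u = r ^ H(s)
    return (s << K0) | u


def oaep_unpad(gkey, x):
    """Invert the Feistel; return None if the k1 redundancy bits are not zero."""
    s, u = x >> K0, x & MASK128
    r = u ^ H(s)
    padded = s ^ G(gkey, r)
    if padded & ((1 << K1) - 1):
        return None
    return padded >> K1


def encrypt_with_fresh_r(gkey, m):
    """What an encryptor does: sample r uniformly, then pad."""
    return oaep_pad(gkey, m, secrets.randbits(K0))


if __name__ == "__main__":
    gkey = keygen_G(8)          # t = 8 here; the paper needs t ~ message length
    x = encrypt_with_fresh_r(gkey, 0xDEADBEEF)
    print(hex(x), oaep_unpad(gkey, x) == 0xDEADBEEF)
```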

Footnotes

1. We often use the same terminology for ‘f-OAEP,’ which refers to OAEP using an abstract TDP f, with the meaning hopefully clear from context.

2. Such schemes were called “simple embedding schemes” by Bellare and Rogaway [5], who discussed them only on an intuitive level.

3. In the formal definition, we actually consider an “external” distinguisher who gets the extractor seed; see Sect. 3 for details.

4. In particular, this result requires that G is a keyed hash function whose key is included in the public key for OAEP. On the other hand, cryptographic hash functions are typically unkeyed. But see “Using unkeyed hash functions” below.

5. We remark that the recent attacks on \(\Phi \)A [56] are for moduli of a special form that does not include RSA.

6. Note, however, that their result does not rule out such a proof based on other properties of the TDP, non-black-box assumptions on the hash functions, or in the case of a specific TDP like RSA.

7. In particular, their security notion does not imply IND-CPA since they consider random messages. We also point out that it remains an open question whether NM-PRGs can be constructed.

8. We note that [49] actually defines lossy trapdoor functions, but the extension to permutations is straightforward.

9. This is done by choosing a uniform \((1/2-c)k\)-bit number x until \(p = x e + 1\) is a prime.

10. Additionally, in practice the encryption exponent e is usually fixed. This can be addressed by parameterizing E\(\Phi \)A by a fixed e instead of choosing it at random. Note that for \(e = 3\) one should make both \(e~|~p-1\) and \(e~|~q-1\) in the lossy case (otherwise the assumption is false [16]).
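Footnotes 9 and 10 describe how the lossy mode of RSA is set up. As an added example (not the paper's code), the following Python generates toy-sized lossy and ordinary RSA primes by footnote 9's recipe and counts the image of x -> x^e mod N by brute force, confirming that the map is e-to-1 on Z_p^* whenever e | p-1, and that footnote 10's variant with both primes lossy loses a further factor of e. The bit lengths are deliberately tiny so that the brute-force count is feasible; they are not a security parameter.

```python
import math
import secrets


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def lossy_prime(e, xbits):
    """Footnote 9's recipe: draw a uniform xbits-bit x until p = x*e + 1 is
    prime.  Then e | p-1, so x -> x^e mod p is e-to-1 on Z_p^* (lossy mode)."""
    while True:
        x = secrets.randbits(xbits) | (1 << (xbits - 1))
        p = x * e + 1
        if is_prime(p):
            return p


def injective_prime(e, bits):
    """Ordinary RSA prime: gcd(e, p-1) = 1, so x -> x^e mod p is a bijection."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(p) and math.gcd(e, p - 1) == 1:
            return p


def image_size(N, e):
    """Brute-force |{x^e mod N : x in Z_N^*}|; only feasible for toy N."""
    return len({pow(x, e, N) for x in range(1, N) if math.gcd(x, N) == 1})


def rsa_image_stats(e, p, q):
    """Compare the brute-force image size with the prediction
    phi(N) / (gcd(e, p-1) * gcd(e, q-1)): on the cyclic group Z_p^* the map
    x -> x^e has a kernel of exactly gcd(e, p-1) elements, and by CRT the
    image over Z_N^* is the product of the two per-prime images."""
    N = p * q
    phi = (p - 1) * (q - 1)
    predicted = phi // (math.gcd(e, p - 1) * math.gcd(e, q - 1))
    return {"N": N, "phi": phi, "predicted": predicted, "image": image_size(N, e)}


def lossy_keypair(e, xbits, lossy_q):
    """Lossy-mode modulus: p always has e | p-1; q too when lossy_q is set
    (footnote 10: for e = 3 both primes should be lossy)."""
    p = lossy_prime(e, xbits)
    while True:
        q = lossy_prime(e, xbits) if lossy_q else injective_prime(e, xbits + 1)
        if q != p:
            return p, q


def injective_keypair(e, bits):
    """Ordinary (injective) RSA modulus with two distinct primes."""
    p = injective_prime(e, bits)
    while True:
        q = injective_prime(e, bits)
        if q != p:
            return p, q


if __name__ == "__main__":
    e = 3
    print("injective:      ", rsa_image_stats(e, *injective_keypair(e, 8)))
    print("one lossy prime:", rsa_image_stats(e, *lossy_keypair(e, 7, False)))
    print("both lossy:     ", rsa_image_stats(e, *lossy_keypair(e, 7, True)))
```

In the injective case the image is all of Z_N^*; with one lossy prime it shrinks to phi(N)/e and with both to phi(N)/e^2, which is the lossiness condition (2) of the abstract made concrete.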
 
References

1. M. Abdalla, M. Bellare, P. Rogaway, The oracle Diffie–Hellman assumptions and an analysis of DHIES, in D. Naccache, editor, CT-RSA 2001. LNCS, vol. 2020 (Springer, Heidelberg, April 2001), pp. 143–158
2. B. Barak, R. Shaltiel, E. Tromer, True random number generators secure in a changing environment, in C.D. Walter, Ç.K. Koç, C. Paar, editors, CHES 2003. LNCS, vol. 2779 (Springer, Heidelberg, September 2003), pp. 166–180
3. M. Bellare, A. Boldyreva, A. O’Neill, Deterministic and efficiently searchable encryption, in A. Menezes, editor, CRYPTO 2007. LNCS, vol. 4622 (Springer, Heidelberg, August 2007), pp. 535–552
4. M. Bellare, V.T. Hoang, S. Keelveedhi, Instantiating random oracles via UCEs, in R. Canetti, J.A. Garay, editors, CRYPTO 2013, Part II. LNCS, vol. 8043 (Springer, Heidelberg, August 2013), pp. 398–415
5. M. Bellare, A. Palacio, Towards plaintext-aware public-key encryption without random oracles, in P.J. Lee, editor, ASIACRYPT 2004. LNCS, vol. 3329 (Springer, Heidelberg, December 2004), pp. 48–62
6. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in V. Ashby, editor, ACM CCS 93 (ACM Press, November 1993), pp. 62–73
7. M. Bellare, P. Rogaway, Optimal asymmetric encryption, in A. De Santis, editor, EUROCRYPT’94. LNCS, vol. 950 (Springer, Heidelberg, May 1995), pp. 92–111
8. M. Bellare, J. Rompel, Randomness-efficient oblivious sampling, in 35th FOCS (IEEE Computer Society Press, November 1994), pp. 276–287
9. M. Blum, P. Feldman, S. Micali, Proving security against chosen cyphertext attacks, in S. Goldwasser, editor, CRYPTO’88. LNCS, vol. 403 (Springer, Heidelberg, August 1990), pp. 256–268
10. A. Boldyreva, D. Cash, M. Fischlin, B. Warinschi, Foundations of non-malleable hash and one-way functions, in M. Matsui, editor, ASIACRYPT 2009. LNCS, vol. 5912 (Springer, Heidelberg, December 2009), pp. 524–541
11. A. Boldyreva, S. Fehr, A. O’Neill, On notions of security for deterministic encryption, and efficient constructions without random oracles, in D. Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, Heidelberg, August 2008), pp. 335–359
12. A. Boldyreva, M. Fischlin, Analysis of random oracle instantiation scenarios for OAEP and other practical schemes, in V. Shoup, editor, CRYPTO 2005. LNCS, vol. 3621 (Springer, Heidelberg, August 2005), pp. 412–429
13. A. Boldyreva, M. Fischlin, On the security of OAEP, in X. Lai, K. Chen, editors, ASIACRYPT 2006. LNCS, vol. 4284 (Springer, Heidelberg, December 2006), pp. 210–225
14. D. Boneh, Simplified OAEP for the RSA and Rabin functions, in J. Kilian, editor, CRYPTO 2001. LNCS, vol. 2139 (Springer, Heidelberg, August 2001), pp. 275–291
16. C. Cachin, Efficient private bidding and auctions with an oblivious third party, in ACM CCS 99 (ACM Press, November 1999), pp. 120–127
17. C. Cachin, S. Micali, M. Stadler, Computationally private information retrieval with polylogarithmic communication, in J. Stern, editor, EUROCRYPT’99. LNCS, vol. 1592 (Springer, Heidelberg, May 1999), pp. 402–414
18. R. Canetti, Towards realizing random oracles: hash functions that hide all partial information, in B.S. Kaliski Jr., editor, CRYPTO’97. LNCS, vol. 1294 (Springer, Heidelberg, August 1997), pp. 455–469
19. R. Canetti, R.R. Dakdouk, Extractable perfectly one-way functions, in L. Aceto, I. Damgård, L.A. Goldberg, M.M. Halldórsson, A. Ingólfsdóttir, I. Walukiewicz, editors, ICALP 2008, Part II. LNCS, vol. 5126 (Springer, Heidelberg, July 2008), pp. 449–460
20. R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited. J. ACM, 51(4), 557–594 (2004)
21. R. Canetti, D. Micciancio, O. Reingold, Perfectly one-way probabilistic hash functions (preliminary version), in 30th ACM STOC (ACM Press, May 1998), pp. 131–140
22. D. Coppersmith, Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol., 10(4), 233–260 (1997)
23. J.-S. Coron, M. Joye, D. Naccache, P. Paillier, New attacks on PKCS#1 v1.5 encryption, in B. Preneel, editor, EUROCRYPT 2000. LNCS, vol. 1807 (Springer, Heidelberg, May 2000), pp. 369–381
24. J.-S. Coron, M. Joye, D. Naccache, P. Paillier, Universal padding schemes for RSA, in M. Yung, editor, CRYPTO 2002. LNCS, vol. 2442 (Springer, Heidelberg, August 2002), pp. 226–241
25. Y. Dodis, R. Oliveira, K. Pietrzak, On the generic insecurity of the full domain hash, in V. Shoup, editor, CRYPTO 2005. LNCS, vol. 3621 (Springer, Heidelberg, August 2005), pp. 449–466
26. Y. Dodis, A. Sahai, A. Smith, On perfect and adaptive security in exposure-resilient cryptography, in B. Pfitzmann, editor, EUROCRYPT 2001. LNCS, vol. 2045 (Springer, Heidelberg, May 2001), pp. 301–324
27. Y. Dodis, A. Smith, Correcting errors without leaking partial information, in H.N. Gabow, R. Fagin, editors, 37th ACM STOC (ACM Press, May 2005), pp. 654–663
28. D.M. Freeman, O. Goldreich, E. Kiltz, A. Rosen, G. Segev, More constructions of lossy and correlation-secure trapdoor functions. J. Cryptol., 26(1), 39–74 (2013)
29. E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern, RSA-OAEP is secure under the RSA assumption. J. Cryptol., 17(2), 81–104 (2004)
30. C. Gentry, P.D. Mackenzie, Z. Ramzan, Password authenticated key exchange using hidden smooth subgroups, in V. Atluri, C. Meadows, A. Juels, editors, ACM CCS 05 (ACM Press, November 2005), pp. 299–309
31. O. Goldreich, Foundations of Cryptography: Basic Applications, vol. 2 (Cambridge University Press, Cambridge, UK, 2004)
32. S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci., 28(2), 270–299 (1984)
33. B. Harris, RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol. RFC 4432
34. B. Hemenway, R. Ostrovsky, Public-key locally-decodable codes, in D. Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, Heidelberg, August 2008), pp. 126–143
35. B. Hemenway, R. Ostrovsky, A. Rosen, Non-committing encryption from \(\phi \)-hiding, in Y. Dodis, J.B. Nielsen, editors, TCC 2015, Part I. LNCS, vol. 9014 (Springer, Heidelberg, March 2015), pp. 591–608
36. M. Herrmann, Improved cryptanalysis of the multi-prime \(\phi \)-hiding assumption, in A. Nitaj, D. Pointcheval, editors, AFRICACRYPT 11. LNCS, vol. 6737 (Springer, Heidelberg, July 2011), pp. 92–99
37. D. Hofheinz, E. Kiltz, The group of signed quadratic residues and applications, in S. Halevi, editor, CRYPTO 2009. LNCS, vol. 5677 (Springer, Heidelberg, August 2009), pp. 637–653
38. E. Kiltz, K. Pietrzak, Personal communication (2009)
39. E. Kiltz, A. O’Neill, A. Smith, Instantiability of RSA-OAEP under chosen-plaintext attack, in T. Rabin, editor, CRYPTO 2010. LNCS, vol. 6223 (Springer, Heidelberg, August 2010), pp. 295–313
40. E. Kiltz, K. Pietrzak, On the security of padding-based encryption schemes – or – why we cannot prove OAEP secure in the standard model, in A. Joux, editor, EUROCRYPT 2009. LNCS, vol. 5479 (Springer, Heidelberg, April 2009), pp. 389–406
41.
42. A.K. Lenstra, Unbelievable security. Matching AES security using public key systems (invited talk), in C. Boyd, editor, ASIACRYPT 2001. LNCS, vol. 2248 (Springer, Heidelberg, December 2001), pp. 67–86
43. M. Lewko, A. O’Neill, A. Smith, Regularity of lossy RSA on subdomains and its applications, in T. Johansson, P.Q. Nguyen, editors, EUROCRYPT 2013. LNCS, vol. 7881 (Springer, Heidelberg, May 2013), pp. 55–75
44. A. May, Using LLL-reduction for solving RSA and factorization problems: a survey, in LLL+25 Conference in Honour of the 25th Birthday of the LLL Algorithm (2007)
45. S. Micali, C. Rackoff, B. Sloan, The notion of security for probabilistic cryptosystems, in A.M. Odlyzko, editor, CRYPTO’86. LNCS, vol. 263 (Springer, Heidelberg, August 1987), pp. 381–392
46. P. Mol, S. Yilek, Chosen-ciphertext security from slightly lossy trapdoor functions, in P.Q. Nguyen, D. Pointcheval, editors, PKC 2010. LNCS, vol. 6056 (Springer, Heidelberg, May 2010), pp. 296–311
47. N. Nisan, D. Zuckerman, Randomness is linear in space. J. Comput. Syst. Sci., 52(1), 43–52 (1996)
48. P. Paillier, J.L. Villar, Trading one-wayness against chosen-ciphertext security in factoring-based encryption, in X. Lai, K. Chen, editors, ASIACRYPT 2006. LNCS, vol. 4284 (Springer, Heidelberg, December 2006), pp. 252–266
49. O. Pandey, R. Pass, V. Vaikuntanathan, Adaptive one-way functions and applications, in D. Wagner, editor, CRYPTO 2008. LNCS, vol. 5157 (Springer, Heidelberg, August 2008), pp. 57–74
50. C. Peikert, B. Waters, Lossy trapdoor functions and their applications. SIAM J. Comput., 40(6), 1803–1844 (2011)
52. M.O. Rabin, Digitalized signatures and public-key functions as intractable as factorization. Technical report (1979)
53. C. Rackoff, D.R. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in J. Feigenbaum, editor, CRYPTO’91. LNCS, vol. 576 (Springer, Heidelberg, August 1992), pp. 433–444
54. R.L. Rivest, A. Shamir, L. Adleman, U.S. patent 4405829: cryptographic communications system and method
55. R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining public-key cryptosystems and digital signatures. Technical Memo MIT/LCS/TM-82, Massachusetts Institute of Technology, Laboratory for Computer Science (1977)
56. C. Schridde, B. Freisleben, On the validity of the phi-hiding assumption in cryptographic protocols, in J. Pieprzyk, editor, ASIACRYPT 2008. LNCS, vol. 5350 (Springer, Heidelberg, December 2008), pp. 344–354
57. Y. Seurin, On the lossiness of the Rabin trapdoor function, in H. Krawczyk, editor, PKC 2014. LNCS, vol. 8383 (Springer, Heidelberg, March 2014), pp. 380–398
58. V. Shoup, OAEP reconsidered. J. Cryptol., 15(4), 223–249 (2002)
59. A. Smith, Y. Zhang, On the regularity of lossy RSA: improved bounds and applications to padding-based encryption, in Y. Dodis, J.B. Nielsen, editors, TCC 2015, Part I. LNCS, vol. 9014 (Springer, Heidelberg, March 2015), pp. 609–628
60. K. Tosu, N. Kunihiro, Optimal bounds for multi-prime phi-hiding assumption, in Information Security and Privacy, 17th Australasian Conference, ACISP 2012, Wollongong, NSW, Australia, July 9–11, 2012. Proceedings (2012), pp. 1–14
61. L. Trevisan, S.P. Vadhan, Extracting randomness from samplable distributions, in 41st FOCS (IEEE Computer Society Press, November 2000), pp. 32–42
62. M.N. Wegman, L. Carter, New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci., 22(3), 265–279 (1981)
63. S. Yilek, E. Rescorla, H. Shacham, B. Enright, S. Savage, When private keys are public: results from the 2008 Debian OpenSSL vulnerability, in Internet Measurement Conference
Metadata

Title: Instantiability of RSA-OAEP Under Chosen-Plaintext Attack
Authors: Eike Kiltz, Adam O’Neill, Adam Smith
Publication date: 19.09.2016
Publisher: Springer US
Published in: Journal of Cryptology / Issue 3/2017
Print ISSN: 0933-2790
Electronic ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-016-9238-4