1 / 17

OAEP Reconsidered

OAEP Reconsidered. Tae-Joon Kim Jong yun Jun 2010. 2. 25. Introduction. RSA-OAEP is industry-wide standard for public key encryption (PKCS) OAEP is secure? This paper claims that OAEP may insecure in certain environments OAEP+. Contents. Introduction Attack Scenario OAEP

gbrian
Download Presentation

OAEP Reconsidered

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OAEP Reconsidered Tae-Joon KimJong yun Jun 2010. 2. 25

  2. Introduction • RSA-OAEP is industry-wide standard for public key encryption (PKCS) • OAEP is secure? • This paper claims that OAEP may insecure in certain environments • OAEP+

  3. Contents • Introduction • Attack Scenario • OAEP • OAEP Insecurity • OAEP+ • Conclusion

  4. Chosen Ciphertext Attack (CCA) • CCA1 : Lunchtime attack • CCA2 : Adaptive Chosen Ciphertext Attack Decryption Oracle Analysis C0,C1 , …,Cn P0,P1 , …,Pn Decryption Oracle Ci,Ci+1 , … Pi,Pi+1 , … Analysis

  5. Attack Scenario • Stage1 • Key generator → public key, private key • Stage2 • Adv. chooses ciphertexts, y • Decryption oracle gives plaintexts using private key

  6. Attack Scenario • Stage3 Random Selection x0,x1 xb b ∈ {0, 1} Encryption Oracle y*

  7. Attack Scenario • Stage4 • Adv. continues to submit y to decryption oracle • y ≠ y* • Stage5 • Adv. outputs b’ ∈ {0, 1} • Adversary’s advantage • | Pr[b’=b] – ½ |

  8. Malleability • Malleable • if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext • Security against adaptive chosen ciphertext attacks (CCA2) is equivalent to non-malleability • Indistinguishable (IND) • IND-CCA2

  9. OAEP(Optimal Asymmetric Encryption Padding) • Encrypt message into • Make two functions • Key generation • Run the one-way trapdoor permutation scheme • Obtain public key f and private key g

  10. OAEP Encryption

  11. OAEP Decryption

  12. OAEP Insecurity • Suppose we can invert f • Except the permutation, OAEP is XOR-malleable y* x* DecryptionOracle y x

  13. OAEP Insecurity • In attack scenario, • Choose two messages with • Transform y* into y (∵malleability) • Submit y to decryption oracle to obtain x • It definitely different to y* • x equals to x0 or x1, and choose other one • Adversary always find correct answer • Adversary’s advantage = 1/2

  14. OAEP Insecurity • OAEP may insecure under IND-CCA2 • XOR-malleable permutation • RSA-OAEP • Adapt RSA permutation to OAEP • Secure under IND-CCA2

  15. OAEP+ • Advanced version of OAEP • Use another hash rather than padding 0’s • As efficiency as OAEP • Secure on IND-CCA2

  16. Conclusion • OAEP is not always secure on IND-CCA2 • RSA-OAEP/OAEP+ are secure on IND-CCA2 • Malleability • Attack on relationship between ciphertexts • Introduce methodology of ‘secure’

  17. Q & A

More Related