170 likes | 268 Views
OAEP Reconsidered. Tae-Joon Kim Jong yun Jun 2010. 2. 25. Introduction. RSA-OAEP is industry-wide standard for public key encryption (PKCS) OAEP is secure? This paper claims that OAEP may insecure in certain environments OAEP+. Contents. Introduction Attack Scenario OAEP
E N D
OAEP Reconsidered Tae-Joon KimJong yun Jun 2010. 2. 25
Introduction • RSA-OAEP is industry-wide standard for public key encryption (PKCS) • OAEP is secure? • This paper claims that OAEP may insecure in certain environments • OAEP+
Contents • Introduction • Attack Scenario • OAEP • OAEP Insecurity • OAEP+ • Conclusion
Chosen Ciphertext Attack (CCA) • CCA1 : Lunchtime attack • CCA2 : Adaptive Chosen Ciphertext Attack Decryption Oracle Analysis C0,C1 , …,Cn P0,P1 , …,Pn Decryption Oracle Ci,Ci+1 , … Pi,Pi+1 , … Analysis
Attack Scenario • Stage1 • Key generator → public key, private key • Stage2 • Adv. chooses ciphertexts, y • Decryption oracle gives plaintexts using private key
Attack Scenario • Stage3 Random Selection x0,x1 xb b ∈ {0, 1} Encryption Oracle y*
Attack Scenario • Stage4 • Adv. continues to submit y to decryption oracle • y ≠ y* • Stage5 • Adv. outputs b’ ∈ {0, 1} • Adversary’s advantage • | Pr[b’=b] – ½ |
Malleability • Malleable • if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext • Security against adaptive chosen ciphertext attacks (CCA2) is equivalent to non-malleability • Indistinguishable (IND) • IND-CCA2
OAEP(Optimal Asymmetric Encryption Padding) • Encrypt message into • Make two functions • Key generation • Run the one-way trapdoor permutation scheme • Obtain public key f and private key g
OAEP Insecurity • Suppose we can invert f • Except the permutation, OAEP is XOR-malleable y* x* DecryptionOracle y x
OAEP Insecurity • In attack scenario, • Choose two messages with • Transform y* into y (∵malleability) • Submit y to decryption oracle to obtain x • It definitely different to y* • x equals to x0 or x1, and choose other one • Adversary always find correct answer • Adversary’s advantage = 1/2
OAEP Insecurity • OAEP may insecure under IND-CCA2 • XOR-malleable permutation • RSA-OAEP • Adapt RSA permutation to OAEP • Secure under IND-CCA2
OAEP+ • Advanced version of OAEP • Use another hash rather than padding 0’s • As efficiency as OAEP • Secure on IND-CCA2
Conclusion • OAEP is not always secure on IND-CCA2 • RSA-OAEP/OAEP+ are secure on IND-CCA2 • Malleability • Attack on relationship between ciphertexts • Introduce methodology of ‘secure’