OAEP Reconsidered
Tae-Joon Kim, Jong yun Jun
2010. 2. 25
Introduction
● RSA-OAEP is the industry-wide standard for public key encryption (PKCS)
● Is OAEP secure?
● This paper claims that OAEP may be insecure in certain environments
● OAEP+
Contents
● Introduction
● Attack Scenario
● OAEP
● OAEP Insecurity
● OAEP+
● Conclusion
Chosen Ciphertext Attack (CCA)
● CCA1 : Lunchtime attack
● CCA2 : Adaptive Chosen Ciphertext Attack
[Diagram: two panels, each with a Decryption Oracle and an Analysis step; ciphertexts C0, C1, …, Cn with plaintexts P0, P1, …, Pn in one, ciphertexts Ci, Ci+1, … with plaintexts Pi, Pi+1, … in the other]
Attack Scenario
● Stage1
  ● Key generator → public key, private key
● Stage2
  ● Adv. chooses ciphertexts, y
  ● Decryption oracle gives plaintexts using private key
Attack Scenario
● Stage3
[Diagram: x0, x1 → Encryption Oracle; Random Selection of b ∈ {0, 1}; xb → y*]
Attack Scenario
● Stage4
  ● Adv. continues to submit y to decryption oracle
  ● y ≠ y*
● Stage5
  ● Adv. outputs b’ ∈ {0, 1}
● Adversary’s advantage
  ● | Pr[b’=b] – ½ |
Malleability
● Malleable
  ● if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext
● Security against adaptive chosen ciphertext attacks (CCA2) is equivalent to non-malleability
● Indistinguishable (IND)
  ● IND-CCA2
OAEP (Optimal Asymmetric Encryption Padding)
● Encrypt message $x \in \{0,1\}^n$ into $y \in \{0,1\}^k$, $k = n + k_0 + k_1$
● Make two functions
  ● $G: \{0,1\}^{k_0} \to \{0,1\}^{n+k_1}$
  ● $H: \{0,1\}^{n+k_1} \to \{0,1\}^{k_0}$
● Key generation
  ● Run the one-way trapdoor permutation scheme
  ● Obtain public key f and private key g
OAEP Encryption
OAEP Decryption
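OAEP Insecurity
● Suppose we can invert f
  ● $w^* = f^{-1}(y^*)$
  ● $s^* \| t^* = w^*$
● Except for the permutation, OAEP is XOR-malleable
  ● $s = s^* \oplus (\Delta \| 0^{k_1})$
  ● $t = t^* \oplus H(s^*) \oplus H(s)$
  ● $w = s \| t$
  ● $y = f(w)$
[Diagram: y* is transformed into y; the Decryption Oracle returns x for y; $x = x^* \oplus \Delta$]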
OAEP Insecurity
● In attack scenario,
  ● Choose two messages x0, x1
  ● Transform y* into y (∵ malleability)
  ● Submit y to decryption oracle to obtain x
    ● It is definitely different from y*
  ● x equals x0 or x1; choose the other one
    ● Adversary always finds the correct answer
● Adversary’s advantage = 1/2
OAEP Insecurity
● OAEP may be insecure under IND-CCA2
  ● XOR-malleable permutation
● RSA-OAEP
  ● Adapt RSA permutation to OAEP
  ● Secure under IND-CCA2
OAEP+
● Advanced version of OAEP
● Use another hash rather than padding 0’s
● As efficient as OAEP
● Secure under IND-CCA2
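Added example (not from the original slides): a toy Python model of the malleability argument on the OAEP Insecurity slides, run against both zero-padded OAEP and OAEP+. Assumptions not on the slides: the stand-in permutation f(s||t) = s || (t XOR PAD), SHAKE-256 as the oracles G, H, H', 16-byte n, k0, k1, Δ = x0 XOR x1, and the OAEP+ layout s = (G(r) XOR x) || H'(r||x) taken from Shoup's paper.

```python
import hashlib, os

N = K0 = K1 = 16                      # toy byte lengths for n, k0, k1 (assumed)
PAD = os.urandom(K0)                  # private key of the stand-in permutation

def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))
def ro(tag, data, size): return hashlib.shake_256(tag + data).digest(size)
def G(r): return ro(b"G", r, N + K1)
def H(s): return ro(b"H", s, K0)
def Gp(r): return ro(b"G+", r, N)             # OAEP+ G: k0 -> n
def Hp(r, x): return ro(b"H'", r + x, K1)     # OAEP+ H': n+k0 -> k1

# Stand-in (assumed) permutation f(s||t) = s || f0(t), with f0(t) = t XOR PAD.
# f0 is XOR-malleable: f0(t XOR d) = f0(t) XOR d. It is not a real trapdoor.
def f(s, t): return s + xor(t, PAD)
def f_inv(y): return y[:N + K1], xor(y[N + K1:], PAD)

def oaep_encrypt(x):
    r = os.urandom(K0)
    s = xor(G(r), x + bytes(K1))      # s = G(r) XOR (x || 0^k1)
    return f(s, xor(H(s), r))         # t = H(s) XOR r

def oaep_decrypt(y):
    s, t = f_inv(y)
    m = xor(G(xor(H(s), t)), s)
    return m[:N] if m[N:] == bytes(K1) else None   # reject bad zero padding

def oaep_plus_encrypt(x):
    r = os.urandom(K0)
    s = xor(Gp(r), x) + Hp(r, x)      # hash H'(r||x) replaces the zero pad
    return f(s, xor(H(s), r))

def oaep_plus_decrypt(y):
    s, t = f_inv(y)
    r = xor(H(s), t)
    x = xor(Gp(r), s[:N])
    return x if s[N:] == Hp(r, x) else None        # reject bad check value

def maul(y_star, delta):
    """Uses only y*, the public H and the XOR-malleability of f0."""
    s_star, v_star = y_star[:N + K1], y_star[N + K1:]
    s = xor(s_star, delta + bytes(K1))            # s = s* XOR (delta || 0^k1)
    return s + xor(v_star, xor(H(s_star), H(s)))  # t = t* XOR H(s*) XOR H(s)

def ind_cca2_guess(y_star, x0, x1, decrypt):
    """Stages 4-5: query y != y*, return guess b' (None if the oracle rejects)."""
    x = decrypt(maul(y_star, xor(x0, x1)))
    return None if x is None else (1 if x == x0 else 0)
```

With zero padding the mauled ciphertext decrypts to the other message, so the guess is always right; with OAEP+ the check value no longer matches and the oracle rejects the query.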
Conclusion
● OAEP is not always secure under IND-CCA2
● RSA-OAEP/OAEP+ are secure under IND-CCA2
● Malleability
  ● Attack on relationship between ciphertexts
● Introduce methodology of ‘secure’
Q & A