OAEP Reconsidered
Tae-Joon Kim, Jong yun Jun
2010. 2. 25
Introduction
● RSA-OAEP is an industry-wide standard for public key encryption (PKCS)
● Is OAEP secure?
● The paper shows that OAEP can be insecure for certain trapdoor permutations
● OAEP+: the fix proposed in the paper
Contents
● Introduction
● Attack Scenario
● OAEP
● OAEP Insecurity
● OAEP+
● Conclusion
Chosen Ciphertext Attack (CCA)
● CCA1 (lunchtime attack): the adversary sends ciphertexts C0, C1, …, Cn to the decryption oracle, receives P0, P1, …, Pn, and only then does its analysis; the oracle is no longer available during the analysis
● CCA2 (adaptive chosen ciphertext attack): the decryption oracle stays available during the analysis, so the adversary can keep sending Ci, Ci+1, … chosen in light of earlier answers (and of the challenge) and receive Pi, Pi+1, …
Attack Scenario
● Stage 1
● Key generator → public key, private key; the adversary receives the public key
● Stage 2
● Adv. chooses ciphertexts y; the decryption oracle returns the corresponding plaintexts, computed with the private key
Attack Scenario
● Stage 3
● Adv. submits two messages x0, x1 to the encryption oracle
● The oracle picks b ∈ {0, 1} at random, encrypts xb and returns the challenge ciphertext y*
Attack Scenario
● Stage 4
● Adv. continues to submit ciphertexts y to the decryption oracle
● Only y ≠ y* is allowed: the challenge itself may not be decrypted
● Stage 5
● Adv. outputs a guess b' ∈ {0, 1}
● Adversary's advantage: | Pr[b' = b] – ½ |
Malleability
● A scheme is malleable if an adversary can transform a ciphertext into another ciphertext that decrypts to a related plaintext
● Non-malleability under adaptive chosen ciphertext attack (NM-CCA2) is equivalent to indistinguishability under the same attack (IND-CCA2)
● Indistinguishability (IND): the adversary cannot tell which of x0, x1 the challenge encrypts, i.e. the game above
● IND-CCA2 is the target notion for the rest of the talk
OAEP (Optimal Asymmetric Encryption Padding)
● Encrypts a message $x \in \{0,1\}^n$ into a ciphertext $y \in \{0,1\}^k$, where $k = n + k_0 + k_1$
● Uses two hash functions, modelled as random oracles:
$$G : \{0,1\}^{k_0} \to \{0,1\}^{n+k_1}, \qquad H : \{0,1\}^{n+k_1} \to \{0,1\}^{k_0}$$
● Key generation: run the key generator of the one-way trapdoor permutation scheme
● Obtain the public key f (the permutation on $\{0,1\}^k$) and the private key g (its inverse)
OAEP Encryption
● Pick $r \in \{0,1\}^{k_0}$ at random
● $s = G(r) \oplus (x \| 0^{k_1})$
● $t = H(s) \oplus r$
● $w = s \| t$, output $y = f(w)$
OAEP Decryption
● $w = g(y) = f^{-1}(y)$, parse $w = s \| t$
● $r = H(s) \oplus t$
● $x \| z = G(r) \oplus s$
● Output x if $z = 0^{k_1}$, otherwise reject
OAEP Insecurity
● Suppose for the moment that we can invert f; the point is that the padding layer on its own adds no protection
● Except for the permutation, OAEP is XOR-malleable: from the challenge $y^*$ that encrypts $x^*$, build a ciphertext y of $x = x^* \oplus \delta$
$$w^* = f^{-1}(y^*), \qquad s^* \| t^* = w^*$$
$$s = s^* \oplus (\delta \| 0^{k_1}), \qquad t = t^* \oplus H(s^*) \oplus H(s)$$
$$w = s \| t, \qquad y = f(w)$$
● Since $w = w^* \oplus \Delta$ with $\Delta = (\delta \| 0^{k_1}) \| (H(s^*) \oplus H(s))$, an XOR-malleable f lets the adversary compute $y = f(w^* \oplus \Delta)$ from $y^*$ and $\Delta$ alone
● Submitting y to the decryption oracle returns $x = x^* \oplus \delta$
OAEP Insecurity
● In the attack scenario:
● Choose two messages $x_0 \ne x_1$ and set $\delta = x_0 \oplus x_1$
● Transform $y^*$ into y as above (∵ malleability)
● Submit y to the decryption oracle to obtain x; the query is legal because $y \ne y^*$ (δ ≠ 0 changes s, and f is a permutation)
● Why y decrypts: $r = t \oplus H(s) = t^* \oplus H(s^*) = r^*$, so $s \oplus G(r^*) = (x^* \oplus \delta) \| 0^{k_1}$ and the redundancy check passes
● x equals $x_b \oplus \delta = x_{1-b}$, the other of the two messages; the adversary outputs the other index
● The adversary always finds the correct answer
● Adversary's advantage = 1/2, the maximum possible
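The five-stage IND-CCA2 game of the Attack Scenario slides, the OAEP transform of the OAEP slides, and the XOR-malleability attack above, worked through in Python as an added example (this is not code from the slides or from the paper). It assumes byte-length parameters n = k0 = k1 = 16, SHA-256 counter-mode mask generators standing in for the random oracles G and H, and a toy permutation f that is just a public XOR mask: XOR-malleable and, as the slide supposes, invertible, but not a trapdoor permutation. All function and class names are the example's own.

```python
import hashlib
import secrets
from typing import Optional

# Toy parameters, in bytes rather than bits: message n, randomness k0, redundancy k1.
N, K0, K1 = 16, 16, 16
K = N + K0 + K1                      # block length of the permutation f

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def mgf(label: bytes, seed: bytes, out_len: int) -> bytes:
    """Counter-mode SHA-256 mask generator; stands in for the random oracles G and H."""
    out = b"".join(hashlib.sha256(label + seed + i.to_bytes(4, "big")).digest()
                   for i in range((out_len + 31) // 32))
    return out[:out_len]

def G(r: bytes) -> bytes:            # G : {0,1}^k0 -> {0,1}^(n+k1)
    return mgf(b"G", r, N + K1)

def H(s: bytes) -> bytes:            # H : {0,1}^(n+k1) -> {0,1}^k0
    return mgf(b"H", s, K0)

# Assumed toy "permutation": XOR with a public mask. It is XOR-malleable
# (f(w ^ d) == f(w) ^ d) and, as the slide supposes, invertible; it is not a
# trapdoor permutation and exists only to expose the padding layer.
MASK = (hashlib.sha256(b"toy permutation mask").digest() * 2)[:K]

def f(w: bytes) -> bytes:
    return xor(w, MASK)

def f_inv(y: bytes) -> bytes:
    return xor(y, MASK)

def maul(y: bytes, d: bytes) -> bytes:
    """XOR-malleability: f(w ^ d) from y = f(w), without inverting f."""
    return xor(y, d)

def oaep_encrypt(x: bytes, r: Optional[bytes] = None) -> bytes:
    assert len(x) == N
    r = r if r is not None else secrets.token_bytes(K0)
    s = xor(G(r), x + bytes(K1))     # s = G(r) ^ (x || 0^k1)
    t = xor(H(s), r)                 # t = H(s) ^ r
    return f(s + t)                  # y = f(s || t)

def oaep_decrypt(y: bytes) -> Optional[bytes]:
    w = f_inv(y)
    s, t = w[:N + K1], w[N + K1:]
    r = xor(t, H(s))
    xz = xor(s, G(r))
    return xz[:N] if xz[N:] == bytes(K1) else None   # reject unless z == 0^k1

def maul_ciphertext(y_star: bytes, delta: bytes) -> bytes:
    """Turn y* = Enc(x*) into a valid encryption of x* ^ delta (the slide's attack)."""
    s_star = f_inv(y_star)[:N + K1]          # slide's assumption: only s* is read off w*
    s = xor(s_star, delta + bytes(K1))       # s = s* ^ (delta || 0^k1)
    dt = xor(H(s_star), H(s))                # t = t* ^ H(s*) ^ H(s)
    return maul(y_star, delta + bytes(K1) + dt)   # y = f(w* ^ D), malleability only

class DecryptionOracle:
    """Stage 2/4 oracle: decrypts anything except the challenge ciphertext."""
    def __init__(self) -> None:
        self.challenge: Optional[bytes] = None

    def query(self, y: bytes) -> Optional[bytes]:
        if y == self.challenge:
            raise ValueError("querying the challenge ciphertext is not allowed")
        return oaep_decrypt(y)

class XorMalleabilityAdversary:
    def choose(self, oracle: DecryptionOracle):
        self.x0, self.x1 = bytes(N), bytes([0xFF]) * N   # any x0 != x1 will do
        return self.x0, self.x1

    def guess(self, oracle: DecryptionOracle, y_star: bytes) -> int:
        delta = xor(self.x0, self.x1)
        x = oracle.query(maul_ciphertext(y_star, delta))  # legal: y != y* as delta != 0
        return 1 if x == self.x0 else 0                    # x = x_b ^ delta = x_{1-b}

def ind_cca2_advantage(adversary, trials: int = 100) -> float:
    """Run the five-stage game and return |Pr[b' = b] - 1/2|."""
    wins = 0
    for _ in range(trials):
        oracle = DecryptionOracle()                   # stage 1: keys are the toy mask
        x0, x1 = adversary.choose(oracle)             # stage 2
        b = secrets.randbelow(2)
        y_star = oaep_encrypt((x0, x1)[b])            # stage 3
        oracle.challenge = y_star
        wins += adversary.guess(oracle, y_star) == b  # stages 4 and 5
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("advantage:", ind_cca2_advantage(XorMalleabilityAdversary()))   # 0.5
```

The adversary inverts the toy f only to read s*; the ciphertext y is then produced by `maul`, i.e. from y* and Δ alone, which is what an XOR-malleable permutation offers. The game reports advantage 1/2 on every run, matching the slide: the padding check passes because the maul preserves r, and the redundancy $0^{k_1}$ says nothing about which message was encrypted.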
OAEP Insecurity
● OAEP may be insecure under IND-CCA2 when instantiated with an XOR-malleable trapdoor permutation
● RSA-OAEP
● Instantiates OAEP with the RSA permutation
● Secure under IND-CCA2; the attack above needs XOR-malleability, which the RSA permutation is not known to have
OAEP+
● Advanced version of OAEP proposed in the paper
● Replaces the padding of 0's (the $0^{k_1}$ redundancy) with another hash, computed over the randomness r and the message, so a mauled ciphertext no longer passes the decryption check
● As efficient as OAEP
● Secure under IND-CCA2 for any one-way trapdoor permutation (in the random oracle model)
Conclusion
● OAEP is not always secure under IND-CCA2
● RSA-OAEP and OAEP+ are secure under IND-CCA2
● Malleability
● The attack exploits a relationship between ciphertexts
● Shows what it takes to call a scheme 'secure': a precise definition (IND-CCA2) and a proof that covers the permutation actually used
Q & A