OAEP Reconsidered Tae-Joon Kim Jong yun Jun 2010. 2. 25

Page 1: OAEP Reconsidered

OAEP Reconsidered

Tae-Joon Kim, Jong yun Jun

2010. 2. 25

Page 2: OAEP Reconsidered

Introduction

● RSA-OAEP is the industry-wide standard for public-key encryption (PKCS)

● Is OAEP secure?

● This paper claims that OAEP may be insecure in certain environments

● OAEP+

Page 3: OAEP Reconsidered

Contents

● Introduction
● Attack Scenario
● OAEP
● OAEP Insecurity
● OAEP+
● Conclusion

Page 4: OAEP Reconsidered

Chosen Ciphertext Attack (CCA)

● CCA1 : Lunchtime attack

● CCA2 : Adaptive Chosen Ciphertext Attack

[Diagram: decryption oracle; ciphertexts C0, C1, …, Cn; plaintexts P0, P1, …, Pn; analysis]

[Diagram: decryption oracle; ciphertexts Ci, Ci+1, …; analysis; plaintexts Pi, Pi+1, …]

Page 5: OAEP Reconsidered

Attack Scenario

● Stage 1
  ● Key generator → public key, private key

● Stage 2
  ● Adv. chooses ciphertexts, y
  ● Decryption oracle gives plaintexts using private key

Page 6: OAEP Reconsidered

Attack Scenario

● Stage 3

[Diagram: encryption oracle; inputs x0, x1; random selection of b ∈ {0, 1}; xb; output y*]

Page 7: OAEP Reconsidered

Attack Scenario

● Stage 4
  ● Adv. continues to submit y to decryption oracle
  ● y ≠ y*

● Stage 5
  ● Adv. outputs b’ ∈ {0, 1}

● Adversary’s advantage
  ● | Pr[b’=b] – ½ |

Page 8: OAEP Reconsidered

Malleability

● Malleable
  ● if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext

● Security against adaptive chosen ciphertext attacks (CCA2) is equivalent to non-malleability

● Indistinguishable (IND)
  ● IND-CCA2

Page 9: OAEP Reconsidered

OAEP (Optimal Asymmetric Encryption Padding)

● Encrypt message $x \in \{0,1\}^n$ into $y \in \{0,1\}^k$, $k = n + k_0 + k_1$

● Make two functions
  ● $G: \{0,1\}^{k_0} \to \{0,1\}^{n+k_1}$
  ● $H: \{0,1\}^{n+k_1} \to \{0,1\}^{k_0}$

● Key generation
  ● Run the one-way trapdoor permutation scheme
  ● Obtain public key f and private key g

Page 10: OAEP Reconsidered

OAEP Encryption

Page 11: OAEP Reconsidered

OAEP Decryption

Page 12: OAEP Reconsidered

OAEP Insecurity

● Suppose we can invert f

● Except the permutation, OAEP is XOR-malleable

$w^* = f^{-1}(y^*)$, $s^* \| t^* = w^*$

[Diagram: y* → decryption oracle → x*; y → decryption oracle → x; x, x*]

$s = s^* \oplus (\ldots \| 0^{k_1})$

$t = t^* \oplus H(s^*) \oplus H(s)$

$w = s \| t$

$y = f(w)$

Page 13: OAEP Reconsidered

OAEP Insecurity

● In attack scenario,
  ● Choose two messages with
  ● Transform y* into y (∵ malleability)
  ● Submit y to decryption oracle to obtain x
    ● It is definitely different from y*
    ● x equals x0 or x1, and choose the other one
    ● Adversary always finds the correct answer

● Adversary’s advantage = 1/2

10 xx

Page 14: OAEP Reconsidered

OAEP Insecurity

● OAEP may be insecure under IND-CCA2
  ● XOR-malleable permutation

● RSA-OAEP
  ● Adapt RSA permutation to OAEP
  ● Secure under IND-CCA2

Page 15: OAEP Reconsidered

OAEP+

● Advanced version of OAEP
● Use another hash rather than padding 0’s
● As efficient as OAEP
● Secure under IND-CCA2
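
The attack from the "OAEP Insecurity" slides and the effect of the OAEP+ change, as an added Python sketch that is not part of the original slides. Assumptions of this example: 16-byte sizes, SHAKE-256 for G, H and the extra hash H2, a toy permutation f(s||t) = s || (t XOR KEY) that is XOR-malleable and leaves s in the clear (so the attacker never inverts f), OAEP+ redundancy taken as H2(r||x), and the names `delta`, `maul` and `cca2_guess`.

```python
import hashlib, os

N, K0, K1 = 16, 16, 16   # byte lengths of message x, randomness r, redundancy (assumed sizes)

def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))
def _h(tag, data, n): return hashlib.shake_256(tag + data).digest(n)
def G(r): return _h(b"G", r, N + K1)        # G: {0,1}^k0 -> {0,1}^(n+k1)
def H(s): return _h(b"H", s, K0)            # H: {0,1}^(n+k1) -> {0,1}^k0
def H2(r, x): return _h(b"H'", r + x, K1)   # extra hash, used only by the OAEP+ variant

# Toy trapdoor "permutation" (assumption): f(s||t) = s || (t XOR KEY). Not one-way in practice.
KEY = os.urandom(K0)
def f(w): return w[:N + K1] + xor(w[N + K1:], KEY)
f_inv = f   # XOR with KEY is its own inverse; only the key holder can apply it

def encrypt(x, plus=False):
    r = os.urandom(K0)
    s = xor(x, G(r)[:N]) + H2(r, x) if plus else xor(x + bytes(K1), G(r))
    return f(s + xor(r, H(s)))               # w = s || t with t = r XOR H(s)

def decrypt(y, plus=False):
    w = f_inv(y)
    s, t = w[:N + K1], w[N + K1:]
    r = xor(t, H(s))
    if plus:                                 # OAEP+: redundancy depends on r and x
        x = xor(s[:N], G(r)[:N])
        return x if s[N:] == H2(r, x) else None
    pad = xor(s, G(r))                       # OAEP: redundancy is the constant 0^k1
    return pad[:N] if pad[N:] == bytes(K1) else None

def maul(y_star, delta):
    """Turn y* into y != y* using only public data and f's XOR-malleability."""
    s_star, c = y_star[:N + K1], y_star[N + K1:]
    s = xor(s_star, delta + bytes(K1))       # s = s* XOR (delta || 0^k1)
    return s + xor(c, xor(H(s_star), H(s)))  # t = t* XOR H(s*) XOR H(s), applied through f

def cca2_guess(y_star, x0, x1, plus=False):
    """Stages 4-5: one decryption query on y != y*; returns b', or None if y is rejected."""
    y = maul(y_star, xor(x0, x1))
    assert y != y_star
    x = decrypt(y, plus)                     # stands in for the decryption oracle
    return None if x is None else (1 if x == x0 else 0)
```

With plain OAEP the mauled ciphertext keeps r unchanged and still ends in 0^k1, so the oracle answers and the guess is always right; with the OAEP+ check the redundancy no longer matches and the query is rejected.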

Page 16: OAEP Reconsidered

Conclusion

● OAEP is not always secure under IND-CCA2

● RSA-OAEP/OAEP+ are secure under IND-CCA2

● Malleability
  ● Attack on relationship between ciphertexts
  ● Introduce methodology of ‘secure’

Page 17: OAEP Reconsidered

Q & A