Public Key Cryptography
-
Upload
gannon-potter -
Category
Documents
-
view
34 -
download
0
description
Transcript of Public Key Cryptography
![Page 1: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/1.jpg)
History Elementary Number Theory RSA DH ECC Others
1
![Page 2: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/2.jpg)
Key management Keep private key in secret Over complete graph with n nodes, nC2 = n(n-1)/2 pairs
secret keys are required. (Ex.) n=100, 99 x 50 = 4,950 keys
2
b
a
c d
e (a,b), (a,c), (a,d), (a,e), (b,c),
(b,d), (b,e), (c,d), (c,e), (d,e)
![Page 3: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/3.jpg)
Merkle registered Fall 1974 for L. Hoffman’s course in computer security at UC, Berkeley.
Hoffman wanted term papers & proposal. Merkle addressed “Establishing secure communications
between separate source sites over insecure communication lines”
Hoffman didn’t understand Merkle’s proposal and asked him to write precisely 2 times.
Merkle dropped the course, but continued working. Key idea : Hiding a key in a large collection of puzzles.
(Later he proposed knapsack PKC) Secure Communication over Insecure Channels” CACM, pp.294-299,1978.
3
![Page 4: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/4.jpg)
4
![Page 5: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/5.jpg)
One-way function Given x, easy to compute f(x). Difficult to compute f-1(x) for given f(x).
5
f(x)
Easy ^^
Difficult ????
Ex) f(x)= 7x21 + 3x3 + 13x2+1 mod (215-1)
![Page 6: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/6.jpg)
Trapdoor one-way function Given x, easy to compute f(x) Given y, difficult to compute f-1(y) in general Easy to compute f-1(y) for given y to only who knows
certain information called as “trapdoor information”
6
x f(x)
Easy ^^
Trapdoor info.
Easy ^^
![Page 7: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/7.jpg)
Use private and public keys Given public key, easy to compute -> anyone can lock. Only those who has private key compute its inverse ->
only those who has it can unlock, vice versa.
7
P DE() D()
Key
Attacker
P
KeKd
C P
C=E(P, Ke) P=D(C, Kd )
Insecure channel
Key
![Page 8: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/8.jpg)
Diffie & Hellman, “New directions in Cryptography”, IEEE Tr. on IT. ,Vol. 22, pp. 644-654, Nov., 1976.(*)
Terminology◦ 2-key or Asymmetric Cryptosystem ◦ PKC (Public-Key Cryptosystem)
- private(secret) key, public key Charateristics
◦ Need Public key directory or CA◦ Slow operation relative to symmetric cryptosystem
* James Ellis, “The possibility of non-secret encryption”, 1970, - released by British GCHQ (Gov’t Comm. Headquarters), Unclassified 1997
8
![Page 9: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/9.jpg)
For Privacy
- Encrypt M with Bob’s public key : C = eK(Bp,M)
- Decrypt C with Bob’s private key : D = dK(Bs,C)
* Anybody can generate C, but only B can recover C to M.
9
ek( , ) M
BP
dk( , ) C
M
BS
Public directory
Alice : Ap
Bob : Bp
Chaum : Cp
. .
![Page 10: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/10.jpg)
10
For authentication (Digital Signature)
dk( , ) M
As
ek( , ) C M
Ap
Alice : Ap
Bob : Bp
Chaum : Cp
. .
Public directory
- Encrypt M with Alice’s private key : C = dK(As,M)
- Decrypt C with Alice’s public key : D = eK(Ap,C)
* Only Alice can generate C, but anybody can verify C.
![Page 11: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/11.jpg)
11
Hybrid use with symmetric cryptosystem ◦ Data encryption – symmetric ◦ Key management - asymmetric
Authentication Identification Non-Repudiation Applicable to other cryptographic protocols (e-
mail, e-cash, e-voting, etc.)
![Page 12: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/12.jpg)
Number theory-based PKC◦ Diffie-Hellman(’77)◦ RSA scheme (‘78) : R.L.Rivest, A.Shamir, L.Adleman, “A Method for Obtaining Digital Signatures and Public Key
Cryptosystems”,CACM, Vol.21, No.2, pp.120-126,Feb,1978 ◦ Rabin scheme (‘79) : breaking = factorization◦ ElGamal scheme (‘85): probabilistic
Knapsack-based PKC (NP problem)◦ Merkle-Hellman(79), Chor-Rivest(’83), etc
McEliece scheme (‘78) : coding theory
Elliptic Curve Cryptosystem(‘85): Koblitz, Miller Polynomial-based PKC
◦ C*(’90-) : Matsumoto-Imai, Patarin◦ Lattice Cryptography(’97-): NTRU
Non Abelian group Cryptography(’00-): Braid group
12
![Page 13: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/13.jpg)
Factorization: Given a positive integer n, find its prime factor. RSA problem (or inversion): Given a positive integer n (=pq),
e holding gcd(e, (p-1)(q-1))=1 and c, find m s.t., me = c mod n.
DLP: Given a prime p, a (generator of Zp* ) and y , find x s.t.
ax = y mod p DHP: Given a prime p, a (generator of Zp
* ), ax mod p and ay mod p. find axy mod p.
QRP: Given an odd composite integer n and a with Jacobian(a/n)=1, decide whether a is QR mod n or not.
SQROOT: Given a composite integer n and a in Q n( set of QR mod n) , find a square root of a mod n i.e., x2 = a mod n
Subset Sum: Given a set of positive integers {a1, a2, …, an} and s, determine whether subset of aj that sums to
* subexponential problem : O(exp c sqrt { log(n) log(log(n) )}
13
![Page 14: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/14.jpg)
14
Symmetric Asymmetric
Key relation
Enc. Key
Dec. key
Algorithm
Typical ex.
Key Distribution
Number of keys
E/D Speed
Enc. key = Dec. key
Secret
Secret
Secret Public
SKIPJACK AES
Req’d(X)
Many(X),keep many partners’ secret key
Fast(O)
Enc. Key Dec. key
Public {private}
Private, {public}
Public
RSA
Not req’d (O)
Small(O), keep his pri. key only
Slow(X)
O : meritX : demerit
![Page 15: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/15.jpg)
15
Elementary Number TheoryElementary Number Theory
![Page 16: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/16.jpg)
Let Z denote the set of all integers. Division Theorem (a,b Z)
◦ For nonzero b, q,r Z s.t. a=qb+r, 0 ≤ r <b Divide
◦ b divides a, or b|a iff cZ s.t. a=bc (i.e. r=0)◦ If a|b, then a|bc◦ If a|b and a|c, then a|(bx+cy)◦ If a|b and b|a then a= b◦ If a|b and b|c, then a|c
Prime◦ An integer p is called prime if its divisors are 1 and p◦ If a prime p divides ab, then p|a or p|b
16
![Page 17: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/17.jpg)
Congruence◦ Def) a b (mod n) iff n|(a-b) (i.e. (a%n)=(b%n))◦ a a◦ a b iff b a◦ If a b and b c then a c
Residue Class Group: Zn={xZ| 0 ≤ x< n}◦ Addition: a+b = (a+b mod n)◦ Multiplication: ab =(ab mod n)◦ Closed under addition, subtraction, and multiplication◦ Closed under division if n is prime
17
![Page 18: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/18.jpg)
a=qb+r gcd(a,b)=gcd(b,r) Find gcd(a,b)
◦ a0=a, b0=b
◦ For j ≥ 0, aj+1=bj, bj+1=aj%bj
◦ When bk=0, stop and return gcd(a,b)=ak
◦ The number of iterations will be at most 1+2log2min{a,b}
◦ E.g.) gcd(4200,1485) Extended Euclidean Algorithm (EEA)
◦ Find s and t such that gcd(a,b)=sa+tb
Multiplicative inverse of a Zm
◦ The multiplicative inverse of a is a-1 Zm s.t.
aa-1=a-1a=1 mod m ◦ a-1=s if sa+tb=1
18
![Page 19: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/19.jpg)
Euler totient function◦ (n)=the number of positive integers < n with gcd(x,n)=1◦ (pe)=pe-1◦ (nm)= (n) (m)◦ (pq)=(p-1)(q-1)◦ m=i=1
n piei, (m)=i=1
n(piei - pi
ei -1)
Fermat Little Theorem◦ ap-1=1 mod p if gcd(a,p)=1
Euler Theorem◦ a(n)=1 mod n if gcd(a,n)=1◦ a(n)-1 is the multiplicative inverse of a mod n
19
![Page 20: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/20.jpg)
20
RSARSA
![Page 21: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/21.jpg)
21
![Page 22: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/22.jpg)
For large 2 primes p,q n=pq , (n)=(p-1)(q-1) : Euler phi ft.
◦ is a one-way function Select random e s.t. gcd((n), e) = 1 Compute ed = 1 mod (n) -> ed = k(n) +1 Public key = {e, n}, private key = {d, p,q} For given M in [0, n-1],
◦ Encryption, C = Me mod n ◦ Decryption, D = Cd mod n (Proof) Cd = (Me)d = Med = Mk(n) +1 = M {M(n)}k = M
* Clifford Cocks, “A note on non-secret encryption”, 1973- Unclassified by British GCHQ (Gov’t Com. Headquarters), 1997
22
![Page 23: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/23.jpg)
p=3, q=11 n = pq = 33, (n) =(p-1)(q-1)=2 x10 = 20 e = 3 s.t. gcd(e, (n) )=(3,20)=1 Choose d s.t. ed =1 mod(n), 3d=1mod 20, d=7 Public key ={e,n}={3,33}, private key ={d}={7}
M =5◦ C = Me mod n = 53 mod 33 =26◦ M =Cd mod n = 267 mod 33= 5
23
![Page 24: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/24.jpg)
p=2357, q=2551 n = pq = 6012707 (n) = (p-1)(q-1) = 6007800 e = 3674911 s.t. gcd(e, (n) )=1 Choose d s.t. ed =1 mod(n), d= 422191 M =5234673
◦ C = Me mod n = 5234673 3674911 mod 6012707 = 3650502 ◦ M =Cd mod n = 3650502 422191 mod 6012707 = 5234673
24
![Page 25: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/25.jpg)
p=2357, q=2551 n = pq = 6012707 (n) = (p-1)(q-1) = 6007800 e = 3674911 s.t. gcd(e, (n) )=1 Choose d s.t. ed =1 mod(n), d= 422191 M =5234673
◦ C = Me mod n = 5234673 3674911 mod 6012707 = 3650502 ◦ M =Cd mod n = 3650502 422191 mod 6012707 = 5234673
25
![Page 26: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/26.jpg)
Square-and-multiplyINPUT : g Zn, e=(etet-1…e1e0)2 Zn-1
OUPTUT : ge mod n
1. A =1 2. For i from t down to 0 do the following 2.1 A = A A mod n 2.2 If ei=1, then A = A g mod n 3. Return(A)
26
![Page 27: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/27.jpg)
(Ex) g283, t=8, 283=(100011011)2
i 8 7 6 5 4 3 2 1 0 ei 1 0 0 0 1 1 0 1 1 A g g2 g4 g8 g17 g35 g70 g141 g283
Complexity◦ t+1 : bit length of e◦ wt(e) : Hamming weight of e
t+1 times: A*A mod n , wt(e)-1 times: g * A mod n 0 ≤ wt(e)-1 < |e| |e|/2 in average
◦ e.g.) |n|=1024 requires 1536 modular multiplication
27
![Page 28: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/28.jpg)
Those who know p and q want to compute M=Cd mod n where n = pq efficiently.
Compute Cd mod p, Cd mod q using Chinese
Remainder Theorem(CRT)◦ d1=d mod (p-1) M1=Cd mod p=Cd1 mod p ◦ d2=d mod (q-1) M2=Cd mod q=Cd2 mod q◦ Use CRT to compute M from M1 and M2
since M=M1 mod p and M=M2 mod q 4 times faster than direct computation
28
![Page 29: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/29.jpg)
29
RSA Parameter GenerationRSA Parameter Generation
![Page 30: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/30.jpg)
(x) : # of primes in [2,x] ~ x / ln(x) Probabilistic Prime Generation (1) Generate candidate random # (2) Test for primality (3) If composite, goto step (1) Pseudo Prime (composite passing Fermat test) Ex) 341=11x31, 2341-1 = 1 mod 341
Agrawal, Kayal and Saxena proved that polynomial time deterministic algorithm for primality testing in 2002, but in practice still by randomized polynomial-time Monte Carlo algorithm such as Solovay-Strassen and Miller-Rabin algorithm. (p.178)
30
![Page 31: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/31.jpg)
Fermat Test(n,t)Input : odd int. n 3, security parameter : tOutput : prime or composite
1. For i=1 to t 1.1 Choose random a, 2 a n-2. 1.2 Compute r=an-1 mod n 1.3 If r 1 then return(“composite”)2. Return(“prime”)
31
![Page 32: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/32.jpg)
Solovay-Strassen Test(n,t)Input : odd int. a 3, security parameter : tOutput : “prime” or “composite”1. For i=1 to t 1.1 Choose random a, 2 a n-2 1.2 Compute r=a(n-1)/2 mod n 1.3 If r 1 and r n-1 then return (“composite”) 1.4 Compute Jacobi symbol s =(a/n) 1.5 If r s mod n then return(“composite”)2. Return(“prime)
32
![Page 33: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/33.jpg)
Miller-Rabin Test(n,t):Input : odd int. a 3, security parameter : tOutput : “prime” or “composite” 1. Write n-1 = 2s r such that r is odd. 2. For i =1 to t 2.1 Choose random integer a, 2 a n-2 2.2 Compute y=ar mod n 2.3 If y 1 and y n-1 then j=1 while j s-1 and y n-1 do compute y = y2 mod n If y=1 then return(“composite”) j=j+1 If y n-1 then return(“composite”) 3. Return(“prime”)
33
![Page 34: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/34.jpg)
Trial Division (or Seive)◦For given n, divide n by every prime number
upto n◦If n < 1012 (=240), this is reasonable. Otherwise, need to use sophisticated tool.
34
![Page 35: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/35.jpg)
Pollard’s p-1 method◦ ap-1=1 mod p p | gcd(N,ap-1-1) when N=pq◦ If p-1 | M!, then p | gcd(N,aM!-1)◦ An integer n is called M-smooth if all prime divisor of n is =<M
AlgorithmInput : composite int. n that is not a prime power.Output : Non-trivial factor d of n 1. Select smoothness bound B 2. Select random integer a, 2 a n-1, compute d = gcd(a,n). If d 2
then return(d) 3. For each prime q B do 3.1 Compute l = ln n / ln q 3.2 Compute a = aql mod n 4. Compute d = gcd(a-1,n) 5. If d=1 or d=n, then terminate with failure. Otherwise, return(d)
35
![Page 36: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/36.jpg)
General Purpose (n = 10120)◦ Random Divide Factoring
Find x and y s.t. x2 = y2 mod n Compute gcd(x-y,n) Since n | (x-y)(x+y), the gcd is neither 1 nor n with prob. ½ for n=pq
◦ Quadratic Sieve O(exp(1+o(1))sqrt{ln n ln ln n})◦ Number Field Sieve O(exp(1+o(1))sqrt{2 ln n ln ln n})
Special Purpose (p=1040)◦ Pollard p-1 method◦ William’s p+1 method
◦ Elliptic Curve : O(exp(1+o(1))sqrt{2 ln n ln ln n}) o(1) : ft of n that approach 0 as n ->
36
![Page 37: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/37.jpg)
37
Digits Year MIPS-year Algorithm
RSA-100
RSA-110
RSA-120
RSA-129
RSA-130
RSA-140
RSA-155
RSA-160
RSA-174*2
‘91.4.
‘92.4.
‘93.6.
‘94.4.(AC94)
‘96.4.(AC96)
‘99.2 (AC99)
’99.8
’03.1
’03.12
7
75
830
5,000
?
?
8,000
Q.S.
Q.S
Q.S.
Q.S.
NFS
NFS
GNFS
Lattice Sieving+HW
Lattice Sieving +HW
•MIPS : 1 Million Instruction Per Second for 1 yr = 3.1 x 1013 instruction. *2: 576bit•http://www.rsasecurity.com./rsalabs , expectation : 768-bit by 2010, 1024-bit by 2018
![Page 38: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/38.jpg)
38
Date: Tue, 1 Apr 2003 14:05:10 +0200 From: Jens Franke Subject: RSA-160 We have factored RSA160 by gnfs. The prime factors are: p=45427892858481394071686190649738831\ 656137145778469793250959984709250004157335359 q=47388090603832016196633832303788951\ 973268922921040957944741354648812028493909367 The prime factors of p-1 are 2 37 41 43 61 541 13951723 7268655850686072522262146377121494569334513 and 104046987091804241291 . The prime factors of p+1 are 2^8 5 3 3 13 98104939 25019146414499357 3837489523921 and 128817892337379461014736577801538358843 . The prime factors of q-1 are 2 9973 165833 11356507337369007109137638293561 369456908150299181 and 3414553020359960488907. The prime factors of q+1 are 2^3 3 3 13 82811 31715129 7996901997270235141 and 2410555174495514785843863322472689176530759197. The computations for the factorization of RSA160 took place at the Bundesamt für Sicherheit in der Informationstechnik (BSI) in Bonn. Lattice sieving took place between Dec. 20, 2002 and Jan. 6, 2003, using 32 R12000 and 72 Alpha EV67. The total yield of lattice sieving was 323778082. Uniqueness checks reduced the number of sieve reports to 289145711. After the filtering step, we obtained an almost square matrix of size with 5037191 columns. Block Lanczos for this matrix took 148 hours on 25 R12000 CPUs. The square root steps took an average of 1.5 hours on a 1.8 GHz P4 CPU, giving the factors of RSA160 after processing the 6-th lanczos solution.
F. Bahr J. Franke T. Kleinjung M. Lochter M. Böhm http://www.loria.fr/~zimmerma/records/rsa160
![Page 39: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/39.jpg)
1. |p| |q| to avoid ECM2. p-q must be large to avoid trial division3. p and q are strong prime
p-1 has large prime factor r (pollard’s p-1) p+1 has large prime factor (William’s p+1) r-1 has large prime factor (cyclic attack)
39
![Page 40: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/40.jpg)
Common modulus attack ◦ use m pairs of (ei, di) given n=pq
(Cryptanalysis)◦ User m1 : C1 = Me1 mod n
◦ User m2 : C2 = Me2 mod n
◦ If gcd(e1,e2)=1, there are a and b s.t. ae1 + be2 = 1.
Then, (C1)a(C2)b mod n = (Me1)a(Me2)b mod n
= Mae1+be2 mod n = M mod n
40
![Page 41: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/41.jpg)
Bit Security : partial information like {Jacobian, LSB, parity, half} of m leaked by the ciphertext c= mb mod n (p.216)
Semantic security : difficulty to get partial information (or distinguishability of 2 ciphertexts) under certain computational assumption
Special Attack◦ Cyclic attack fp(C)=C where f(x) = xe mod n ; if we know cycle p, we can recover the plaintext at collusion point.◦ Special form
Pr{C= k p or m q} = 1/p + 1/q -1/pq Pr{C= M} = 9/pq
◦ Exhaustive search of n or solve quadratic equation ◦ Low encryption exponent(e=3) Lattice attack◦ Multiplicative attack : (M1
e) (M2e) mod n = (M1 x M2 )
e mod n
41
![Page 42: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/42.jpg)
OAEP(Optimal Asymmetric Encryption Padding) by
Bellare and Rogaway in EC94 suggested ad hoc
methods of formatting blocks prior to RSA encryption. OAEP ties the security of RSA encryption closely to
that of the basic RSA operation. While existing message formatting methods for RSA
encryption have no known flaw, the provable security
aspects of OAEP are very appealing. PKC #1 V2.0 (1998)
42
![Page 43: Public Key Cryptography](https://reader035.fdocuments.us/reader035/viewer/2022062517/56813484550346895d9b646e/html5/thumbnails/43.jpg)
Let n=k-k0-k1 and f,G,H be such that f : {0,1}k -> {0,1}k ; trapdoor permutation, G : {0,1}k0 ->{0,1}n+k1 ; random generator, H :{0,1}n+k1 ->{0,1}k0 ; random hash function
To encrypt x {0,1}n, choose a random k0-bit r and compute the ciphertext y as y=f(x0k1 G(r) || r H(x0k1 G(r)))
The above encryption scheme achieves non-malleabibility and chosen-ciphertext security assuming that G and H are ideal (IND-CCA2).
OAEP+ by Schoup’01
43