RSA Laboratories, "The Public-Key Cryptography Standards (PKCS)", RSA Data Security Inc., Redwood City, California, November 1993 Release.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....complexity of the overall reduction is t = t q G Delta q H Delta (T f O(1) where T f denotes the time complexity for evaluating function f . 6 Application to RSA OAEP The main application of OAEP is certainly the famous RSA OAEP, which has been used to update the PKCS #1 standard [14]. In his paper [15] Shoup was able to repair the security result for a small exponent, e = 3, using Coppersmith s algorithm from [5] However, our result can be applied to repair RSA OAEP, regardless of the exponent; thanks to the random self reducibility of RSA, the partial domain one wayness ....

....of the whole RSA problem, as soon as a constant fraction of the most significant bits (or the least significant bits) of the pre image can be recovered. We note that, in the original RSA OAEP [3] the most significant bits are involved in the H function, but in PKCS #1 standards v2.0 and v2.1 [14] and 12 RFC2437, the least significant bits are used: the value maskedSeedkmaskedDB is the input to f , the RSA function, where maskedSeed plays the role of t, and maskedDB the role of s. But we insist on the fact that the following result holds in both situations (and can be further extended) ....

RSA Data Security, Inc. Public Key Cryptography Standards -- PKCS.

....functions. Thus, the time complexity of the overall reduction is t = t qG q (Tf O(1) where Tf denotes the time complexity for evaluating function f. 6 Application to RSA OAEP The main application of OAEP is certainly the famous RSA OAEP, which has been used to update the PKCS #1 standard [14]. In his paper [15] Shoup was able to repair the security result for a small exponent, e 3, using Coppersmith s algorithm from [5] However, our result can be applied to repair RSA OAEP, regardless of the exponent; thanks to the random self reducibility of RSA, the partial domain one wayness ....

....of the whole RSA problem, as soon as a constant fraction of the most significant bits (or the least significant bits) of the pre image can be recovered. We note that, in the original RSA OAEP [3] the most significant bits are involved in the H function, but in PKCS #1 standards v2.0 and v2.1 [14] and RFC2437, the least significant bits are used: the value maskedSeed[ maskedDB is the input to f, the RSA function, where maskedSeed plays the role of t, and maskedDB the role of s. But we insist on the fact that the following result holds in both situations (and can be further extended) One ....

RSA Data Security, Inc. Public Key Cryptography Standards - PKCS.

....OAEP conversion method [5] was introduced by Bellare and Rogaway in 1994 and was believed to provide semantic security against adaptive chosenciphertext attacks [17, 27] based on the one wayness of a trapdoor permutation. Therefore, when Bleichenbacher published his attack on RSA PKCS #1 v1.5 [28, 7], OAEP was the only efficient and provably secure construction. RSA OAEP thus became the natural successor, the RSA PKCS #1 v2.0. Unfortunately, Shoup [30] recently showed that the security result was incomplete. More precisely, he gave a strong argument against the chosen ciphertext security ....

....respectively. Then, Succ (q H ; t ) is greater than where t t qG Delta q H Delta (T f O(1) and T f denotes the time complexity of function f . 4 RSA OAEP The main application of OAEP is certainly the famous RSA OAEP, which has been used to update the PKCS #1 standard [28], granted the believed security result. 4.1 Description: the RSAES OAEP The description of RSA OAEP seems straightforward, but one problem had to be dealt with, since the RSA function does not map any f0; 1g into f0; 1g . The RSAES OAEP proposal (in the PKCS #1 v2.0 standard, and in the ....

RSA Data Security, Inc. Public Key Cryptography Standards -- PKCS.

....scheme known until now. In spite of a recent paper [9] making people to be careful with the random oracle model, the security of OAEP has been widely agreed and became the new RSA encryption standard PKCS #1 v2.0 [27] Moreover, one can also remark that other IEEE P1363a candidates, namely EPOC [21] and PSEC [22] are also proven secure in the random oracle model. About, DHAES [1] the adaptive HDH independence assumption is quite non standard, and is somewhat similar to the random oracle model. Furthermore, an important feature of the random oracle model is to provide efficient reductions ....

....More recently, Fujisaki and Okamoto [16, 17] and Pointcheval [24] have presented other generic conversions from any weakly secure encryption scheme into chosen ciphertext secure ones. However the efficiency of the resulting scheme is not optimal. This drawback can be seen in the EPOC proposal [21]: the decryption phase requires a new encryption. However those schemes are the only encryption schemes provably secure relative to factorization or RSA. The present work describes the main scheme among those proposed in the paper published in Eurocrypt 99 [23] which are all provably secure ....

[Article contains additional citation context not shown here]

RSA Data Security, Inc. Public Key Cryptography Standards -- PKCS. Available from http://www.rsa.com/rsalabs/pubs/PKCS/.

....of the overall reduction is t 0 = t q G Delta q H Delta (T f O(1) where T f denotes the time complexity for evaluating function f . 13 6 Application to RSA OAEP The main application of OAEP is certainly the famous RSA OAEP, which has been used to update the PKCS #1 standard [14]. In his paper [15] Shoup was able to repair the security result for a small exponent, e = 3, using Coppersmith s algorithm from [5] However, our result can be applied to repair RSA OAEP, regardless of the exponent; thanks to the random self reducibility of RSA, the partial domain one wayness ....

....of the whole RSA problem, as soon as a constant fraction of the most significant bits (or the least significant bits) of the pre image can be recovered. We note that, in the original RSA OAEP [3] the most significant bits are involved in the H function, but in PKCS #1 standards v2.0 and v2.1 [14] and RFC2437, the least significant bits are used: the value maskedSeedkmaskedDB is the input to f , the RSA function, where maskedSeed plays the role of t, and maskedDB the role of s. But we insist on the fact that the following result holds in both situations (and can be further extended) One ....

RSA Data Security, Inc. Public Key Cryptography Standards -- PKCS.

....paper [6] making people to be careful with the random oracle model, the security of OAEP has been widely agreed. Indeed, this scheme is incorporated in SET, the Secure Electronic Transaction system [14] proposed by VISA and MasterCard, and will become the new RSA encryption standard PKCS #1 v2.0 [21]. Furthermore, an important feature of the random oracle model is to provide ecient reductions between a well studied mathematical problem and an attack. Therefore, the reduction validates protocols together with practical parameters. Whereas huge polynomial reductions, which can hardly be ....

RSA Data Security, Inc. Public Key Cryptography Standards { PKCS. Available from http://www.rsa.com/rsalabs/pubs/PKCS/.

....Bellare and Rogaway [3] proposed OAEP, a specific hash based treatment applicable to any one way trapdoor permutation to make it secure in the sense of NM CCA2. Standing in the random oracle model, their security proof is widely recognized and initiated the upcoming RSA based PKCS #1 V2.0 standard [19]. More recently, Fujisaki and Okamoto [10] discovered a generic conversion method which transforms any semantically secure encryption scheme into a scheme secure in the sense of NM CCA2 in the random oracle model. The conversion is low cost for encryption (one additional hash) but appears to be ....

RSA Data Security, Inc. Public Key Cryptography Standards -- PKCS. Available from http://www.rsa.com/rsalabs/pubs/PKCS/.

.... its application domain was restricted to trapdoor permutations, which is a very rare object (RSA seems to be the only one application) Nevertheless, it provided the most efficient RSA variant, the OAEP RSA scheme, provably chosenciphertext secure, and became the new RSA standard PKCS #1 [30]. At PKC 99, Fujisaki and Okamoto [13] proposed another conversion with further improvements [14, 27] It therefore seemed that the expected goal was reached: a generic conversion from any one way cryptosystem into a chosen ciphertext secure encryption scheme. However, the resulting scheme is not ....

....= H(c 1 ;R;m) Otherwise, it outputs Reject . Theorem 6. 1 The OCAC RSA encryption scheme is IND CCA in the random oracle model, under the RSA assumption (and the semantic security of the symmetric encryption scheme under the basic passive attack) This becomes the best alternative to OAEP RSA [3, 30], since E sym can simply be the one time pad but also any semantically secure encryption scheme to provide high speed rates. 6.2 The El Gamal Encryption Scheme 6.2.1 Description of the Original Scheme. In 1985, El Gamal [12] defined an asymmetric encryption scheme based on the Diffie Hellman ....

RSA Data Security, Inc. Public Key Cryptography Standards -- PKCS. Available from http://www.rsa.com/rsalabs/pubs/PKCS/.

....paper [6] making people to be careful with the random oracle model, the security of OAEP has been widely agreed. Indeed, this scheme is incorporated in SET, the Secure Electronic Transaction system [14] proposed by VISA and MasterCard, and will become the new RSA encryption standard PKCS #1 v2.0 [21]. Furthermore, an important feature of the random oracle model is to provide efficient reductions between a well studied mathematical problem and an attack. Therefore, the reduction validates protocols together with practical parameters. Whereas huge polynomial reductions, which can hardly be ....

RSA Data Security, Inc. Public Key Cryptography Standards -- PKCS. Available from http://www.rsa.com/rsalabs/pubs/PKCS/.

....notions of security. Thus, our results show that some recent encryption 12 schemes achieve a high level of multicast security requirement. In the random oracle model, one can mention the RSA base OAEP [3] from Bellare and Rogaway. It was recently adopted as a standard of encryption in the PKCS#1 [21, 5] speci cations. In the standard model of proofs, only the Cramer Shoup scheme [9] achieves proven security and practical e ectiveness. Finally, we point out some practical and straightforward applications of multi user secure encryption. This includes pay per view television, where a part of the ....

RSA Data Security, Inc. Public Key Cryptography Standards { PKCS. Available from http://www.rsa.com/rsalabs/pubs/PKCS/.

....Therefore OAEP RSA has been a long time the only practical cryptosystem secure against chosen ciphertext attacks. Then it has been incorporated in SET, the Secure Electronic Transaction system [19] proposed by VISA and Master Card, and has become the new RSA encryption standard PKCS #1 v2.0 [34]. The last few years, many new schemes has been proposed with proven security relative to decisional problems: the decisional Die Hellman problem [13] at PKC 98, Tsiounis Yung [38] proposed the rst El Gamal [15] based cryptosystem, but using an unproven assumption about the unforgeability ....

RSA Data Security, Inc. Public Key Cryptography Standards { PKCS. Available from http://www.rsa.com/rsalabs/pubs/PKCS/.

....notions of security. Thus, our results show that some recent encryption schemes achieve a high level of multicast security requirement. In the random oracle model, one can mention the RSA base OAEP [2] from Bellare and Rogaway. It was recently adopted as a standard of encryption in the PKCS#1 [19, 3] specifications. In the standard model of proofs, only the Cramer Shoup scheme [7] achieves proven security and practical effectiveness. Finally, we point out some practical and straightforward applications of multi user secure encryption. This includes payper view television, where a part of the ....

RSA Data Security, Inc. Public Key Cryptography Standards -- PKCS. Available from http://www.rsa.com/rsalabs/pubs/PKCS/.

No context found.

RSA Laboratories, "The Public-Key Cryptography Standards (PKCS)", RSA Data Security Inc., Redwood City, California, November 1993 Release.

No context found.

RSA Laboratories, "The Public-Key Cryptography Standards (PKCS)", RSA Data Security Inc., Redwood City, California, November 1993 Release.

No context found.

RSA Laboratories, "The Public-Key Cryptography Standards (PKCS)", RSA Data Security Inc., Redwood City, California, November 1993 Release.

No context found.

RSA Laboratories, "Public Key Cryptography Standards (PKCS)", RSA Data Security Inc. See ftp.rsa.com.

No context found.

RSA Data Security, Inc., "Public-Key Cryptography Standards (PKCS)," Nov 93.

No context found.

RSA Data Security, Inc., "Public-Key Cryptography Standards (PKCS)," Nov 93.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC