M. Abdalla, M. Bellare, and P. Rogaway, "DHAES: An encryption scheme based on Diffie-Hellman problem", IEEE P1363a Submission, 1998, Available at http://grouper.ieee.org/groups/1363/addendum.html.
.... including non-malleability [9] were formalized and the relationship among them has been shown in [3]. Public key encryption schemes secure against the adaptive chosen ciphertext attack proposed so far include OAEP [5] (based on the RSA function), the Cramer-Shoup scheme [8] (based on DDHA), DHAES [1] (based on the hash Diffie-Hellman assumption (HDHA)) and the Fujisaki-Okamoto (F-O) scheme [12] (based on the security of any semantically secure public key encryption schemes against chosen plaintext attacks and therefore DDHA). Fujisaki and Okamoto [13] also proposed a generic method that ....
M. Abdalla, M. Bellare, and P. Rogaway, "DHAES: An encryption scheme based on Diffie-Hellman problem", IEEE P1363a Submission, 1998, Available at http://grouper.ieee.org/groups/1363/addendum.html.
.... symmetric key encryption scheme [4]. Next, Abdalla, Bellare, and Rogaway presented a more efficient hybrid encryption scheme, called DHAES, and prove that hybrid usage is secure in the IND-CCA2 sense in the random oracle model (or a strong assumption in the standard (not random oracle) model) [1]. Their scheme depends on the Diffie-Hellman key distribution scheme. Finally, Fujisaki and Okamoto showed a generic method to convert a secure public key encryption scheme and a secure symmetric key encryption scheme into a hybrid encryption scheme which is secure in the sense of IND-CCA2 in the ....
M. Abdalla, M. Bellare and P. Rogaway. "DHAES: An encryption scheme based on the Diffie-Hellman problem", submission to IEEE P1363.
.... Fig. 6. A discrete log tree. Remark 2. Issues such as a proper padding of K, have been omitted here for the sake of simplicity. Depending on the particular security requirements, we can substitute T with a better encoding of K as suggested, for example in [Abdalla et al. 1998]. The intermediate elements in the tree perform f a i k on their input S i k Gamma1 and send the resulting S i k value to their children, along with T, where: S i k = f a i k (S (i k Gamma1) Gamma S (i k Gamma1) Delta a i k mod p An example of this scheme is illustrated on the ....
Abdalla, M., Bellare, M., and Rogaway, P. 1998. DHAES: An encryption scheme based on the Diffie-Hellman problem. Submitted to IEEE P1363a.
....an active attack is possible (i.e. IND-CCA2, especially plaintext awareness does not hold) [12]. 1.4 On the Intractability of Factoring n = p^2 q. Although it is not known whether n = p^2 q is more tractable to factor than n = pq, some special algorithms to factor n = p^2 q have been studied [16, 17, 18, 1]. However, such techniques are specific on the elliptic curve factoring method (ECM) and the fastest algorithm for factoring both n = pq and n = p^2 q is the number field sieve (NFS) method, whose running time depends only on the composite size, |n|. Even these algorithms based on the ECM ....
.... 1408 OAEP-RSA 33 432 1152 1152

Table 3: Comparison of Efficiency (Type B Parameter)

Scheme         Encryption (#M(1152))   Decryption (#M(1152))   Key Length (bits)   Ciphertext Length (bits)
EPOC-1         364                     266                     1152                1152
EPOC-2 (OTP)   224                     188                     1152                1280
EPOC-3 (OTP)   224                     64                      1152                1408
OAEP-RSA       33                      432                     1152                1152

References
[1] Adleman, L.M. and McCurley, K.S. Open Problems in Number Theoretic Complexity, II (open problems: C7, O7a and O7b). Proc. of ANTS-I, LNCS 877, Springer-Verlag, pp. 291-322 (1995).
[2] Bellare, M., Desai, A., Pointcheval, D. and Rogaway, P. Relations Among Notions of Security for Public Key ....
[Article contains additional citation context not shown here]
M. Abdalla, M. Bellare, and P. Rogaway. DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem. Submission to IEEE P1363a. September 1998. Available from http://grouper.ieee.org/groups/1363/.
....secure the ciphertext leaks the Legendre symbol of the plaintext. 2 Padding (OAEP) which is known to be secure against a chosen ciphertext attack in the random oracle model [4]. Currently, there is no equivalent preprocessing standard for ElGamal encryption, although several proposals exist [1, 10, 16, 13]. Unfortunately, many textbook descriptions of RSA and ElGamal do not view these preprocessing functions as an integral part of the encryption scheme. Instead, common descriptions are content with an explanation of the plain systems. In this paper we give a simple, yet powerful, attack against ....
....The reason we refer to these schemes as plain ElGamal is that messages are encrypted as is. Our attacks show the danger of using the system in this way. For proper security one must preprocess the message prior to encryption or modify the encryption mechanism. For example, one could use DHAES [1] or a result due to Fujisaki and Okamoto [10] or even more recently [16, 13]. 3 Algorithms for multiplicative subgroup rounding. We are given an element u ∈ Z_p of the form u = z · Δ mod p where z is a random element of G_q and |Δ| 2^m. Our goal is to find Δ, which we ....
M. Abdalla, M. Bellare, P. Rogaway, "DHAES: An encryption scheme based on the Diffie-Hellman problem", manuscript, 1998.
....a ciphertext in such a way that the resulting plaintext is meaningfully related to the original one, as formalized in [11] and security against chosen ciphertext attacks. A simple, efficient scheme to achieve such encryption using RSA is OAEP [5]. A Diffie-Hellman based solution can be found in [1]. Note that the RSA PKCS #1 encryption standard can be broken under chosen ciphertext attacks [6] and is thus not suitable for our purposes. However we stress that plaintext aware encryption does not provide authentication in the manner of a signature, i.e. it does not provide non-repudiation. ....
M. Abdalla, M. Bellare and P. Rogaway. DHAES: An encryption scheme based on the Diffie-Hellman problem. Manuscript.