OAEP Is Secure under Key-Dependent Messages

Backes, Michael; Dürmuth, Markus; Unruh, Dominique

doi:10.1007/978-3-540-89255-7_31

Cited by 29 publications

(39 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We note that the definition of security by Backes et al [BDU08] is somewhat stronger in that it allows the adversary to obtain some secret keys. To benefit from this in practice, the users need to carefully keep track of which keys were compromised, and which keys are related to each other via key-wrap.…”

Section: Kdm-cpamentioning

confidence: 98%

See 1 more Smart Citation

A Public Key Encryption Scheme Secure against Key Dependent Chosen Plaintext and Adaptive Chosen Ciphertext Attacks

Camenisch¹,

Chandran²,

Shoup³

2009

Advances in Cryptology - EUROCRYPT 2009

121

139

View full text Add to dashboard Cite

Recently, at Crypto 2008, Boneh, Halevi, Hamburg, and Ostrovsky (BHHO) solved the longstanding open problem of "circular encryption," by presenting a public key encryption scheme and proving that it is semantically secure against key dependent chosen plaintext attack (KDM-CPA security) under standard assumptions (and without resorting to random oracles). However, they left as an open problem that of designing an encryption scheme that simultaneously provides security against both key dependent chosen plaintext and adaptive chosen ciphertext attack (KDM-CCA2 security). In this paper, we solve this problem. First, we show that by applying the Naor-Yung "double encryption" paradigm, one can combine any KDM-CPA secure scheme with any (ordinary) CCA2 secure scheme, along with an appropriate non-interactive zero-knowledge proof, to obtain a KDM-CCA2 secure scheme. Second, we give a concrete instantiation that makes use the above KDM-CPA secure scheme of BHHO, along with a generalization of the Cramer-Shoup CCA2 secure encryption scheme, and recently developed pairing-based NIZK proof systems. This instantiation increases the complexity of the BHHO scheme by just a small constant factor.

show abstract

Section: Kdm-cpamentioning

confidence: 98%

“…Backes, Pfitzmann and Scedrov [BPS07] and Backes, Dürmuth and Unruh [BDU08] considered KDM-CCA2 security of symmetric and asymmetric encryption schemes, respectively. They in fact define a notion of security stronger than we consider in our paper, by allowing the adversary to obtain some of the secret keys.…”

Section: Introductionmentioning

confidence: 99%

A Public Key Encryption Scheme Secure against Key Dependent Chosen Plaintext and Adaptive Chosen Ciphertext Attacks

Camenisch¹,

Chandran²,

Shoup³

2009

Advances in Cryptology - EUROCRYPT 2009

121

139

View full text Add to dashboard Cite

show abstract

“…Researchers then asked for what classes of message-deriving functions one could achieve KDM security in the standard model, providing results for both symmetric and asymmetric encryption under different assumptions [19,36,4,21,23,20,7,25,17,3,38]. On the more practical side, Backes, Dürmuth and Unruh [5] show that RSA-OAEP [13,28] is KDM-secure in the RO model. Backes, Pfitzmann and Scedrov [6] treat active attacks and provide and relate a number of different notions of security.…”

Section: Impossibility Resultsmentioning

confidence: 99%

Authenticated and Misuse-Resistant Encryption of Key-Dependent Data

Bellare

Keelveedhi

2011

Advances in Cryptology – CRYPTO 2011

View full text Add to dashboard Cite

Abstract. This paper provides a comprehensive treatment of the security of authenticated encryption (AE) in the presence of key-dependent data, considering the four variants of the goal arising from the choice of universal nonce or random nonce security and presence or absence of a header. We present attacks showing that universal-nonce security for key-dependent messages is impossible, as is security for key-dependent headers, not only ruling out security for three of the four variants but showing that currently standarized and used schemes (all these target universal nonce security in the presence of headers) fail to provide security for key-dependent data. To complete the picture we show that the final variant (random-nonce security in the presence of key-dependent messages but key-independent headers) is efficiently achievable. Rather than a single dedicated scheme, we present a RO-based transform RHtE that endows any AE scheme with this security, so that existing implementations may be easily upgraded to have the best possible seurity in the presence of key-dependent data. RHtE is cheap, software-friendly, and continues to provide security when the key is a password, a setting in which key-dependent data is particularly likely. We go on to give a key-dependent data treatment of the goal of misuse resistant AE. Implementations are provided and show that RHtE has small overhead.

show abstract

“…Over the last few years we have seen a large number of sophisticated schemes to address the (challenging) problem of encryption of key-dependent data (e.g., [22,28,5,4,32,33,21,7,59,3,30,31,13,46,55]). The most touted application is secure outsourced storage, where Alice's decryption key, or some function thereof, is in a file she is encrypting and uploading to the cloud.…”

Section: Introductionmentioning

confidence: 99%

Key-Versatile Signatures and Applications: RKA, KDM and Joint Enc/Sig

Bellare

Meiklejohn

Thomson

2014

Advances in Cryptology – EUROCRYPT 2014

View full text Add to dashboard Cite

This paper introduces key-versatile signatures. Key-versatile signatures allow us to sign with keys already in use for another purpose, without changing the keys and without impacting the security of the original purpose. This allows us to obtain advances across a collection of challenging domains including joint Enc/Sig, security against related-key attack (RKA) and security for key-dependent messages (KDM). Specifically we can (1) Add signing capability to existing encryption capability with zero overhead in the size of the public key (2) Obtain RKA-secure signatures from any RKA-secure one-way function, yielding new RKA-secure signature schemes (3) Add integrity to encryption while maintaining KDM-security.

show abstract

OAEP Is Secure under Key-Dependent Messages

Cited by 29 publications

References 36 publications

A Public Key Encryption Scheme Secure against Key Dependent Chosen Plaintext and Adaptive Chosen Ciphertext Attacks

A Public Key Encryption Scheme Secure against Key Dependent Chosen Plaintext and Adaptive Chosen Ciphertext Attacks

Authenticated and Misuse-Resistant Encryption of Key-Dependent Data

Key-Versatile Signatures and Applications: RKA, KDM and Joint Enc/Sig

Contact Info

Product

Resources

About