RSA-OAEP Is Secure under the RSA Assumption

Fujisaki, Eiichiro; Okamoto, Tatsuaki; Pointcheval, David; Stern, Jacques

doi:10.1007/s00145-002-0204-y

Cited by 182 publications

(234 citation statements)

References 16 publications

(42 reference statements)

Supporting

Mentioning

226

Contrasting

Unclassified

Order By: Relevance

“…However, he proved that, when instantiated with low-exponent RSA, OAEP was IND-CCA2. This result was extended to arbitrary exponent RSA in [42].…”

Section: Defined By the Public-private Key Pair (P K Sk) A Public Kmentioning

confidence: 85%

“…Construction 2 and Theorem 2 offer a simple method to construct multicast schemes with guaranteed security using a whole class of existing primitives. For instance, both RSA-OAEP [42] and E G,H BR [39], which have been shown to be difficult to obtain threshold implementations with the same level of security, can be used to build multicast scheme with CCA2 security. This has never been achieved before.…”

Section: Decryption D: Given a Secret Key γ I And A Ciphertext ψ Thementioning

confidence: 99%

See 1 more Smart Citation

How to Construct Multicast Cryptosystems Provably Secure Against Adaptive Chosen Ciphertext Attack

Duan

Canny

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this paper we present a general framework for constructing efficient multicast cryptosystems with provable security and show that a line of previous work on multicast encryption are all special cases of this general approach. We provide new methods for building such cryptosystems with various levels of security (e.g., IND-CPA, IND-CCA2). The results we obtained enable the construction of a whole class of new multicast schemes with guaranteed security using a broader range of common primitives such as OAEP. Moreover, we show that multicast cryptosystems with high level of security (e.g. IND-CCA2) can be based upon public key cryptosystems with weaker (e.g. CPA) security as long as the decryption can be securely and efficiently "shared". Our constructions feature truly constant-size decryption keys whereas the lengths of both the encryption key and ciphertext are independent of group size.

show abstract

“…However, he proved that, when instantiated with low-exponent RSA, OAEP was IND-CCA2. This result was extended to arbitrary exponent RSA in [42].…”

Section: Defined By the Public-private Key Pair (P K Sk) A Public Kmentioning

confidence: 85%

Section: Decryption D: Given a Secret Key γ I And A Ciphertext ψ Thementioning

confidence: 99%

How to Construct Multicast Cryptosystems Provably Secure Against Adaptive Chosen Ciphertext Attack

Duan

Canny

2006

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Fujisaki, Okamoto, Pointcheval, and Stern [7] showed that the θ-partial one-wayness of RSA is equivalent to the (1-partial) one-wayness of RSA for θ > 0.5.…”

Section: The Rsa Family Of Trap-door Permutationsmentioning

confidence: 99%

“…Fujisaki, Okamoto, Pointcheval, and Stern [7] proved that OAEP with partial one-way permutations is secure in the sense of IND-CCA2 in the random oracle model. They also showed that RSA is one-way if and only if RSA is θ-partial one-way for θ > 0.5.…”

Section: Rsa-oaep and Its Universal Anonymizabilitymentioning

confidence: 99%

See 1 more Smart Citation

Universally Anonymizable Public-Key Encryption

Hayashi

Tanaka

2005

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We first propose the notion of universally anonymizable publickey encryption. Suppose that we have the encrypted data made with the same security parameter, and that these data do not satisfy the anonymity property. Consider the situation that we would like to transform these encrypted data to those with the anonymity property without decrypting these encrypted data. In this paper, in order to formalize this situation, we propose a new property for public-key encryption called universal anonymizability. If we use a universally anonymizable public-key encryption scheme, not only the person who made the ciphertexts, but also anyone can anonymize the encrypted data without using the corresponding secret key. We then propose universally anonymizable public-key encryption schemes based on the ElGamal encryption scheme, the Cramer-Shoup encryption scheme, and RSA-OAEP, and prove their security.

show abstract

Symmetric Cryptography

2003

Security in Fixed and Wireless Networks

View full text Add to dashboard Cite

Overall Objectives PresentationCryptographic algorithms are the equivalent of locks, seals, security stamps and identification documents on the Internet. They are essential to protect our on-line bank transactions, credit cards, medical and personal information and to support e-commerce and e-government. They come in different flavors. Encryption algorithms are essential to protect sensitive information such as medical data, financial information and Personal Identification Numbers (PINs) from prying eyes. Digital signature algorithms (in combination with hash functions) replace hand-written signatures in electronic transactions. A similar role can be played by MAC algorithms. Identification protocols allow to securely verify the identity of the party at the other end of the line. Therefore, cryptology is a research area with a high strategic impact for industries, individuals, and for the society as a whole.

show abstract

RSA-OAEP Is Secure under the RSA Assumption

Cited by 182 publications

References 16 publications

How to Construct Multicast Cryptosystems Provably Secure Against Adaptive Chosen Ciphertext Attack

How to Construct Multicast Cryptosystems Provably Secure Against Adaptive Chosen Ciphertext Attack

Universally Anonymizable Public-Key Encryption

Symmetric Cryptography

Contact Info

Product

Resources

About