## A Proposal for an ISO Standard for Public Key Encryption (version 2.0) (2001)

Citations: 111 (3 self)

### BibTeX

```bibtex
@MISC{Shoup01aproposal,
  author = {Victor Shoup},
  title  = {A Proposal for an ISO Standard for Public Key Encryption (version 2.0)},
  year   = {2001}
}
```

### Abstract

This document should be viewed less as a first draft of a standard for public-key encryption, and more as a proposal for what such a draft standard should contain. It is hoped that this proposal will serve as a basis for discussion, from which a consensus for a standard may be formed.

### Citations

Each entry gives the CiteSeerX citation count of the cited work, then title - authors - year, followed by the passage of the proposal in which that work is cited.

1332 | Random Oracles are Practical: A Paradigm for Designing Efficient Protocols - Bellare, Rogaway - 1993
Citation context: ...adversary and the algorithms implementing the cryptosystem have “oracle access.” This approach has been used implicitly and informally for some time; however, it was formalized by Bellare and Rogaway [BR93], and has subsequently been used quite a bit in the cryptographic research community. We should stress, however, that the random oracle model is not just “another assumption,” like assuming that a has...

461 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack - Cramer, Shoup - 1998
Citation context: ...and a few other specific assumptions about the hash and key derivation functions. The security reduction is quite tight. One can easily verify the following, following the line of reasoning in [CS98] and [Sho00]:

$$\mathrm{Advantage}_{\mathrm{ACE\text{-}KEM}}(A) = O\!\left(\mathrm{Advantage}_{\mathrm{DDH}}(A_1) + \mathrm{Advantage}_{\mathrm{Hash}}(A_2) + \mathrm{Advantage}_{\mathrm{KDF}}(A_3) + q_D \cdot \mu^{-1}\right),$$

where: • $A_1, A_2, A_3$ denote adversaries that run in time essentially the same as $A$. • A...

449 | Relations Among Notions of Security for Public-Key Encryption Schemes - Bellare, Desai, et al. - 1998

448 | Nonmalleable cryptography - Dolev, Dwork, et al. - 2006

339 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack - Rackoff, Simon - 1992
Citation context: ...mes, it is widely agreed that the “right” notion of security for a scheme intended for general-purpose use is that of security against adaptive chosen ciphertext attack. This notion was introduced in [RS91], and implies other useful properties, like non-malleability. See [DDN91, DDN98, BDPR98] for further discussion. In this document, this will be the relevant notion of security used for judging the sec...

238 | Optimal asymmetric encryption - Bellare, Rogaway - 1994
Citation context: ...ose to be included in the standard. 1.4.1 RSA-OAEP, RSA-OAEP+, and RSA-KEM. RSA-OAEP is the fairly well-established RSA encryption scheme, using the padding scheme OAEP invented by Bellare and Rogaway [BR94], with enhancements and refinements due to Johnson and Matyas [JM96]. The submission coincides with the standards PKCS #1 v2.0 and IEEE P1363. One of the main supposed virtues of this scheme was an...

220 | Lower bounds for discrete logarithms and related problems - Shoup - 1997
Citation context: ...for the CDH problem that produces a list of length at most $l$, we let $\mathrm{Advantage}_{\mathrm{CDH}}(A, l)$ denote the probability that this list contains a correct solution to the input problem instance. Note that in [Sho97], it is shown how to take an algorithm $A$ with $\epsilon = \mathrm{Advantage}_{\mathrm{CDH}}(A, l)$, and transform this into an algorithm $A'$ that produces a single output that for all inputs is correct with probability $1 - \delta$. The...

196 | The decision Diffie-Hellman problem - Boneh - 1998
Citation context: ...$\mathrm{Advantage}_{\mathrm{DDH}}(A) = \lvert \Pr[A(X_R) = 1] - \Pr[A(X_D) = 1] \rvert$. The DDH assumption is that this advantage is negligible for all efficient algorithms. The DDH problem is “random self-reducible” (see [Sta96] and [NR97]). See [Bon98] and [NR97] for further discussion of the DDH. 14.3 The Gap-CDH Problem. The submitters of the PSEC scheme have proposed a new computational assumption, called the gap-CDH assumption. This is the assum...

189 | Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack - Cramer, Shoup - 2001
Citation context: ...ility must be added into this estimate as well. It follows that if KEM and DEM are secure, then so is H-PKE. For a detailed proof of a slight variant of this security claim, the reader is referred to [CS01]. The situation in that paper is slightly different from the one here, because the notion corresponding to a DEM in that paper does not incorporate the use of a label. Nevertheless, the security proof...
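The passage above describes the hybrid construction H-PKE: a KEM produces a fresh symmetric key and its encapsulation, a DEM encrypts the message under that key, and the DEM additionally binds a label to the ciphertext. The block below is an added example written for this page; it is not code from Shoup's proposal or from the cited paper. It assumes a Diffie-Hellman KEM over a constructed 10-bit Schnorr group (no security, chosen only so the structure is readable), SHAKE-256 as the KDF, and an encrypt-then-MAC DEM (SHAKE-256 keystream plus HMAC-SHA256 over the length-prefixed label and ciphertext). Everything else, including the function names, is illustrative.

```python
import hashlib
import hmac
import secrets

# Toy Schnorr group p = 2q + 1 (p, q prime), g of prime order q.
# These 10-bit parameters are constructed for the demo and offer NO security;
# a real deployment uses a 2048-bit group or an elliptic curve. The point is
# the KEM/DEM structure and the label binding, not the group.
P = 1019
Q = 509
G = 4          # 4 = 2^2 is a square mod P, hence has order Q
ELEM_LEN = 2   # bytes needed to encode a group element

def _kdf(domain: bytes, seed: bytes, n: int) -> bytes:
    """Domain-separated key derivation (stand-in for the proposal's KDF)."""
    return hashlib.shake_256(domain + seed).digest(n)

def kem_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def kem_encaps(pk: int):
    """Return (K, C0): a fresh 64-byte DEM key and its encapsulation."""
    r = secrets.randbelow(Q - 1) + 1
    c0 = pow(G, r, P)
    z = pow(pk, r, P)
    seed = c0.to_bytes(ELEM_LEN, "big") + z.to_bytes(ELEM_LEN, "big")
    return _kdf(b"KEM", seed, 64), c0

def kem_decaps(sk: int, c0: int):
    """Recover K from C0, or None if C0 is not in the order-q subgroup."""
    if not 1 < c0 < P or pow(c0, Q, P) != 1:
        return None
    z = pow(c0, sk, P)
    seed = c0.to_bytes(ELEM_LEN, "big") + z.to_bytes(ELEM_LEN, "big")
    return _kdf(b"KEM", seed, 64)

def _mac(km: bytes, label: bytes, ct: bytes) -> bytes:
    # Length-prefix the label so (label, ct) pairs cannot be re-split.
    data = len(label).to_bytes(4, "big") + label + ct
    return hmac.new(km, data, hashlib.sha256).digest()

def _stream_xor(ke: bytes, data: bytes) -> bytes:
    # One-time keystream: ke is fresh per ciphertext because the KEM key is.
    return bytes(a ^ b for a, b in zip(data, _kdf(b"DEM", ke, len(data))))

def dem_encrypt(key: bytes, label: bytes, msg: bytes) -> bytes:
    ke, km = key[:32], key[32:]
    ct = _stream_xor(ke, msg)
    return ct + _mac(km, label, ct)

def dem_decrypt(key: bytes, label: bytes, blob: bytes):
    if len(blob) < 32:
        return None
    ct, tag = blob[:-32], blob[-32:]
    ke, km = key[:32], key[32:]
    if not hmac.compare_digest(tag, _mac(km, label, ct)):
        return None          # wrong label or modified ciphertext
    return _stream_xor(ke, ct)

def hpke_encrypt(pk: int, label: bytes, msg: bytes) -> bytes:
    key, c0 = kem_encaps(pk)
    return c0.to_bytes(ELEM_LEN, "big") + dem_encrypt(key, label, msg)

def hpke_decrypt(sk: int, label: bytes, ct: bytes):
    if len(ct) < ELEM_LEN:
        return None
    key = kem_decaps(sk, int.from_bytes(ct[:ELEM_LEN], "big"))
    if key is None:
        return None          # invalid encapsulation (e.g. small-subgroup element)
    return dem_decrypt(key, label, ct[ELEM_LEN:])

if __name__ == "__main__":
    sk, pk = kem_keygen()
    ct = hpke_encrypt(pk, b"session-42", b"hello")
    print(hpke_decrypt(sk, b"session-42", ct))   # b'hello'
    print(hpke_decrypt(sk, b"session-43", ct))   # None: label mismatch
```

The subgroup check in `kem_decaps` is the part implementers most often omit: without it an encapsulation such as $p-1$ (an element of order 2) is accepted and the derived key leaks a bit of the secret key through the DEM's MAC verdict. The label enters only through the MAC, which is exactly what the cited passage means by a DEM that "incorporates the use of a label".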

172 | Secure Integration of Asymmetric and Symmetric Encryption Schemes - Fujisaki, Okamoto - 1999
Citation context: ...public-key encryption scheme. While the scheme we present here differs in numerous details from the original PSEC-2, we believe it is similar in spirit to the PSEC-2 submission, preserves the main idea of [FO99] on which it is based, and provides very nearly the same security/efficiency trade-off. 16.1 Key Generation. A fully specified group $\mathit{Group} = (H, G, g, \mu, \nu, E, D, E', D')$. Additionally, a key deriv...

148 | Number-theoretic constructions of efficient pseudo-random functions - Naor, Reingold - 1997
Citation context: ...$\mathrm{Advantage}_{\mathrm{DDH}}(A) = \lvert \Pr[A(X_R) = 1] - \Pr[A(X_D) = 1] \rvert$. The DDH assumption is that this advantage is negligible for all efficient algorithms. The DDH problem is “random self-reducible” (see [Sta96] and [NR97]). See [Bon98] and [NR97] for further discussion of the DDH. 14.3 The Gap-CDH Problem. The submitters of the PSEC scheme have proposed a new computational assumption, called the gap-CDH assumption. Thi...

128 | RSA-OAEP is secure under the RSA assumption - Fujisaki, Okamoto, et al. - 2001
Citation context: ...ut — essentially by accident, rather than design — RSA-OAEP is indeed secure in the random oracle model. This was proven for encryption exponent 3 in [Sho01], and for arbitrary encryption exponent in [FOPS01]. The security reduction in the latter paper is highly inefficient, however. Another problem with RSA-OAEP is that it only encrypts messages of short length. As such, many applications that use RSA-OA...

122 | The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes - Okamoto, Pointcheval - 2001
Citation context: ...that the CDH problem is hard, even when given access to an oracle for the Decisional Diffie-Hellman (DDH) problem. This latter assumption is called the gap-CDH assumption, and is studied in detail in [OP01]. As for efficiency, encryption takes two group exponentiations, and decryption takes one or two (depending on the group, but usually one for elliptic curves). 1.4.3 PSEC. PSEC is a family of Diffie-He...

119 | Publicly verifiable secret sharing - Stadler - 1996

104 | Public-key encryption in a multi-user setting: Security proofs and improvements - Bellare, Boldyreva, et al. - 2000
Citation context: ...ecurity reduction than RSA-OAEP+ (or RSA-OAEP). This advantage becomes even more pronounced when one analyzes the security of many messages encrypted under a single public key (as formally modeled in [BBM00]). In this setting, one can exploit the well-known random self-reducibility property of the RSA inversion problem to easily show that the security of the RSA-KEM key encapsulation mechanism does not de...

96 | OAEP Reconsidered - Shoup - 2001
Citation context: ...del of security against adaptive chosen ciphertext attack, assuming RSA inversion is hard. This “proof” was published in [BR94], and despite years of public scrutiny, it was only recently observed in [Sho01] that not only is the proof invalid, but that there can be no standard proof via “black box” reduction for the OAEP construction in general, given an arbitrary one-way trapdoor permutation. This negat...

67 | Using hash functions as a hedge against chosen ciphertext attack - Shoup - 2000
Citation context: ...his scheme differs in only very minor ways from schemes that have been rigorously analyzed in the literature. It most closely resembles the variation of the Cramer-Shoup scheme discussed in detail in [Sho00]. The security of the scheme is based on the DDH (see §14.2), and a few other specific assumptions about the hash and key derivation functions. The security reduction is quite tight. One can easily ve...

65 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups - Joux, Nguyen - 2001
Citation context: ...me and success probability of the latter attack are essentially the same as for the former attack. This is discussed in detail in §17.6.2. Thus, any fears that the DDH assumption is “too strong” (see [JN01]) can be safely put to rest. 1.4.5 EPOC. EPOC is a family of encryption schemes based on factoring integers of the form $n = p^2 q$. There are three variants: EPOC-1, EPOC-2, and EPOC-3. Security of thes...

53 | DHAES: an encryption scheme based on the Diffie-Hellman problem (preprint) - Abdalla, Bellare, Rogaway - 1999
Citation context: ...-Hellman-based scheme. It is a hybrid encryption scheme based on the hardness of the Computational Diffie-Hellman (CDH) problem for elliptic curves. It is closely related to the DHAES construction in [ABR99]. The current draft of IEEE P1363a also contains a version of ECIES, but this version differs in some significant respects from the submitted version of ECIES. As we shall point out, this scheme is...

51 | A chosen ciphertext attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as standardized - Manger - 2001
Citation context: ...ormation. In particular, it is recommended that both steps 5 and 6 should be performed, even if step 5 fails. If such precautions are not taken, an implementation may be vulnerable to Manger’s attack [Man01]. 18.4 Defects of RSA-OAEP. RSA-OAEP suffers from two defects. The first is a security defect. It was a widely held belief that the general OAEP construction was secure against adaptive chosen cipherte...
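The precaution in the passage above is about the shape of the decryptor's control flow after the RSA inversion: the size check on the recovered integer and the OAEP decoding must both run, and must fail the same way. The block below is an added example for this page, not code from Shoup's proposal or from Manger's paper. It takes the passage's "step 5" to be the integer-to-octet-string conversion (which fails when the recovered integer does not fit in $k-1$ octets, i.e. its leading octet is not zero) and "step 6" to be the OAEP decoding; that reading of the step numbers is an assumption. It also assumes MGF1 over SHA-256, a constructed $k = 128$ (a 1024-bit modulus), and stands in for the RSA inversion by working directly on the recovered integer $m$. The distinct reason strings in the leaky decoder are illustrative of any observable difference (error code, timing, exception type).

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HLEN = HASH().digest_size

def mgf1(seed: bytes, n: int) -> bytes:
    """MGF1 mask generation (RFC 8017, Appendix B.2.1) over SHA-256."""
    out = b""
    for i in range((n + HLEN - 1) // HLEN):
        out += HASH(seed + i.to_bytes(4, "big")).digest()
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, k: int, label: bytes = b"") -> bytes:
    """EME-OAEP encoding of msg into a k-byte EM whose first byte is 0x00."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    ps = b"\x00" * (k - len(msg) - 2 * HLEN - 2)
    db = HASH(label).digest() + ps + b"\x01" + msg
    seed = os.urandom(HLEN)
    masked_db = _xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = _xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def _unmask(body: bytes, k: int) -> bytes:
    """Undo both mask layers on EM minus its leading byte; returns DB."""
    masked_seed, masked_db = body[:HLEN], body[HLEN:]
    seed = _xor(masked_seed, mgf1(masked_db, HLEN))
    return _xor(masked_db, mgf1(seed, k - HLEN - 1))

def oaep_decode_leaky(m: int, k: int, label: bytes = b""):
    """Anti-pattern: step 5 and the step-6 checks fail at different points
    with different reasons, which is the oracle Manger's attack needs."""
    if m >= 1 << (8 * (k - 1)):
        return ("reject", "integer too large")   # step 5 fails, step 6 never runs
    db = _unmask(m.to_bytes(k - 1, "big"), k)
    if db[:HLEN] != HASH(label).digest():
        return ("reject", "label hash mismatch")
    i = HLEN
    while i < len(db) and db[i] == 0:
        i += 1
    if i == len(db) or db[i] != 1:
        return ("reject", "bad padding")
    return ("ok", db[i + 1:])

def oaep_decode_hardened(m: int, k: int, label: bytes = b""):
    """Run step 5 and step 6 unconditionally and fold every check into one
    verdict. (Python is not constant-time; the point is the control flow.)"""
    em = m.to_bytes(k, "big")        # always fits: m < n < 256^k
    lead_ok = em[0] == 0             # step 5, recorded rather than acted on
    db = _unmask(em[1:], k)          # step 6 runs even if step 5 failed
    hash_ok = hmac.compare_digest(db[:HLEN], HASH(label).digest())
    sep, bad = -1, 0
    for i in range(HLEN, len(db)):   # scan all of PS || 0x01 || M, no early exit
        if sep < 0 and db[i] == 1:
            sep = i
        elif sep < 0 and db[i] != 0:
            bad = 1
    if not (lead_ok and hash_ok and sep >= 0 and bad == 0):
        return None                  # one failure signal for every cause
    return db[sep + 1:]

if __name__ == "__main__":
    k = 128                          # constructed: a 1024-bit modulus
    m = int.from_bytes(oaep_encode(b"secret", k, b"lbl"), "big")
    big = m | 1 << (8 * (k - 1))     # leading octet 0x01: step 5 should fail
    print(oaep_decode_hardened(m, k, b"lbl"))     # b'secret'
    print(oaep_decode_hardened(big, k, b"lbl"))   # None
    print(oaep_decode_leaky(big, k, b"lbl"))      # ('reject', 'integer too large')
```

Manger's attack works by submitting chosen ciphertexts and learning, for each one, only whether the recovered integer was "too large"; the leaky decoder hands that bit over directly, while the hardened one returns the same `None` whether the leading octet, the label hash or the padding was wrong. In a real implementation the hardened shape is necessary but not sufficient: the time taken on the two paths must also match, which means no data-dependent early exits anywhere in the decoder.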

22 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups. J. Cryptology, Online First; available from http://eprint.iacr.org/2001/003 - Joux, Nguyen

20 | The random oracle methodology, revisited - Canetti, Goldreich, et al. - 1998

14 | Secure Length-Saving ElGamal Encryption under the Computational Diffie-Hellman Assumption - Baek, Lee, et al. - 2000
Citation context: ...st subgroups of elliptic curves. We should also mention that the scheme we have proposed here bears some similarities not only to the PSEC-2 submission, but also to a very similar scheme presented in [BLK00]. 16.6 Security considerations. Since this proposed scheme differs significantly from PSEC-2 and other schemes in the literature, we sketch a security proof in the random oracle model assuming the CDH...

13 | DHAES: an encryption scheme based on the Diffie-Hellman problem. Cryptology ePrint Archive, Report 1999/007 - Abdalla, Bellare, et al. - 1999

12 | Asymmetric encryption: evolution and enhancements - Johnson, Matyas - 1996

9 | The sum of PRPs is a secure PRF - Lucks - 2000
Citation context: ...An alternative is to use a block cipher in counter mode, but to output the XOR of consecutive pairs of block cipher outputs. This approach yields a higher level of security when $l$ is very large (see [Luc00]). 8 Symmetric key encryption. 8.1 Abstract interface. A symmetric key encryption scheme SKE specifies a key length SKE.KeyLen, along with encryption and decryption algorithms: • The encryption a...

5 | OAEP Reconsidered. Cryptology ePrint Archive, Report 2000/060 - Shoup - 2000

4 | RSA-OAEP is Still Alive. Cryptology ePrint Archive, Report 2000/061, November 2000; available from http://eprint.iacr.org - Fujisaki, Okamoto, et al.