Results 1  10
of
48,660
Instantiability of rsaoaep under chosenplaintext attack
 In CRYPTO
, 2010
"... We show that the widely deployed RSAOAEP encryption scheme of Bellare and Rogaway (Eurocrypt 1994), which combines RSA with two rounds of an underlying Feistel network whose hash(i.e., round)functions aremodeledasrandomoracles,meets indistinguishabilityunderchosenplaintext attack (INDCPA) in the s ..."
Abstract

Cited by 16 (1 self)
 Add to MetaCart
wise independent for appopriate t and that RSA satisfies condition (2) under the ΦHiding Assumption of Cachin et al. (Eurocrypt 1999). This appears to be the first nontrivial positive result about the instantiability ofRSAOAEP. In particular, it increases our confidence that chosenplaintext attacks
Strengthening Security of RSAOAEP
 Proceedings of CTRSA 2009, LNCS 5473
, 2009
"... Abstract—OAEP is one of the few standardized and widely deployed publickey encryption schemes. It was designed by Bellare and Rogaway as a scheme based on a trapdoor permutation such as RSA. RSAOAEP is standardized in RSA’s PKCS #1 v2.1 and is part of several standards. OAEP was shown to be INDCC ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
CCA secure assuming the underlying trapdoor permutation is partial oneway, and RSAOAEP was proven to be INDCCA under the standard RSA assumption, both in the random oracle model. However, the latter reduction is not tight, meaning that the guaranteed level of security is not very high for a practical
RSAREACT: An Alternative to RSAOAEP
, 2001
"... The last few months, several new results appeared about the OAEP construction, and namely the RSAOAEP cryptosystem. Whereas OAEP was believed to provide the highest security level (INDCCA2), with an efficient exact security level, the effective security result had been showed to be incomplete. ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
. Nevertheless, the particular instantiation with RSA (which is anyway almost the sole application) had been eventually proven secure, but the security reduction appears to be quite inefficient. Therefore, with respect to the provable security result, RSAOAEP with a 1024bit modulus just provides a 2
Unprovable Security of RSAOAEP in the Standard Model
, 2006
"... Consider the provable security of RSAOAEP when not instantiated with random oracles. ..."
Abstract
 Add to MetaCart
Consider the provable security of RSAOAEP when not instantiated with random oracles.
What Hashes Make RSAOAEP Secure?
, 2007
"... Firstly, we demonstrate a pathological hash function choice that makes RSAOAEP insecure. This shows that at least some security property is necessary for the hash functions used in RSAOAEP. Nevertheless, we conjecture that only some very minimal security properties of the hash functions are actual ..."
Abstract
 Add to MetaCart
Firstly, we demonstrate a pathological hash function choice that makes RSAOAEP insecure. This shows that at least some security property is necessary for the hash functions used in RSAOAEP. Nevertheless, we conjecture that only some very minimal security properties of the hash functions
full version. Strengthening Security of RSAOAEP
"... OAEP is one of the few standardized and widely deployed publickey encryption schemes. It was designed by Bellare and Rogaway as a scheme based on a trapdoor permutation such as RSA. RSAOAEP is standardized in RSA’s PKCS #1 v2.1 and is part of several standards. RSAOAEP was shown to be INDCCA sec ..."
Abstract
 Add to MetaCart
OAEP is one of the few standardized and widely deployed publickey encryption schemes. It was designed by Bellare and Rogaway as a scheme based on a trapdoor permutation such as RSA. RSAOAEP is standardized in RSA’s PKCS #1 v2.1 and is part of several standards. RSAOAEP was shown to be IND
RSAOAEP is Secure under the RSA Assumption
, 2002
"... Recently Victor Shoup noted that there is a gap in the widelybelieved security result of OAEP against adaptive chosenciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the onewayness of the underlying trapdoor permutation. This paper establishes another ..."
Abstract

Cited by 152 (21 self)
 Add to MetaCart
Recently Victor Shoup noted that there is a gap in the widelybelieved security result of OAEP against adaptive chosenciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the onewayness of the underlying trapdoor permutation. This paper establishes
A WeakRandomizer Attack on RSAOAEP with e = 3
, 2005
"... Coppersmith's heuristic algorithm for finding small roots of bivariate modular equations can be applied against lowexponent RSAOAEP if its randomizer is weak. An adversary that knows the randomizer can recover the entire plaintext message, provided it is short enough for Coppersmith's ..."
Abstract
 Add to MetaCart
Coppersmith's heuristic algorithm for finding small roots of bivariate modular equations can be applied against lowexponent RSAOAEP if its randomizer is weak. An adversary that knows the randomizer can recover the entire plaintext message, provided it is short enough for Coppersmith
Vulnerability of SSL to ChosenPlaintext Attack
, 2004
"... The Secure Sockets Layer (SSL) protocol is widely used for securing communication over the Internet. When utilizing block ciphers for encryption, the SSL standard mandates the use of the cipher block chaining (CBC) mode of encryption which requires an initialization vector (IV) in order to encryp ..."
Abstract

Cited by 16 (1 self)
 Add to MetaCart
to encrypt. Although the initial IV used by SSL is a (pseudo)random string which is generated and shared during the initial handshake phase, subsequent IVs used by SSL are chosen in a deterministic, predictable pattern; in particular, the IV of a message is taken to be the final ciphertext block
Results 1  10
of
48,660