Instantiability of RSA-OAEP under Chosen-Plaintext Attack
In CRYPTO, 2010
"... We show that the widely deployed RSA-OAEP encryption scheme of Bellare and Rogaway (Eurocrypt 1994), which combines RSA with two rounds of an underlying Feistel network whose hash (i.e., round) functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the s ..."
Abstract

Cited by 16 (1 self)
wise independent for appropriate t and that RSA satisfies condition (2) under the Φ-Hiding Assumption of Cachin et al. (Eurocrypt 1999). This appears to be the first nontrivial positive result about the instantiability of RSA-OAEP. In particular, it increases our confidence that chosen-plaintext attacks
RSA-OAEP is Secure under the RSA Assumption
, 2002
"... Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another ..."
Abstract

Cited by 149 (20 self)
Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes
Relations Among Notions of Security for Public-Key Encryption Schemes
, 1998
"... Abstract. We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove e ..."
Abstract

Cited by 517 (69 self)
Abstract. We compare the relative strengths of popular notions of security for public key encryption schemes. We consider the goals of privacy and non-malleability, each under chosen plaintext attack and two kinds of chosen ciphertext attack. For each of the resulting pairs of definitions we prove
A Weak-Randomizer Attack on RSA-OAEP with e = 3
, 2005
"... Coppersmith's heuristic algorithm for finding small roots of bivariate modular equations can be applied against low-exponent RSA-OAEP if its randomizer is weak. An adversary that knows the randomizer can recover the entire plaintext message, provided it is short enough for Coppersmith's ..."
Abstract
Coppersmith's heuristic algorithm for finding small roots of bivariate modular equations can be applied against low-exponent RSA-OAEP if its randomizer is weak. An adversary that knows the randomizer can recover the entire plaintext message, provided it is short enough for Coppersmith
New Chosen-Plaintext Attacks on the One-Wayness of the Modified McEliece PKC Proposed at Asiacrypt 2000
"... Abstract. McEliece PKC (Public-Key Cryptosystem), whose security is based on the decoding problem, is one of a few alternatives for the current PKCs that are mostly based on either IFP (Integer Factoring Problem) or DLP (Discrete Logarithm Problem), which would be solved in polynomial-time after the ..."
Abstract
Wayness against Chosen-Plaintext Attacks) of the underlying McEliece PKC, i.e. the McEliece PKC with no conversion, is infeasible. Breaking OW-CPA of it is still infeasible if an appropriate parameter, n ≥ 2048 with optimum t and k, is chosen since the binary work factor to break it with the best CPA is around 2
From Known-Plaintext to Chosen-Ciphertext Security
, 2006
"... Motivated by the quest of reducing assumptions in security proofs in cryptography, this paper is concerned with designing efficient symmetric encryption and authentication schemes based on weak pseudorandom functions (WPRF), which can potentially be much more efficiently implemented than PRFs. Damga ..."
Abstract
. Damgard and Nielsen (Crypto '02) showed how to construct a symmetric encryption scheme based on any WPRF that is provably secure under a chosen-plaintext attack. The main ingredient is a construction of a variable-output-length WPRF from any WPRF.
A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 James
"... Abstract. An adaptive chosen ciphertext attack against PKCS #1 v2.0 RSA OAEP encryption is described. It recovers the plaintext – not the private key – from a given ciphertext in a little over log₂ n queries of an oracle implementing the algorithm, where n is the RSA modulus. The high likelihood of ..."
Abstract
Abstract. An adaptive chosen ciphertext attack against PKCS #1 v2.0 RSA OAEP encryption is described. It recovers the plaintext – not the private key – from a given ciphertext in a little over log₂ n queries of an oracle implementing the algorithm, where n is the RSA modulus. The high likelihood
A Fast and Key-Efficient Reduction of Chosen-Ciphertext to Known-Plaintext Security
"... 1 Introduction 1.1 Weakening of Cryptographic Assumptions A general goal in cryptography is to prove the security of cryptographic systems under assumptions that are as weak as possible. Provably secure encryption and authentication schemes based on a pseudorandom function (PRF) [11] have been studied ..."
Abstract
been studied extensively [10]. Informally, a PRF is an efficient function with a secret key that cannot be efficiently distinguished from a uniform random function even when it can be queried adaptively (i.e., under a chosen-plaintext attack (CPA)).
Keywords: Cipher Block Chaining, Adaptive Chosen Plaintext Attack, InputOutput Masked CBC
"... Abstract: In the literature, several encryption modes of operation based on cipher block chaining (CBC) have been proven to be secure under non-adaptive chosen plaintext attack (CPA1) in the left-or-right (LOR) or find-then-guess (FTG) security models. However, it was shown by Joux et al. at Crypto ..."
Abstract
Abstract: In the literature, several encryption modes of operation based on cipher block chaining (CBC) have been proven to be secure under non-adaptive chosen plaintext attack (CPA1) in the left-or-right (LOR) or find-then-guess (FTG) security models. However, it was shown by Joux et al
