Random oracles are practical: a paradigm for designing efficient protocols
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
Perfectly one-way probabilistic hash functions (preliminary version)
STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
Efficient private bidding and auctions with an oblivious third party
CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES
CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
Universal Padding Schemes for RSA
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
Unbelievable Security. Matching AES Security Using Public Key Systems
ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Simplified OAEP for the RSA and Rabin Functions
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Extracting randomness from samplable distributions
FOCS '00 Proceedings of the 41st Annual Symposium on Foundations of Computer Science
The random oracle methodology, revisited
Journal of the ACM (JACM)
RSA-OAEP Is Secure under the RSA Assumption
Journal of Cryptology
Correcting errors without leaking partial information
Proceedings of the thirty-seventh annual ACM symposium on Theory of computing
Password authenticated key exchange using hidden smooth subgroups
Proceedings of the 12th ACM conference on Computer and communications security
Lossy trapdoor functions and their applications
STOC '08 Proceedings of the fortieth annual ACM symposium on Theory of computing
Randomness-efficient oblivious sampling
SFCS '94 Proceedings of the 35th Annual Symposium on Foundations of Computer Science
Extractable Perfectly One-Way Functions
ICALP '08 Proceedings of the 35th international colloquium on Automata, Languages and Programming, Part II
Adaptive One-Way Functions and Applications
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Public-Key Locally-Decodable Codes
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
On the Validity of the Φ-Hiding Assumption in Cryptographic Protocols
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
The Group of Signed Quadratic Residues and Applications
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
When private keys are public: results from the 2008 Debian OpenSSL vulnerability
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Computationally private information retrieval with polylogarithmic communication
EUROCRYPT'99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques
New attacks on PKCS#1 v1.5 encryption
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Trading one-wayness against chosen-ciphertext security in factoring-based encryption
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Analysis of random oracle instantiation scenarios for OAEP and other practical schemes
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
On the generic insecurity of the full domain hash
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
On the impossibility of instantiating PSS in the standard model
PKC'11 Proceedings of the 14th international conference on Practice and theory in public key cryptography conference on Public key cryptography
The equivalence of the random oracle model and the ideal cipher model, revisited
Proceedings of the forty-third annual ACM symposium on Theory of computing
Improved cryptanalysis of the multi-prime φ-hiding assumption
AFRICACRYPT'11 Proceedings of the 4th international conference on Progress in cryptology in Africa
CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Lossy functions do not amplify well
TCC'12 Proceedings of the 9th international conference on Theory of Cryptography
Identity-Based (lossy) trapdoor functions and applications
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Dual projective hashing and its applications -- lossy trapdoor functions and more
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Optimal security proofs for full domain hash, revisited
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Optimal bounds for multi-prime Φ-hiding assumption
ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Reduction in lossiness of RSA trapdoor permutation
SPACE'12 Proceedings of the Second international conference on Security, Privacy, and Applied Cryptography Engineering
ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
Comparing the pairing efficiency over composite-order and prime-order elliptic curves
ACNS'13 Proceedings of the 11th international conference on Applied Cryptography and Network Security
Hi-index | 0.00 |
We show that the widely deployed RSA-OAEP encryption scheme of Bellare and Rogaway (Eurocrypt 1994), which combines RSA with two rounds of an underlying Feistel network whose hash (i.e., round) functions are modeled as random oracles, meets indistinguishability under chosen-plaintext attack (IND-CPA) in the standard model based on simple, non-interactive, and non-interdependent assumptions on RSA and the hash functions. To prove this, we first give a result on a more general notion called "padding-based" encryption, saying that such a scheme is IND-CPA if (1) its underlying padding transform satisfies a "fooling" condition against small-range distinguishers on a class of high-entropy input distributions, and (2) its trapdoor permutation is sufficiently lossy as defined by Peikert and Waters (STOC 2008). We then show that the first round of OAEP satifies condition (1) if its hash function is t-wise independent for appopriate t and that RSA satisfies condition (2) under the φ-Hiding Assumption of Cachin et al. (Eurocrypt 1999). This appears to be the first non-trivial positive result about the instantiability of RSA-OAEP. In particular, it increases our confidence that chosen-plaintext attacks are unlikely to be found against the scheme. In contrast, RSA-OAEP's predecessor in PKCS #1 v1.5 was shown to be vulnerable to such attacks by Coron et al. (Eurocrypt 2000).