Strong Adaptive Chosen-Ciphertext Attacks with Memory Dump (or: The Importance of the Order of Decryption and Validation)
This paper presents a new type of powerful cryptanalytic attack on public-key cryptosystems, extending the more commonly studied adaptive chosen-ciphertext attacks. In the new attacks, an adversary is not only allowed to submit (valid or invalid) ciphertexts of her choice to a decryption oracle, but also to issue a "dump query" before a decryption operation completes. The dump query returns intermediate results that have not been erased in the course of the decryption operation, thereby giving the adversary a vital advantage in breaking the cryptosystem.
We believe that the new attack model more closely approximates existing security systems. We examine its power by demonstrating that most existing public-key cryptosystems, including OAEP-RSA, are vulnerable to the extended attacks.
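The following is an added illustration of the attack model described above; it is example code written for this page, not code from the paper. It uses a toy RSA key and a simplified hash-tag padding check in place of real OAEP (both assumptions), because the point it demonstrates is structural: in OAEP-RSA the validity check can only run after the private-key exponentiation, so a sensitive intermediate (the RSA output) exists in memory before the decryptor knows whether to reject. The "dump query" is modelled as reading whatever scratch state the decryption routine left behind. With a decrypt-then-validate routine that does not erase on rejection, the classic RSA blinding trick (submit c·r^e, unblind the leaked RSA output) recovers the plaintext of a ciphertext the oracle never decrypted successfully; a variant that erases its intermediates on every exit path defeats the same query.

```python
"""Chosen-ciphertext attack with a memory dump: toy model (example code, not the paper's)."""
import hashlib
import math
import secrets

TAG_LEN = 16  # bytes of SHA-256 used as the validity tag (simplified stand-in for OAEP's check)


def is_probable_prime(n, rounds=20):
    # Miller-Rabin; adequate for a toy key, not for production.
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=256):
    # Assumed toy parameters: a 256-bit modulus is far too small for real use.
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, phi), "k": (n.bit_length() + 7) // 8}


def pad(msg, k):
    # EM = 0x00 || tag || 0x00... || 0x01 || msg ; the leading zero byte keeps EM < n.
    if len(msg) > k - TAG_LEN - 2:
        raise ValueError("message too long")
    tag = hashlib.sha256(msg).digest()[:TAG_LEN]
    return b"\x00" + tag + b"\x00" * (k - TAG_LEN - 2 - len(msg)) + b"\x01" + msg


def unpad(em):
    # Returns the message, or None when the encoding is invalid.
    if em[0] != 0:
        return None
    tag, body = em[1:1 + TAG_LEN], em[1 + TAG_LEN:]
    sep = body.find(b"\x01")
    if sep < 0 or any(body[:sep]):
        return None
    msg = body[sep + 1:]
    return msg if hashlib.sha256(msg).digest()[:TAG_LEN] == tag else None


def encrypt(pk, msg):
    return pow(int.from_bytes(pad(msg, pk["k"]), "big"), pk["e"], pk["n"])


class DecryptionOracle:
    """Decrypt queries plus a dump of intermediates the routine did not erase."""

    def __init__(self, sk):
        self.sk = sk
        self._scratch = {}  # stands in for memory left behind by decryption

    def dump(self):
        return dict(self._scratch)

    def decrypt_then_validate(self, c):
        # Private-key operation first, validity check second, no cleanup on reject.
        m = pow(c, self.sk["d"], self.sk["n"])
        self._scratch["rsa_output"] = m  # intermediate remains in memory
        return unpad(m.to_bytes(self.sk["k"], "big"))

    def decrypt_erase_before_reject(self, c):
        # Same order of operations, but every exit path erases the intermediate.
        try:
            return self.decrypt_then_validate(c)
        finally:
            self._scratch.clear()


def blinding_attack(pk, oracle, decrypt, c_target):
    # Submit c*r^e: the padding check rejects it, but the dumped RSA output
    # equals pad(m)*r mod n, which the attacker unblinds with r^-1.
    n = pk["n"]
    while True:
        r = 2 + secrets.randbelow(n - 2)
        if math.gcd(r, n) == 1:
            break
    decrypt((c_target * pow(r, pk["e"], n)) % n)  # rejected as invalid (w.h.p.)
    leaked = oracle.dump().get("rsa_output")
    if leaked is None:
        return None  # nothing left in memory: the attack fails
    return unpad(((leaked * pow(r, -1, n)) % n).to_bytes(pk["k"], "big"))


def run_demo(msg=b"attack at dawn"):
    keys = keygen()
    c = encrypt(keys, msg)
    leaky, fixed = DecryptionOracle(keys), DecryptionOracle(keys)
    return (blinding_attack(keys, leaky, leaky.decrypt_then_validate, c),
            blinding_attack(keys, fixed, fixed.decrypt_erase_before_reject, c))


if __name__ == "__main__":
    print(run_demo())  # (b'attack at dawn', None)
```

The leaky variant is the natural way to write an OAEP-style decryptor, which is why the order of decryption and validation matters: the secret-dependent value is computed, and sits in memory, before anything about the ciphertext's validity is known. Erasing intermediates on every exit path, as the second variant does, removes what the dump query would return; schemes whose validity check can run before the private-key operation avoid creating the intermediate at all.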
Keywords: Encryption, provable security, chosen-ciphertext security, ciphertext validity, OAEP-RSA, ElGamal encryption