OAEP Is Secure under Key-Dependent Messages

  • Michael Backes
  • Markus Dürmuth
  • Dominique Unruh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5350)

Abstract

Key-dependent message security, KDM security for short, was introduced by Black, Rogaway and Shrimpton to address the case where key cycles occur among encryptions, e.g., a key is encrypted with itself. We extend this definition to include the cases of adaptive corruptions and arbitrary active attacks, called adKDM security, which incorporates several novel design choices and substantially differs from prior definitions of public-key security. We also show that the OAEP encryption scheme (using a partial-domain one-way function) satisfies the strong notion of adKDM security in the random oracle model. The OAEP construction thus constitutes a suitable candidate for implementing symbolic abstractions of encryption schemes in a computationally sound manner under active adversaries.
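To make the objects in the abstract concrete, the following is an added illustration (not code from the paper or its authors) of the mechanism the result is about: the Bellare-Rogaway OAEP transform with SHA-256 standing in for the random oracles G and H, a deliberately tiny RSA key as the trapdoor permutation, and a "key cycle of length one", i.e. a plaintext that is a function of the very secret key it is encrypted under. The byte lengths, the 160-bit modulus, the seeds and the function `f(sk) = low bytes of d` are all constructed choices for this example; the code shows how the padding, the redundancy check and a key-dependent encryption behave, and says nothing about the paper's security proof.

```python
import hashlib
import random

# Toy Bellare-Rogaway OAEP parameters (constructed for this example, not from the paper):
# the k-byte block is m (n bytes) || 0^k1 (redundancy) || r (k0 random bytes) after masking.
N_BYTES, K1_BYTES, K0_BYTES = 7, 4, 8
K_BYTES = N_BYTES + K1_BYTES + K0_BYTES  # 19-byte block, below the 160-bit toy modulus
PRIME_BITS = 80

def mgf1(seed: bytes, length: int, label: bytes) -> bytes:
    """SHA-256 counter-mode mask; plays the random oracles G (label b"G") and H (label b"H")."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m: bytes, r: bytes) -> bytes:
    """s = (m || 0^k1) xor G(r); t = r xor H(s); the block given to the trapdoor permutation is s || t."""
    if len(m) != N_BYTES or len(r) != K0_BYTES:
        raise ValueError("message must be %d bytes, seed %d bytes" % (N_BYTES, K0_BYTES))
    s = xor(m + b"\x00" * K1_BYTES, mgf1(r, N_BYTES + K1_BYTES, b"G"))
    t = xor(r, mgf1(s, K0_BYTES, b"H"))
    return s + t

def oaep_decode(x: bytes):
    """Inverse of oaep_encode; returns None when the k1 zero bytes do not check out."""
    if len(x) != K_BYTES:
        return None
    s, t = x[:N_BYTES + K1_BYTES], x[N_BYTES + K1_BYTES:]
    r = xor(t, mgf1(s, K0_BYTES, b"H"))
    mz = xor(s, mgf1(r, N_BYTES + K1_BYTES, b"G"))
    if mz[N_BYTES:] != b"\x00" * K1_BYTES:
        return None
    return mz[:N_BYTES]

def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin test; only used to build the toy key."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_rsa_keygen(seed: int = 1):
    """Deterministic 160-bit RSA key as the trapdoor permutation; far too small for real use."""
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            c = rng.getrandbits(PRIME_BITS) | (1 << (PRIME_BITS - 1)) | 1
            if is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        if p != q and (p - 1) * (q - 1) % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def encrypt(pk, m: bytes, r: bytes) -> int:
    n, e = pk
    return pow(int.from_bytes(oaep_encode(m, r), "big"), e, n)

def decrypt(sk, c: int):
    """RSA-OAEP decryption; None on any failure (the same answer for every malformed input)."""
    n, d = sk
    x = pow(c, d, n)
    if x >= 1 << (8 * K_BYTES):
        return None
    return oaep_decode(x.to_bytes(K_BYTES, "big"))

def key_dependent_roundtrip(seed: int = 1) -> bool:
    """A key cycle of length one: the plaintext is a function of the secret key it is encrypted under."""
    pk, sk = toy_rsa_keygen(seed)
    m = sk[1].to_bytes(PRIME_BITS // 4, "big")[-N_BYTES:]  # constructed f(sk): low 7 bytes of d
    r = random.Random(seed + 1).getrandbits(8 * K0_BYTES).to_bytes(K0_BYTES, "big")
    return decrypt(sk, encrypt(pk, m, r)) == m

def tampered_ciphertext_rejected(seed: int = 1) -> bool:
    """Flipping one ciphertext bit scrambles the whole block, so the redundancy check fails."""
    pk, sk = toy_rsa_keygen(seed)
    m, r = b"A" * N_BYTES, b"\x07" * K0_BYTES
    return decrypt(sk, encrypt(pk, m, r) ^ 1) is None
```

Two things to notice when running it. `key_dependent_roundtrip` only shows that a key-dependent plaintext encrypts and decrypts like any other; whether an adversary who can request such encryptions (and adaptively corrupt keys) learns anything is exactly the question adKDM security formalises, and no round trip can answer it. `tampered_ciphertext_rejected` shows the role of the `0^k1` redundancy: because decoding recovers `r` from `t` and then unmasks `s`, any change to the block derandomises into a uniformly garbled check string, which is what lets a decryption oracle answer "invalid" without leaking the plaintext.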

Keywords

Key-dependent message security; chosen ciphertext attacks; RSA-OAEP

References

  1. Abadi, M., Jürjens, J.: Formal eavesdropping and its computational interpretation. In: Proc. 4th International Symposium on Theoretical Aspects of Computer Software (TACS), pp. 82–94 (2001)
  2. Abadi, M., Rogaway, P.: Reconciling two views of cryptography: The computational soundness of formal encryption. In: Watanabe, O., Hagiya, M., Ito, T., van Leeuwen, J., Mosses, P.D. (eds.) TCS 2000. LNCS, vol. 1872, pp. 3–22. Springer, Heidelberg (2000)
  3. Backes, M., Dürmuth, M., Unruh, D.: OAEP is secure under key-dependent messages (2008), http://www.infsec.cs.uni-sb.de/~unruh/publications/backes08oaep.html
  4. Backes, M., Pfitzmann, B.: Symmetric encryption in a simulatable Dolev-Yao style cryptographic library. In: Proc. 17th IEEE Computer Security Foundations Workshop (CSFW), pp. 204–218 (2004)
  5. Backes, M., Pfitzmann, B., Scedrov, A.: Key-dependent message security under active attacks – BRSIM/UC-soundness of symbolic encryption with key cycles. In: Proc. of 20th IEEE Computer Security Foundation Symposium (CSF) (June 2007); Preprint on IACR ePrint 2005/421
  6. Backes, M., Pfitzmann, B., Waidner, M.: A composable cryptographic library with nested operations (extended abstract). In: Proc. 10th ACM Conference on Computer and Communications Security, pp. 220–230 (January 2003); Full version in IACR Cryptology ePrint Archive 2003/015
  7. Beaver, D., Haber, S.: Cryptographic protocols provably secure against dynamic adversaries. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 307–323. Springer, Heidelberg (1993)
  8. Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: Proc. 38th IEEE Symposium on Foundations of Computer Science (FOCS), pp. 394–403 (1997)
  9. Bellare, M., Namprempre, C.: Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)
  10. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
  11. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)
  12. Bellare, M., Rogaway, P.: Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient constructions. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 317–330. Springer, Heidelberg (2000)
  13. Black, J., Rogaway, P., Shrimpton, T.: Encryption-scheme security in the presence of key-dependent messages. In: Proc. 9th Annual Workshop on Selected Areas in Cryptography (SAC), pp. 62–75 (2002)
  14. Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision Diffie-Hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 108–125. Springer, Heidelberg (2008)
  15. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001)
  16. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: Proc. 42nd IEEE Symposium on Foundations of Computer Science (FOCS), pp. 136–145 (2001); Extended version in Cryptology ePrint Archive, Report 2000/67
  17. Canetti, R., Herzog, J.: Universally composable symbolic analysis of mutual authentication and key exchange protocols. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 380–403. Springer, Heidelberg (2006)
  18. Cortier, V., Warinschi, B.: Computationally sound, automated proofs for security protocols. In: Proc. 14th European Symposium on Programming (ESOP), pp. 157–171 (2005)
  19. Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM Journal on Computing 30(2), 391–437 (2000)
  20. Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–208 (1983)
  21. Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. Journal of Cryptology 17(2), 81–104 (2004)
  22. Goldreich, O.: Foundations of Cryptography. Basic Applications, vol. 2. Cambridge University Press, Cambridge (May 2004)
  23. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28, 270–299 (1984)
  24. Halevi, S., Krawczyk, H.: Security under key-dependent inputs. In: Proc. of the 14th ACM Conference on Computer and Communications Security (to appear, 2007); Preprint on IACR ePrint 2007/315
  25. Hofheinz, D., Unruh, D.: Towards key-dependent message security in the standard model (August 2007); Preprint on IACR ePrint 2007/333
  26. Laud, P.: Semantics and program analysis of computationally secure information flow. In: Proc. 10th European Symposium on Programming (ESOP), pp. 77–91 (2001)
  27. Laud, P.: Symmetric encryption in automatic analyses for confidentiality against active adversaries. In: Proc. 25th IEEE Symposium on Security & Privacy, pp. 71–85 (2004)
  28. Luby, M.: Pseudorandomness and Cryptographic Applications. Princeton Computer Society Notes, Princeton (1996)
  29. Micciancio, D., Warinschi, B.: Soundness of formal encryption in the presence of active adversaries. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 133–151. Springer, Heidelberg (2004)
  30. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)
  31. Shannon, C.E.: Communication theory of secrecy systems. Bell System Technical Journal 28(4), 656–715 (1949)
  32. Yao, A.C.: Theory and applications of trapdoor functions. In: Proc. 23rd IEEE Symposium on Foundations of Computer Science (FOCS), pp. 80–91 (1982)

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Michael Backes (1, 2)
  • Markus Dürmuth (1)
  • Dominique Unruh (1)
  1. Saarland University, Saarbrücken, Germany
  2. Max-Planck-Institute for Software Systems, Saarbrücken, Germany