Cryptography Reference
In-Depth Information
Another security notion has been proposed: nonmalleability, denoted NM. We have a
security notion for NM-CPA, NM-CCA1, and NM-CCA depending on which adversary
we consider. Nonmalleability is also described by a game, which is a little more
complicated than the game for semantic security. What is worth keeping in mind is that
NM-CCA and IND-CCA are equivalent and that NM-CPA and NM-CCA1 are proven
to be stronger security notions than IND-CPA and IND-CCA1 respectively. This leads
us to the following matrix of security notions.
                          Adversary power
                        CPA     CCA1     CCA
Key recovery            Weaker
Message decryption
Bit retrieval
Indistinguishability
Nonmalleability                          Stronger
Resistance to the strongest attack (key recovery with chosen plaintexts) is the weakest
security model. Conversely, resistance to the weakest attack (malleability with CCA)
is the strongest security model.
9.3.8 RSA-OAEP
Based on the previous notes and the bad experience of PKCS#1v1.5, PKCS#1 was
updated into PKCS#1v2 with the OAEP preformatting technique. OAEP stands for
“Optimal Asymmetric Encryption Padding” and is due to Mihir Bellare and Phillip
Rogaway. We describe here the encryption scheme of PKCS#1v2.1 (Ref. [14]).
We are given a modulus N of k bytes and a hash function H which hashes to hLen
bytes. We also use a “Mask Generation Function” MGF which is indeed a family of
one-way functions such that MGF maps a bitstring into a string of
bytes. In order to
encrypt a message M, we proceed as depicted in Fig. 9.10.
1. Set an optional label L associated with the message and compute H(L). (This
feature is to be used for specific applications. The default value for L, if L is
not provided, is the empty string.)
2. Set DB (as for “Data Byte”) to the concatenated string
H(L) || 00 || ··· || 00 || 01 || M, where we put enough zero bytes (possibly
none) in order to get a length of k − 1 − hLen.
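The DB construction of steps 1 and 2, carried through the seed-masking steps of PKCS#1v2.1 to the full encoded block and back, as an added example that is not from the original text. It assumes SHA-256 for H and MGF1 for the mask generation function; the function names are illustrative.

```python
import hashlib, os

H = hashlib.sha256           # assumption: the text only names this function H
H_LEN = H().digest_size      # hLen in the text

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1: concatenate H(seed || 4-byte counter) and truncate to `length` bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += H(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_db(message: bytes, k: int, label: bytes = b"") -> bytes:
    """Steps 1-2: DB = H(L) || 00 ... 00 || 01 || M, exactly k - 1 - hLen bytes."""
    pad_len = k - 2 * H_LEN - 2 - len(message)
    if pad_len < 0:
        raise ValueError("message too long for this modulus and hash")
    return H(label).digest() + b"\x00" * pad_len + b"\x01" + message

def oaep_encode(message: bytes, k: int, label: bytes = b"", seed: bytes = None) -> bytes:
    """Mask DB with a random seed, then mask the seed with the masked DB."""
    seed = os.urandom(H_LEN) if seed is None else seed
    masked_db = xor(build_db(message, k, label), mgf1(seed, k - 1 - H_LEN))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db   # k bytes, fed to the RSA operation

def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """Undo both masks and check the redundancy that the encoding added."""
    if len(em) != k or k < 2 * H_LEN + 2:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - 1 - H_LEN))
    rest = db[H_LEN:].lstrip(b"\x00")          # skip the zero padding
    # Every failure raises the same error; real code must also run in constant time.
    ok = em[0] == 0 and db[:H_LEN] == H(label).digest() and rest[:1] == b"\x01"
    if not ok:
        raise ValueError("decryption error")
    return rest[1:]
```

Any change to the encoded block scrambles the recovered DB, so the H(L) check fails and the decoder rejects it.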
 