Cryptography Reference
In-Depth Information
Figure 14.1 OAEP padding scheme.
$$\mathrm{OAEP}(m) = (s, t) = \underbrace{m \oplus g(r)}_{s} \,\|\, \underbrace{r \oplus h(m \oplus g(r))}_{t}$$
This value can then be taken as input for an asymmetric encryption system,
such as the RSA asymmetric encryption system. The resulting system is sometimes
referred to as RSA-OAEP.
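The transform above can be exercised end to end. The following is an added example, not code from the book: it goes one step beyond the formula shown by appending K1 zero bytes to m before masking, as in Bellare and Rogaway's construction, so that decoding can reject a modified block. The sizes K0 and K1, the SHAKE-256 instantiation of g and h, and all function names are assumptions.

```python
import hashlib, hmac, os

K0 = 32  # bytes of randomness r (assumed size)
K1 = 16  # bytes of zero redundancy appended to m (assumed size)

def _xof(tag, data, n):
    # Assumption: g and h are domain-separated SHAKE-256 outputs.
    return hashlib.shake_256(tag + data).digest(n)

def g(r, n):
    return _xof(b"g", r, n)

def h(s):
    return _xof(b"h", s, K0)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m, r=None):
    """Return s || t with s = (m || 0^K1) XOR g(r), t = r XOR h(s)."""
    r = os.urandom(K0) if r is None else r
    if len(r) != K0:
        raise ValueError("r must be K0 bytes")
    padded = m + bytes(K1)
    s = _xor(padded, g(r, len(padded)))
    t = _xor(r, h(s))
    return s + t

def oaep_decode(block):
    """Invert oaep_encode; reject blocks whose redundancy is not all zero."""
    if len(block) < K0 + K1:
        raise ValueError("decoding error")
    s, t = block[:-K0], block[-K0:]
    r = _xor(t, h(s))               # recover r from t
    padded = _xor(s, g(r, len(s)))  # recover m || 0^K1 from s
    if not hmac.compare_digest(padded[-K1:], bytes(K1)):
        raise ValueError("decoding error")
    return padded[:-K1]

def demo():
    m = b"constructed sample message"
    a, b = oaep_encode(m), oaep_encode(m)
    tampered = bytes([a[0] ^ 1]) + a[1:]  # flip one bit of s
    try:
        oaep_decode(tampered)
        rejected = False
    except ValueError:
        rejected = True
    return oaep_decode(a) == m, a != b, rejected
```

The encoded block is what would be handed to the RSA function; in production use the RSAES-OAEP implementation of a vetted cryptographic library rather than a hand-written transform.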
Bellare and Rogaway argued that OAEP provides semantic security against
chosen-ciphertext attacks in the random oracle model. Hence, quite naturally, OAEP
was adopted in PKCS #1 version 2.0. In 2001, however, Victor Shoup showed that
the security arguments provided by Bellare and Rogaway are formally incorrect
[17]. A formal and complete proof of the semantic security against adaptive chosen-
ciphertext attacks provided by RSA-OAEP was given in [18]. Unfortunately, this
security proof does not guarantee security for key sizes used in practice (due to
the inefficiency of the security reduction). Consequently, a few alternative padding
schemes have been proposed in the literature that admit more efficient proofs and
provide adequate security for key sizes used in practice (see, for example, [19]). The
development and formal treatment of padding schemes for asymmetric encryption
is still a hot research topic in contemporary cryptography.
14.4 IDENTITY-BASED ENCRYPTION
In an asymmetric encryption system, every user has a public key pair, and the keys
that make up the pair look somewhat arbitrary and random. Consequently, one usually