Explain what an adversary would have to do to violate the - - PowerPoint PPT Presentation



SLIDE 1

Explain what an adversary would have to do to violate the Computational Diffie-Hellman assumption (CDH)

Question #1

Why isn’t raw RSA, $E_N(M) = M^3 \bmod N$, a secure way to encrypt a plaintext $M \in \mathbb{Z}_N$?

Question #1

SLIDE 2

Explain what an adversary would have to do to violate the Computational Diffie-Hellman assumption (CDH)

Question #1

Why isn’t raw RSA, $E_N(M) = M^3 \bmod N$, a secure way to encrypt a plaintext $M \in \mathbb{Z}_N$?

Question #1

Do well at computing $g^{ab}$ from $g^a$ and $g^b$ (for random $a, b$, in a group $G = \langle g \rangle$)

  • Because it’s deterministic.
  • Because it won’t achieve IND.
  • Because the RSA assumption doesn’t ensure that all of M is concealed by applying the RSA function.
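
The failures listed above, as an added example that is not part of the original slides: a re-encrypting adversary wins the IND game against raw RSA every time, and the ciphertext reveals the Jacobi symbol of M. The toy primes, message values and function names are constructed for illustration.

```python
import secrets

# Constructed toy key (far too small for real use); p, q = 2 mod 3 so e = 3 is valid.
P, Q, E = 1019, 1031, 3
N = P * Q

def raw_rsa_encrypt(m: int) -> int:
    """Raw RSA from the slide: E_N(M) = M^3 mod N, with no padding."""
    return pow(m, E, N)

def reencrypt_adversary(c: int, m0: int, m1: int) -> int:
    """Determinism: encrypt m1 under the public key and compare with c."""
    return 1 if raw_rsa_encrypt(m1) == c else 0

def ind_game(adversary, m0: int, m1: int, trials: int = 200) -> float:
    """Left-or-right IND experiment; returns the adversary's success rate."""
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)               # challenger's hidden bit
        c = raw_rsa_encrypt(m1 if b else m0)   # challenge ciphertext
        wins += adversary(c, m0, m1) == b
    return wins / trials

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0; needs no knowledge of n's factors."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def leaked_bit_matches(m: int) -> bool:
    """(M^3/N) = (M/N)^3 = (M/N): one bit about M survives encryption."""
    return jacobi(raw_rsa_encrypt(m), N) == jacobi(m, N)

if __name__ == "__main__":
    print("IND success rate:", ind_game(reencrypt_adversary, 42, 1337))
    print("Jacobi leak holds:", all(leaked_bit_matches(m) for m in range(1, 2000)))
```
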
SLIDE 3

RSA PKCS #1, v. 1

( 00 02  $$ … $$  00  M )^e mod N

SLIDE 4

OAEP

[Figure: OAEP padding diagram with labels M, 0⋅⋅⋅0, k1, R, k0, G, G(R), H, S, T, feeding ( )^e mod N]

[Bellare-Rogaway 1994], [Shoup 2001], [Fujisaki, Okamoto, Pointcheval and Stern 2001]

SLIDE 5

The Random-Oracle Paradigm

[Bellare-Rogaway 1993]

  • 1. Design your protocol pretending there’s a public random oracle that all parties can access.
  • 2. Prove your protocol secure in the random-oracle model (ROM).
  • 3. Instantiate the random oracle (RO) by a cryptographic hash function, or something derived from one.

Thesis: significant assurance remains despite the heuristic final step.

$$\mathbf{Adv}^{\mathrm{ind\text{-}cca,\,rom}}_{\Pi}(A,k) = \Pr\left[H \twoheadleftarrow \Omega;\ (pk, sk) \twoheadleftarrow K(k) : A^{H,\,E^H_{pk}(\cdot),\,D^H_{sk}(\cdot)} \Rightarrow 1\right] - \Pr\left[H \twoheadleftarrow \Omega;\ (pk, sk) \twoheadleftarrow K(k) : A^{H,\,E^H_{pk}(0^{|\cdot|}),\,D^H_{sk}(\cdot)} \Rightarrow 1\right]$$

SLIDE 6

RSA PKCS #1, v. 1

( 00 01  FF … FF  00  H(M) )^d mod N