On the Selective Opening Security of Practical Public-Key Encryption Schemes

We show that two well-known and widely employed public-key encryption schemes, RSA Optimal Asymmetric Encryption Padding (RSA-OAEP) and Diffie-Hellman Integrated Encryption Standard (DHIES), the latter instantiated with a one-time pad, are secure under the strong, simulation-based notion of selective opening security against chosen-ciphertext attacks in the random oracle model. Both schemes are obtained via known generic transformations that turn relatively weak primitives (with security in the sense of one-wayness) into IND-CCA secure encryption schemes. We prove that selective opening security comes for free in these two transformations. Both DHIES and RSA-OAEP are important building blocks in several standards for public-key encryption and key exchange protocols. They are the first practical cryptosystems that meet the strong notion of simulation-based selective opening (SIM-SO-CCA) security.
