slides - Stanford Crypto Group

More documents

Recommendations

Info

OAEP [BR94] Theorem: In the ROM, OAEP is • IND-CPA secure if f is one-way [BR94] • IND-CCA secure if f is partialdomain one-way [FOPS01] M || 0…0 HASH HASH s t r Theorem [BK13]: If H is UCE-secure then instantiated OAEP is • IND-CPA' secure if f is partialdomain one-way IND-CPA for messages not depending on the public key. Note: One-way and partial-domain one-way are equivalent for RSA [FOPS01]. Previous work: [KOS10] show RSA-OAEP is IND-CPA-secure under a weaker assumption on H (t-wise independence) and a stronger assumption on RSA (ϕ-hiding). 1/9/13 Bellare, <strong>Stanford</strong> RWC Workshop 39
Multi-key UCE We also give a definition of UCE-security for the case that hashing is being performed with many different keys. We do not know whether single-key UCE-security implies multi-key UCEsecurity in general. (The hybrid argument breaks down.) However, we can show that single key UCE-security implies multi-key UCE-security in the case that the number of keys is a constant. We exploit multi-key security in a crucial way for instantiating the RO in the [BRS03] KDM-secure encryption scheme and in RKA-secure encryption. 1/9/13 Bellare, <strong>Stanford</strong> RWC Workshop 40
Page 1 and 2: Instantiating Random Oracles Mihir
Page 3 and 4: Contributions in brief UCE (Univers
Page 5 and 6: RSA-OAEP [BR94] Theorem: In the ROM
Page 7 and 8: ROM Critiques Step 1: Prove securit
Page 9 and 10: The debate continues … The RO par
Page 11 and 12: The core problem: Lack of a definit
Page 13 and 14: Want: Instantiable RO Paradigm Step
Page 15 and 16: Contributions in brief UCE (Univers
Page 17 and 18: UCE x1 x x 2 n S H K H K Y 1 Y 0 :
Page 19 and 20: UCE x1 x x 2 n S H K H K Y 1 Y 0 :
Page 21 and 22: UCE: Formally is UCE-secure if is n
Page 23 and 24: UCE generalizes existing definition
Page 25 and 26: UCE generalizes existing definition
Page 27 and 28: UCE: Features and Limitations Allow
Page 29 and 30: Instantiating EwH ROM EwH D-PKE sch
Page 31 and 32: Why it works Claim 1: S is unpredic
Page 33: More instantiations in the same vei
Page 37 and 38: KDM-secure encryption [CL01,BRS02]
Page 39 and 40: Strength of UCE Is UCE too ``close
Page 41 and 42: A vision of ROM-based cryptography
Page 43 and 44: UCE hash functions from ``standard

slides - Stanford Crypto Group

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?