On the broadcast and validity-checking security of PKCS#1 v1.5 encryption

Aurélie Bauer (1), Jean-Sébastien Coron (2), David Naccache (1), Mehdi Tibouchi (1,2), Damien Vergnaud (1)
(1) École normale supérieure
(2) Université du Luxembourg

ACNS 2010

Outline: Context, Single-User Setting, Multi-User Setting, Conclusion
RSA Signatures

Encrypting with textbook RSA,

$c = m^e \bmod N$,

is a bad idea (e.g. homomorphic properties, deterministic encryption). Therefore, encapsulate $m$ using a padding scheme $\mu$:

$c = \mu(m)^e \bmod N$.
Padding schemes

Two kinds of padding schemes:

1. Ad-hoc paddings, e.g. PKCS#1 v1.5. Designed to prevent specific attacks. Often exhibit other weaknesses.

2. Provably secure paddings, e.g. OAEP. Proven to be secure under well-defined assumptions.

Although potentially less secure, ad-hoc paddings remain in widespread use in real-world applications. Re-evaluating them periodically is thus necessary.
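Added example (not from the slides or the paper): a toy Python implementation contrasting textbook RSA with the PKCS#1 v1.5 encryption padding (EME-PKCS1-v1_5, block type 2) as the scheme µ from the previous slide. The key is constructed from two Mersenne primes and is far too small for real use; it exists only to make the two weaknesses (determinism, multiplicative homomorphism) and the padding's validity check concrete.

```python
import os

# Constructed toy RSA key from the Mersenne primes 2^89-1 and 2^61-1:
# a ~150-bit modulus, far too small for real use, but large enough for a
# 19-byte PKCS#1 v1.5 block. e = 65537 is coprime to (P-1)(Q-1) here.
P, Q = (1 << 89) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (19)


def textbook_encrypt(m: int) -> int:
    return pow(m, E, N)


def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)


def textbook_is_homomorphic(m1: int, m2: int) -> bool:
    """Enc(m1) * Enc(m2) == Enc(m1 * m2) mod N: ciphertexts combine without the key."""
    return textbook_encrypt(m1) * textbook_encrypt(m2) % N == textbook_encrypt(m1 * m2 % N)


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 block type 2: 00 || 02 || PS || 00 || M, PS random and non-zero."""
    if len(msg) > K - 11:  # PS must be at least 8 bytes long
        raise ValueError("message too long")
    ps = b""
    while len(ps) < K - 3 - len(msg):
        ps += bytes(b for b in os.urandom(16) if b != 0)
    return b"\x00\x02" + ps[: K - 3 - len(msg)] + b"\x00" + msg


def pkcs1_v15_unpad(block: bytes) -> bytes:
    """The validity check of the padding (the 'validity-checking' setting of the title)."""
    if len(block) != K or block[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = block.find(b"\x00", 2)
    if sep < 10:  # separator must come after at least 8 bytes of PS
        raise ValueError("bad padding")
    return block[sep + 1:]


def padded_encrypt(msg: bytes) -> int:
    return textbook_encrypt(int.from_bytes(pkcs1_v15_pad(msg), "big"))


def padded_decrypt(c: int) -> bytes:
    return pkcs1_v15_unpad(textbook_decrypt(c).to_bytes(K, "big"))
```

Encrypting the same message twice with `textbook_encrypt` gives the same ciphertext, while `padded_encrypt` gives fresh ciphertexts each time because PS is random.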