On the Robustness of RSA-OAEP Encryption and RSA-PSS Signatures Against (Malicious) Randomness Failures

Jacob C. N. Schuldt, Kazumasa Shinagawa
{"title":"On the Robustness of RSA-OAEP Encryption and RSA-PSS Signatures Against (Malicious) Randomness Failures","authors":"Jacob C. N. Schuldt, Kazumasa Shinagawa","doi":"10.1145/3052973.3053040","DOIUrl":null,"url":null,"abstract":"It has recently become apparent that both accidental and maliciously caused randomness failures pose a real and serious threat to the security of cryptographic primitives, and in response, researchers have begone the development of primitives that provide robustness against these. In this paper, however, we focus on standardized, widely available primitives. Specifically, we analyze the RSA-OAEP encryption scheme and RSA-PSS signature schemes, specified in PKCS #1, using the related randomness security notion introduced by Paterson et al. (PKC 2014) and its extension to signature schemes. We show that, under the RSA and Φ-hiding assumptions, RSA-OAEP encryption is related randomness secure for a large class of related randomness functions in the random oracle model, as long as the recipient is honest, and remains secure even when additionally considering malicious recipients, as long as the related randomness functions does not allow the malicious recipients to efficiently compute the randomness used for the honest recipient. We furthermore show that, under the RSA assumption, the RSA-PSS signature scheme is secure for any class of related randomness functions, although with a non-tight security reduction. However, under additional, albeit somewhat restrictive assumptions on the related randomness functions and the adversary, a tight reduction can be recovered. Our results provides some reassurance regarding the use of RSA-OAEP and RSA-PSS in environments where randomness failures might be a concern. Lastly, we note that, unlike RSA-OAEP and RSA-PSS, several other schemes, including RSA-KEM, part of ISO 18033-2, and DHIES, part of IEEE P1363a, are not secure under simple repeated randomness attacks.","PeriodicalId":20540,"journal":{"name":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","volume":"2012 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2017-04-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3052973.3053040","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1

Abstract

It has recently become apparent that both accidental and maliciously caused randomness failures pose a real and serious threat to the security of cryptographic primitives, and in response, researchers have begone the development of primitives that provide robustness against these. In this paper, however, we focus on standardized, widely available primitives. Specifically, we analyze the RSA-OAEP encryption scheme and RSA-PSS signature schemes, specified in PKCS #1, using the related randomness security notion introduced by Paterson et al. (PKC 2014) and its extension to signature schemes. We show that, under the RSA and Φ-hiding assumptions, RSA-OAEP encryption is related randomness secure for a large class of related randomness functions in the random oracle model, as long as the recipient is honest, and remains secure even when additionally considering malicious recipients, as long as the related randomness functions does not allow the malicious recipients to efficiently compute the randomness used for the honest recipient. We furthermore show that, under the RSA assumption, the RSA-PSS signature scheme is secure for any class of related randomness functions, although with a non-tight security reduction. However, under additional, albeit somewhat restrictive assumptions on the related randomness functions and the adversary, a tight reduction can be recovered. Our results provides some reassurance regarding the use of RSA-OAEP and RSA-PSS in environments where randomness failures might be a concern. Lastly, we note that, unlike RSA-OAEP and RSA-PSS, several other schemes, including RSA-KEM, part of ISO 18033-2, and DHIES, part of IEEE P1363a, are not secure under simple repeated randomness attacks.
RSA-OAEP加密和RSA-PSS签名对(恶意)随机失效的鲁棒性研究
最近很明显,意外和恶意引起的随机故障对加密原语的安全性构成了真实而严重的威胁,作为回应,研究人员已经开始开发提供抗这些故障的鲁棒性的原语。然而,在本文中,我们关注的是标准化的、广泛可用的原语。具体来说,我们使用Paterson等人(PKC 2014)引入的相关随机安全概念及其对签名方案的扩展,分析pkcs# 1中指定的RSA-OAEP加密方案和RSA-PSS签名方案。我们表明,在RSA和Φ-hiding假设下,RSA- oaep加密对于随机oracle模型中的一大类相关随机函数是相关随机安全的,只要收件人是诚实的,并且即使在额外考虑恶意收件人时也保持安全,只要相关随机函数不允许恶意收件人有效地计算用于诚实收件人的随机性。我们进一步证明,在RSA假设下,RSA- pss签名方案对于任何一类相关的随机函数都是安全的,尽管具有非严格的安全性降低。然而,在对相关随机函数和对手的额外(尽管有些限制性)假设下,可以恢复严格的缩减。我们的结果为RSA-OAEP和RSA-PSS在可能关注随机故障的环境中的使用提供了一些保证。最后,我们注意到,与RSA-OAEP和RSA-PSS不同,其他一些方案,包括ISO 18033-2的一部分RSA-KEM和IEEE P1363a的一部分DHIES,在简单的重复随机性攻击下并不安全。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信