Chinese Journal of Computers
Title: An Improved OAEP 3-Round Padding Scheme
Authors: HU Yu-Pu, MU Ning-Bo, WANG Bao-Cang
Address: Key Laboratory of Computer Networks & Information Security of Ministry of Education, Xidian University, Xi'an 710071
Year: 2009
Issue: No.4 (611-617)
Abstract & Background
Abstract: OAEP 3-Round is a well-known padding scheme. However, if the attacker can obtain the random string used by OAEP 3-Round, the scheme is no longer indistinguishable against adaptive chosen ciphertext attacks. Examples are given to support this argument. The authors improve the OAEP 3-Round padding scheme so that it is plaintext aware, and prove that the revised version is semantically secure against adaptive chosen ciphertext attacks in the random oracle model, even when the attacker can obtain the random string of the padding scheme.
Keywords: padding scheme; plaintext awareness; OAEP 3-Round; adaptive chosen ciphertext attack; OAEP3+
Background: To protect public key cryptosystems against unknown attacks, the concept of "provable security" was proposed. Many efforts have been made to design padding schemes that make encryption schemes indistinguishable against adaptive chosen ciphertext attacks. Little attention has been paid to whether these security results still hold when the random string of the padding scheme is leaked. When encryption schemes are applied in different settings, the existing security results must be reconsidered carefully. Among the padding schemes available now, OAEP 3-Round, proposed by Phan and Pointcheval at ASIACRYPT 2003, was believed to be suitable for most cryptosystems. However, it does not possess the property of plaintext awareness: the decryptor cannot distinguish valid ciphertexts from random strings. When the cryptosystem is malleable and the random string of the padding scheme is revealed to the adaptive chosen ciphertext attacker, the scheme is no longer IND-CCA2 secure. The authors improve the OAEP 3-Round padding scheme and prove that the revised version is indistinguishable against adaptive chosen ciphertext attacks in the random oracle model, even when the attacker can obtain the random string of the padding scheme.
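The lack of plaintext awareness described above comes from the padding carrying no redundancy: a three-round Feistel network over (message, random string) is a bijection, so every string of the right length unpads to some valid pair and the decryptor has nothing to reject on. The following added example (not code from the paper; the round structure, the SHA-256-based oracles F, G, H and the block size are assumptions) implements such a 3-round padding and verifies the bijection by exhaustive enumeration on a 1-byte block size.

```python
import hashlib
from itertools import product


def oracle(label: bytes, x: bytes, n: int) -> bytes:
    """Random oracles F, G, H modelled as SHA-256 with domain separation (assumed)."""
    return hashlib.sha256(label + x).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep3_pad(m: bytes, r: bytes) -> bytes:
    """Three Feistel rounds over message m and random string r (same length n).
    Returns the 2n-byte string that would be fed to the trapdoor permutation.
    No redundancy (e.g. a zero block) is inserted anywhere."""
    n = len(m)
    s = xor(m, oracle(b"F", r, n))
    t = xor(r, oracle(b"G", s, n))
    u = xor(s, oracle(b"H", t, n))
    return u + t


def oaep3_unpad(p: bytes) -> tuple[bytes, bytes]:
    """Invert the three rounds. Note there is no validity check at all:
    every input of even length yields a (m, r) pair and is accepted."""
    n = len(p) // 2
    u, t = p[:n], p[n:]
    s = xor(u, oracle(b"H", t, n))
    r = xor(t, oracle(b"G", s, n))
    m = xor(s, oracle(b"F", r, n))
    return m, r


def padding_is_bijection(n: int = 1) -> bool:
    """Enumerate every (m, r) of n bytes each and check all images differ.
    A bijection onto the 2n-byte strings means every such string is a
    valid padding, which is exactly why no plaintext awareness is possible."""
    space = [bytes(b) for b in product(range(256), repeat=n)]
    images = {oaep3_pad(m, r) for m in space for r in space}
    return len(images) == 256 ** (2 * n)
```

With n = 1 the enumeration covers all 65536 (m, r) pairs and finishes in well under a second.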