OAEP

edit

"Unlike ad-hoc schemes such as the padding used in PKCS #1 v1, OAEP is provably secure under the random oracle model."

I was under the impression that the original proof was proven to be wrong in papers from Crypto 2001 - anyone knows more about that?--80.171.158.198 22:02, 27 February 2006 (UTC)Reply

The original definition and proof were not strong enough. But a better proof has been published. See Optimal Asymmetric Encryption Padding for details. 67.84.116.166 13:35, 7 October 2006 (UTC)Reply

Plaintext awareness is not sufficient for security against chosen-ciphertext attacks

edit

Here is a heuristic example: If you encrypt a message m with RSA PKCS#1 v1.5 then the system is not plaintext aware. If you concatenate the encryption with a secure hash of the message then the encryption becomes plaintext aware, but is not longer semantically secure, because an attacker can simply try to guess the message, hash it and compare the result with the hash. So for getting security against chosen-ciphertext attacks you need a little bit more than just plaintext awareness. 85.2.38.165 17:59, 7 February 2007 (UTC)Reply

Actually, I'm not that sure anymore. The paper "Relations among notions of security for public-key encryption schemes" by M. Bellare, A. Desai, D. Pointcheval and P. Rogaway [1] indeed proofs that plaintext awareness implies security against chosen-ciphertext attacks. However, the definition of plaintext awareness in this paper seems to imply semantic security, wheras the informal wikipedia definition does not. 85.2.38.165 18:41, 7 February 2007 (UTC)Reply

Bleichenbacher's attack stronger than adaptive chosen ciphertext attack

edit

As I understand it, Bleichenbacher's makes uses of a severely limited chosen ciphertext oracle that does not return the full plaintext but rather a single bit indicating whether the raw RSA plaintext is properly PKCS #1 v1.5 formatted. So, his attack does not require the full CCA2 oracle: it can success with less information, making it a stronger attack.

A critique of the CCA2 security definition is that ciphertext-decrypting oracle's limitation on not decrypting the challenge ciphertext is artificial. The critique suggests that CCA2 security is not really needed to avoid a practical attack.

Bleichenbacher's practical attack can be described without the ciphertext limitation above: one can submit the challenge cipherext to the oracle, which returns a bit about the challenge plaintext. It is realistic to suppose that the challenge ciphertext was already correctly PKCS#1 v1.5 formatteed, so this bit would always return 1, so the oracle reveals nothing new.

So, Bleichenbacher's attack does not overcome the critique above regarding CCA2. The article, as written, could be construed to support of the necessity of CCA2 to overcome a practical attack. I propose amending the article slightly to avoid giving this impression. DRLB (talk) 18:39, 2 March 2011 (UTC)Reply