Optimal asymmetric encryption padding : Wikipedia (English edition)
Optimal asymmetric encryption padding

In cryptography, Optimal Asymmetric Encryption Padding (OAEP) is a padding scheme often used together with RSA encryption. OAEP was introduced by Bellare and Rogaway,〔M. Bellare, P. Rogaway. ''Optimal Asymmetric Encryption -- How to encrypt with RSA''. Extended abstract in Advances in Cryptology - Eurocrypt '94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed., Springer-Verlag, 1995.〕 and subsequently standardized in PKCS#1 v2 and RFC 2437.
The OAEP algorithm is a form of Feistel network which uses a pair of random oracles G and H to process the plaintext prior to asymmetric encryption. When combined with any secure trapdoor one-way permutation f, this processing is proved in the random oracle model to result in a combined scheme which is semantically secure under chosen plaintext attack (IND-CPA). When implemented with certain trapdoor permutations (e.g., RSA), OAEP is also proved secure against chosen ciphertext attack. OAEP can be used to build an all-or-nothing transform.
OAEP satisfies the following two goals:
# Add an element of randomness which can be used to convert a deterministic encryption scheme (e.g., traditional RSA) into a probabilistic scheme.
# Prevent partial decryption of ciphertexts (or other information leakage) by ensuring that an adversary cannot recover any portion of the plaintext without being able to invert the trapdoor one-way permutation f.
The original version of OAEP (Bellare/Rogaway, 1994) showed a form of "plaintext awareness" (which they claimed implies security against chosen ciphertext attack) in the random oracle model when OAEP is used with any trapdoor permutation. Subsequent results contradicted this claim, showing that OAEP was only IND-CCA1 secure. However, the original scheme was proved in the random oracle model to be IND-CCA2 secure when OAEP is used with the RSA permutation using standard encryption exponents, as in the case of RSA-OAEP.〔Eiichiro Fujisaki, Tatsuaki Okamoto, David Pointcheval, and Jacques Stern. ''RSA-OAEP is secure under the RSA assumption''. In J. Kilian, ed., Advances in Cryptology -- CRYPTO 2001, vol. 2139 of Lecture Notes in Computer Science, Springer-Verlag, 2001.〕
An improved scheme (called OAEP+) that works with any trapdoor one-way permutation was offered by Victor Shoup to solve this problem.〔Victor Shoup. ''OAEP Reconsidered''. IBM Zurich Research Lab, Saumerstr. 4, 8803 Ruschlikon, Switzerland. September 18, 2001.〕
More recent work has shown that in the standard model (that is, when hash functions are not modeled as random oracles) it is impossible to prove the IND-CCA2 security of RSA-OAEP under the assumed hardness of the RSA problem.〔P. Paillier and J. Villar, ''Trading One-Wayness against Chosen-Ciphertext Security in Factoring-Based Encryption'', Advances in Cryptology -- Asiacrypt 2006.〕〔D. Brown, ''What Hashes Make RSA-OAEP Secure?'', IACR ePrint 2006/233.〕
==Diagram of OAEP==

In the diagram,
* ''n'' is the number of bits in the RSA modulus.
* ''k''<sub>0</sub> and ''k''<sub>1</sub> are integers fixed by the protocol.
* ''m'' is the plaintext message, an (''n'' − ''k''<sub>0</sub> − ''k''<sub>1</sub>)-bit string.
* ''G'' and ''H'' are typically some cryptographic hash functions fixed by the protocol.
To encode,
# messages are padded with ''k''<sub>1</sub> zeros to be ''n'' − ''k''<sub>0</sub> bits in length.
# ''r'' is a random ''k''<sub>0</sub>-bit string.
# ''G'' expands the ''k''<sub>0</sub> bits of ''r'' to ''n'' − ''k''<sub>0</sub> bits.
# ''X'' = ''m''00..0 ⊕ ''G''(''r'')
# ''H'' reduces the ''n'' − ''k''<sub>0</sub> bits of ''X'' to ''k''<sub>0</sub> bits.
# ''Y'' = ''r'' ⊕ ''H''(''X'')
# The output is ''X'' || ''Y'' where ''X'' is shown in the diagram as the leftmost block and ''Y'' as the rightmost block.
To decode,
# recover the random string as ''r'' = ''Y'' ⊕ ''H''(''X'')
# recover the message as ''m''00..0 = ''X'' ⊕ ''G''(''r'')
The "all-or-nothing" security comes from the fact that to recover ''m'', one must recover the entire ''X'' and the entire ''Y'': ''X'' is required to recover ''r'' from ''Y'', and ''r'' is required to recover ''m'' from ''X''. Since any changed bit of a cryptographic hash completely changes the result, the entire ''X'' and the entire ''Y'' must both be completely recovered.
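The encode and decode steps above as a runnable sketch, with a helper that shows the all-or-nothing behaviour when a single bit of the block is damaged (an added example, not part of the original article). The byte sizes, the SHA-256 counter-mode construction standing in for ''G'' and ''H'', and all function names are assumptions; the trapdoor permutation ''f'' (e.g., RSA) is left out, and the zero-padding check on decode goes beyond the two decode steps listed.

```python
import hashlib
import hmac
import os

# Assumed sizes in bytes: n = 1024 bits, k0 = k1 = 256 bits.
N, K0, K1 = 128, 32, 32

def _expand(label, seed, length):
    """SHA-256 in counter mode, standing in for a random oracle (assumption)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(label + counter.to_bytes(4, "big") + seed).digest()
    return out[:length]

def G(r):  # expands k0 bits to n - k0 bits
    return _expand(b"G", r, N - K0)

def H(x):  # reduces n - k0 bits to k0 bits
    return _expand(b"H", x, K0)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def oaep_encode(m, r=None):
    if len(m) != N - K0 - K1:
        raise ValueError("message must be n - k0 - k1 bits long")
    r = os.urandom(K0) if r is None else r   # fresh randomness per message
    x = xor(m + bytes(K1), G(r))             # X = m00..0 xor G(r)
    y = xor(r, H(x))                         # Y = r xor H(X)
    return x + y                             # X || Y, input to the permutation f

def oaep_decode(block):
    if len(block) != N:
        raise ValueError("block must be n bits long")
    x, y = block[:N - K0], block[N - K0:]
    r = xor(y, H(x))                         # r = Y xor H(X)
    padded = xor(x, G(r))                    # m00..0 = X xor G(r)
    # Rejecting a block whose k1 padding bits are not zero is an added check;
    # the page's two decode steps stop at recovering m00..0.
    if not hmac.compare_digest(padded[-K1:], bytes(K1)):
        raise ValueError("padding check failed")
    return padded[:-K1]

def decode_after_bit_flip(block, index):
    """Flip one bit of the encoded block and report what decoding does."""
    damaged = bytearray(block)
    damaged[index] ^= 0x01
    try:
        return oaep_decode(bytes(damaged))
    except ValueError:
        return None
```

Encoding the same message twice gives different blocks because ''r'' is fresh each time, which is the probabilistic property listed as the first goal.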

Source of excerpt: Wikipedia, the free encyclopedia