Provable Security in Cryptography


Thomas Baignères, EPFL
May 29, 2007 (ver. 25)

These lecture notes are a compilation of some of my readings while I was preparing two lectures given at EPFL on provable security in cryptography. They are essentially based on a book chapter by David Pointcheval called Provable Security for Public Key Schemes [24], on Victor Shoup's tutorial on game playing techniques [30], on Coron's Crypto '00 paper on the exact security of the Full Domain Hash [9], and on Victor Shoup's Journal of Cryptology paper on OAEP+ [28, 29].

1 Provable Security

Although the origin of cryptography seems to date back to the invention of writing, no provably secure cryptosystem (a notion that will be made clearer later) was known before Rabin's cryptosystem, published in 1979 [18, 25]. Yet, several cryptosystems designed during the past 30 years come with very little (not to say no) security proof. Some of these algorithms are widely used in today's secure applications. For example, if it were not for the work of Keliher [15], the AES [10] (the block cipher adopted as an encryption standard by the U.S. government) would not come with any (convincing) security proof against linear cryptanalysis [20] (a very powerful, yet very specific, attack). The strongest argument in favor of the security of the AES is that, until now, none of the smart cryptanalytic attempts to break it has been successful. This fact, added to the very nice design rationale on which the AES relies, is often considered sufficient from a security perspective. Are we done then? Not quite. It sometimes takes time to break a cryptographic scheme. For example, the Chor-Rivest cryptosystem [8] resisted almost 15 years of cryptanalytic efforts, until it was completely broken by Vaudenay [32]. Obviously, the lack of a successful cryptanalytic attack shall not replace a security proof. But what do cryptographers exactly mean by provable security?
Informally, a scheme is provably secure if it comes with a rigorous logical argument showing that if the security of this scheme is compromised, then either some simple logical contradiction occurs (information-theoretic security, or security against computationally unbounded adversaries), or some well-studied problem can be solved efficiently (security against computationally bounded adversaries). In the latter case, one must first assume the hardness of some problem (such as the factorization of large integers) or the existence of some primitive (such as a one-way function $f$, for which it is easy to compute $f(x)$, but given $y = f(x)$ it is computationally intractable to recover $x$). In order to prove the security of a cryptographic scheme, one shows that a potential adversary against the scheme (i.e., an algorithm that breaks the scheme) can be used as a subroutine in order to efficiently break the computational assumption. We say that the cryptographic scheme reduces to the computational assumption (a notion borrowed from complexity theory). The reduction is considered to be efficient when both the time and space complexities of the routine against the computational assumption are bounded by a polynomial in the size of some security input (e.g., the size of an RSA modulus).

However, even the existence of such a proof may have little impact on practical security. To illustrate this fact we borrow an example from Koblitz and Menezes [17]. The Blum-Blum-Shub generator [6] is a cryptographically secure pseudorandom bit generator. Let $N = pq$ be the $n$-bit product of two large primes, both congruent to 3 mod 4. Let $x_0 < N$ be a random integer and define $x_i = x_{i-1}^2 \bmod N$ for $i = 1, \dots, k$. The pseudorandom bit sequence made of the $O(\log \log N)$ least significant bits of the $x_i$'s is cryptographically secure [33], i.e., no polynomial-time statistical test can distinguish it from a perfectly random bitstring of the same length, under the assumption that factoring $N$ is intractable. More precisely, if the running time of the statistical test is bounded by $T$ and its advantage (the absolute value of the probability that it outputs 1 when fed with a random bitstring minus the probability that it outputs 1 when fed with a BBS pseudorandom sequence) is bounded by $\varepsilon$, then it was shown by Sidorenko and Schoenmakers [31] that one can securely extract the $j$ least significant bits of each $x_i$, provided that

$$T \le \frac{L(n)}{36\, n\, (\log n)\, \delta^{-2}} - 2^{2j+9}\, n\, \delta^{-4}, \qquad (1)$$

where $\delta = (2^j - 1)^{-1}\, \varepsilon/(kj)$ and $L(n) = \exp\big((n \ln 2)^{1/3} (\ln(n \ln 2))^{2/3}\big)$, which is the heuristic expected running time of the number field sieve to factor a random $n$-bit Blum integer. For $n = 1024$, $j = 10$, $k = 10^6$, and $\varepsilon = 0.01$, the bound given by (1) is close to $-2^{200}$, which is quite meaningless. To obtain a positive bound with this specific choice of $j$, $k$, and $\varepsilon$, $n$ must be taken much larger than 1024, whereas in practice the typical size for a modulus would be 2048 bits.

2 From Provable Security to Practical Security, or the Need for Idealized Models

The problem illustrated in the last section with the BBS pseudorandom generator finds a solution in the notion of exact security [5] or concrete security [23]. The adversary against the underlying problem should be almost as efficient (both in time and space) as the adversary against the cryptographic scheme that relies on it, and should reach almost the same success probability. A scheme that comes with such security arguments achieves practical security. Unfortunately, practical security seems to lead to inefficient cryptographic schemes. To compensate, idealized models have been introduced. Among them, one may cite the random oracle model, informally introduced by Fiat and Shamir [11] and formalized by Bellare and Rogaway [3], where random functions replace hash functions, and the ideal cipher model [2], where block ciphers are replaced by random permutations. Given the fact that providing security proofs in such idealized models indeed leads to efficient cryptographic schemes, it is natural to wonder whether there is a gap between practical security in these models and practical security in the real world (e.g., where the hash function is SHA-1 [22]), also known as the standard model.
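Worked example (added to these notes, not part of the original text): the bound (1) of Section 1 evaluated numerically with the parameters quoted there, so that the reader can see where the "close to $-2^{200}$" comes from, and how far $n$ has to grow before (1) says anything at all. The only assumption is that the "$\log n$" of (1) is read as $\log_2 n$; passing the natural logarithm instead does not change either conclusion.

```python
import math


def bbs_security_bound(n, j, k, eps, log=math.log2):
    """Right-hand side of (1): the largest running time T of a statistical test with
    advantage eps for which the Sidorenko-Schoenmakers result still guarantees the
    security of the j least significant bits of each of the k values x_i, for an
    n-bit modulus N.
    Assumption: the "log n" of (1) is read as log2(n); use log=math.log for ln."""
    delta = eps / ((2 ** j - 1) * k * j)            # delta = (2^j - 1)^-1 * eps / (k j)
    # L(n) = exp((n ln 2)^(1/3) (ln(n ln 2))^(2/3)), heuristic NFS running time
    L_n = math.exp((n * math.log(2)) ** (1 / 3) * math.log(n * math.log(2)) ** (2 / 3))
    # first term: L(n) / (36 n log(n) delta^-2); second term: 2^(2j+9) n delta^-4
    return L_n * delta ** 2 / (36 * n * log(n)) - 2 ** (2 * j + 9) * n / delta ** 4


def log2_magnitude(x):
    """log2 |x|, to read a huge bound as 'about +/- 2^something'."""
    return math.log2(abs(x))


def smallest_modulus_with_positive_bound(j, k, eps, start=1024, step=1024, log=math.log2):
    """Increase n in steps until (1) yields a positive, hence meaningful, T."""
    n = start
    while bbs_security_bound(n, j, k, eps, log) <= 0:
        n += step
    return n


if __name__ == "__main__":
    # The parameters of Section 1: n = 1024, j = 10, k = 10^6, eps = 0.01.
    bound = bbs_security_bound(1024, 10, 10 ** 6, 0.01)
    print("T <= -2^%.1f" % log2_magnitude(bound))
    print("smallest n with a positive bound:",
          smallest_modulus_with_positive_bound(10, 10 ** 6, 0.01))
```

The second term of (1), $2^{2j+9} n \delta^{-4}$, dominates completely at $n = 1024$ because $\delta^{-4} \approx 2^{160}$; the first term only overtakes it once $L(n)$ is astronomically large, which is exactly the "meaningless bound" point made above.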
The first counterexample was provided by Canetti, Goldreich, and Halevi [7], who show that there exist encryption and signature schemes which are secure in the random oracle model but have no secure implementation in the standard model. In other words, any real implementation of these secure idealized schemes results in an insecure scheme. As far as the author of these notes can judge, the question whether the random oracle model should be preferred to the standard model with strong security assumptions on the underlying primitives is essentially a matter of taste. Yet, it is often stated that the constructions whose purpose is to refute the validity of the random oracle model are not natural, and that it would be very unlikely to come up with a real construction that would suffer from the same pathology [18, 24].

3 Structuring Convincing Security Proofs using Sequences of Games

A proof of security (just like any kind of proof) should be clear and easy to follow. If it is not elementary, being convincing about the validity of that which is to be demonstrated can be very challenging. Structuring security proofs as a sequence of games is one way to provide such proofs. The notion of security for a cryptographic scheme is usually defined via the description of a game between an adversary and a challenger. If the adversary wins the game, the security of the scheme is compromised. Both the adversary and the challenger are modeled as probabilistic processes, so that the whole game is modeled as a probability space. Consequently, the fact that the game is won by the adversary corresponds to a specific event $S$, and the scheme is secure when $\Pr[S]$ is close to some target probability (such as 0 or $1/2$). Providing a tight bound between $\Pr[S]$ and the target probability is fundamental for practical security. Usually, providing such a bound given the sole description of the initial game is hard. One thus constructs a sequence of games Game 0, Game 1, ..., Game $n$, where Game 0 is the original game between the adversary and the challenger. Just as Game 0 defines an event $S_0 = S$, each Game $i$ defines an event $S_i$ such that $\Pr[S_i]$ is negligibly close to $\Pr[S_{i-1}]$ for $i = 1, \dots, n$. Provided that $\Pr[S_n]$ is easy to compute and negligibly close to the target probability, we are done. Note that if we only consider provable security, "negligibly close to" means that the difference is negligible, i.e., eventually smaller than the inverse of any polynomial in the security parameter. When considering practical security, the final bound should moreover be of practical interest (i.e., be meaningful for practical values of the security parameter). Transitions between the games should be small to keep the analysis as simple as possible. Transitions are mainly of 3 types [30]:

Transitions based on indistinguishability. Here, if the adversary is able to distinguish between the two games, then it is easy to derive a distinguishing algorithm between two probability distributions that were assumed to be indistinguishable (either computationally, or statistically in the case of information-theoretic security), hence a contradiction. The security proof of the ElGamal encryption scheme (see Section 7) is the first example in these notes that uses this kind of transition.

Transitions based on failure events. In such a transition, Game $i$ and Game $i+1$ proceed identically unless some failure event $F$ occurs, i.e.,
$$S_i \wedge \neg F \Leftrightarrow S_{i+1} \wedge \neg F.$$
The following fact is then (almost) inevitably used.

Lemma 1 (Difference Lemma). Let $A$, $B$, and $F$ be three probabilistic events such that $A \wedge \neg F \Leftrightarrow B \wedge \neg F$. Then $|\Pr[A] - \Pr[B]| \le \Pr[F]$.

Proof.
$$|\Pr[A] - \Pr[B]| = |\Pr[A \wedge F] + \Pr[A \wedge \neg F] - \Pr[B \wedge F] - \Pr[B \wedge \neg F]| = |\Pr[A \wedge F] - \Pr[B \wedge F]| \le \Pr[F],$$
where the second equality comes from the fact that $\Pr[A \wedge \neg F] = \Pr[B \wedge \neg F]$, and the inequality from the fact that both $\Pr[A \wedge F]$ and $\Pr[B \wedge F]$ are real numbers between 0 and $\Pr[F]$.

Thus, to show that $|\Pr[S_i] - \Pr[S_{i+1}]|$ is negligible (i.e., negligibly close to 0), it is sufficient to show that $\Pr[F]$ is negligible. The computation of the RF/RP-advantage (see Section 8) is the first example in these notes that uses this kind of transition.

Bridging step.
This is the simplest kind of step, in which the game is just formulated in a different way, but such that $\Pr[S_i] = \Pr[S_{i+1}]$. The objective is to obtain an equivalent game that is easier to analyse. The computation of the RF/RP-advantage (see Section 8) is the first example in these notes that uses this kind of transition.

4 About the Rest of these Notes

Sections 5 and 6 respectively introduce the main security scenarios for public-key encryption and for digital signatures. Next, each of the following sections describes a secure scheme and provides a proof of its security using sequences of games. The sections are ordered by increasing difficulty of the proofs, the first examples being fairly simple (toy examples, yet important results), the last two examples being more technical (as they are based on recent research papers). All the security notions introduced in Sections 5 and 6 are illustrated by at least one example in the following sections.

5 Security of Public-Key Encryption Schemes

The aim of a public-key encryption scheme is to allow anybody who knows the public key of Alice to send her a message that she will be the only one able to recover, thanks to her private key [24]. A public-key encryption scheme is a triplet $(\mathcal{K}, f, f^{-1})$ where:

- $\mathcal{K}$ is a key generation algorithm, which on input $1^k$ (where $k$ is the security parameter) outputs a pair $(pk, sk)$ of matching public and private keys. The algorithm is probabilistic.
- $f$ is an encryption algorithm that, given a message $m$ and the public key $pk$, outputs a ciphertext $c = f_{pk}(m)$. The algorithm may be probabilistic.
- $f^{-1}$ is a decryption algorithm that, given a ciphertext $c$ and the secret key $sk$, outputs a plaintext $m = f^{-1}_{sk}(c)$. The algorithm is deterministic.

The decryption shall undo the encryption, i.e., for any message $m$ and any valid public/private key pair $(pk, sk)$, it should hold that $f^{-1}_{sk}(f_{pk}(m)) = m$.

One-Wayness. This is the most basic security notion for a public-key encryption scheme; informally, it means that only the legitimate secret key holder should be able to decrypt. We describe this notion more formally in Algorithm 1. In this algorithm the adversary $A$ is a deterministic algorithm that takes as input random coins $r$ sampled uniformly from some set $R$.

    (pk, sk) ← K(1^k)
    r ← R, view ← {r, pk}
    m ← M, c ← f_pk(m), view ← view ∪ {c}
    m' ← A(view)
    if m' = m then return 1 else return 0

Algorithm 1: One-wayness of a public-key encryption scheme.

Denoting by $S$ the event that Algorithm 1 returns 1, the success of an adversary $A$ in breaking the one-wayness (ow) of the public-key scheme $\mathcal{S}$ is defined by
$$\mathrm{Succ}^{\mathrm{ow}}_{\mathcal{S}}(A) = \Pr[S],$$
where the probability is taken over the random coins used by the encryption scheme, the internal coins $r$ used by the adversary, and the message $m$.

Semantic Security. This notion, introduced by Goldwasser and Micali in [13], guarantees that the adversary should not be able to obtain any information about a message given its encryption, even if the adversary knows that the plaintext was chosen among a finite set of texts (e.g., if the ciphertext is just the encryption of "yes" or "no"). This notion is described in Algorithm 2. (The definition we give for semantic security is actually that of a different, but equivalent, notion called ciphertext indistinguishability, also introduced by Goldwasser and Micali in [13].)

    (pk, sk) ← K(1^k)
    r ← R, view ← {r, pk}
    (m_0, m_1) ← A(view)
    b ← {0, 1}, c ← f_pk(m_b), view ← view ∪ {c}
    b' ← A(view)
    if b' = b then return 1 else return 0

Algorithm 2: Semantic security of a public-key encryption scheme.

Denoting by $S$ the event that Algorithm 2 returns 1, the success of an adversary $A$ in breaking the semantic security (ss) of the public-key encryption scheme $\mathcal{S}$ is defined by
$$\mathrm{Succ}^{\mathrm{ss}}_{\mathcal{S}}(A) = \left|\Pr[S] - 1/2\right|.$$

Adaptive Chosen Ciphertext Attacks (CCA). Semantic security is not sufficient when considering active adversaries (i.e., adversaries that do not only eavesdrop but also inject messages). To deal with active adversaries, Rackoff and Simon introduced the notion of adaptive chosen ciphertext attack [26]. Here, the adversary has access to a decryption oracle that she/he can query to obtain the decryption of any ciphertext. Given a target ciphertext (different from those that were submitted to the decryption oracle), the adversary must not be able to extract any information about the corresponding plaintext. The attack is adaptive in the sense that the adversary is allowed to query the decryption oracle even after she/he obtained the target ciphertext (provided, of course, that this target ciphertext is not submitted to the decryption oracle). This notion is described in Algorithm 3. Denoting by $S$ the event that Algorithm 3 returns 1, the success of an adversary $A$ in breaking the CCA security (cca) of the public-key encryption scheme $\mathcal{S}$ is defined by
$$\mathrm{Succ}^{\mathrm{cca}}_{\mathcal{S}}(A) = \left|\Pr[S] - 1/2\right|.$$
In Algorithm 3 it is understood that the adversary is bounded in the number of oracle queries (i.e., the loop in the Oracle Queries function eventually ends). In other words, when studying the security of a particular scheme, there will be some explicit bound on this number of queries, on which the final security bound will depend.

    (pk, sk) ← K(1^k)                                  /* Global Vars */
    r ← R, view ← {r, pk}
    Oracle Queries(A, view, ⊥)
    (m_0, m_1) ← A(view)
    (y*, bit) ← Encryption Oracle(m_0, m_1), view ← view ∪ {y*}
    Oracle Queries(A, view, y*)
    bit' ← A(view)
    if bit' = bit then return 1 else return 0

    function Oracle Queries(A, view, y*)
        loop
            y ← A(view) such that y ≠ y*
            m ← Decryption Oracle(y), view ← view ∪ {m}

    function Decryption Oracle(y)
        m ← f^{-1}_sk(y), return m

    function Encryption Oracle(m_0, m_1)
        bit ← {0, 1}, m* ← m_bit, y* ← f_pk(m*), return (y*, bit)

Algorithm 3: CCA security of a public-key encryption scheme.

Other Security Notions. For an in-depth study of the relations between the different security criteria for public-key encryption schemes, we refer to [1].

6 Security of Digital Signature Schemes

The aim of a digital signature scheme is to allow Alice to sign any document with her private key, the correctness of this signature being verifiable by anybody using Alice's public key. Intuitively, it should be impossible to forge a signature, i.e., without the knowledge of Alice's private key, it should not be possible to sign messages on her behalf. A digital signature scheme is a triplet $(\mathcal{K}, \mathrm{sig}, \mathrm{ver})$ where:

- $\mathcal{K}$ is a key generation algorithm, which on input $1^k$ (where $k$ is the security parameter) outputs a pair $(pk, sk)$ of matching public and private keys. The algorithm is probabilistic.
- $\mathrm{sig}$ is the signing algorithm that, given a message $m$ and the secret key $sk$, outputs a signature $\sigma = \mathrm{sig}_{sk}(m)$ of the message $m$. The algorithm may be probabilistic.
- $\mathrm{ver}$ is the verification algorithm that, given a message $m$, a signature $\sigma$, and the public key $pk$, checks whether the signature is valid (in that case $\mathrm{ver}_{pk}(m, \sigma)$ returns 1) or not (in that case $\mathrm{ver}_{pk}(m, \sigma)$ returns 0). This algorithm is deterministic.

For any valid public/private key pair $(pk, sk)$, any message $m$, and any signature $\sigma = \mathrm{sig}_{sk}(m)$, it should always hold that $\mathrm{ver}_{pk}(m, \sigma) = 1$. Moreover, it should be impossible for an adversary to compute a valid signature on Alice's behalf without the knowledge of her private key. Several kinds of adversaries can be considered, with different goals. In these notes we will only consider one kind of security notion, namely existential unforgeability (euf) under chosen-message attack (cma) [14], defined by Algorithm 4.

    (pk, sk) ← K(1^k)                                  /* Global Vars */
    r ← R, view ← {r, pk}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    return ver_pk(m*, σ*)                              /* returns 1 if the signature is valid, 0 otherwise */

    function Oracle Queries(A, view)
        loop
            m ← A(view), σ ← Signing Oracle(m), view ← view ∪ {σ}

    function Signing Oracle(m)
        σ ← sig_sk(m), return σ

Algorithm 4: Existential unforgeability (euf) against chosen-message attack (cma) of a digital signature scheme.

Denoting by $S$ the event that Algorithm 4 returns 1, the success of an adversary $A$ in forging a valid message/signature pair (euf) under a chosen-message attack against the digital signature scheme $\mathcal{S}$ is
$$\mathrm{Succ}^{\mathrm{euf}}_{\mathcal{S}}(A) = \Pr[S].$$
In Algorithm 4 it is understood that $m^*$ should not have been queried to the signing oracle (a stronger security notion, which these notes call non-malleability, only requires that the signature $\sigma^*$ itself was not obtained from the signing oracle), and that the number of signing queries of the adversary is upper bounded. The security bound on the success of a particular adversary will depend on this bound.

7 ElGamal Encryption

We show in this section that the ElGamal public-key encryption scheme is semantically secure under the decisional Diffie-Hellman (DDH) assumption. In this section, $G$ is a cyclic group of prime order $q$, and $\gamma$ is an arbitrary generator of $G$.

7.1 Preliminaries

The Decisional Diffie-Hellman (DDH) assumption. Let $D$ be a distinguishing algorithm that takes a triplet of elements of $G$ as input and outputs a bit. The DDH advantage of $D$ is defined by
$$\mathrm{DDHAdv}(D) = \left|\Pr_{x,y}[D(\gamma^x, \gamma^y, \gamma^{xy}) = 1] - \Pr_{x,y,z}[D(\gamma^x, \gamma^y, \gamma^z) = 1]\right|,$$
where $x, y, z$ are uniformly random elements of $\mathbb{Z}_q$. The DDH assumption (for $G$) is the assumption that $\mathrm{DDHAdv}(D)$ is negligible for any efficient $D$.

The ElGamal public-key encryption scheme. The key generation algorithm computes the public/private key pair as follows:
$$x \leftarrow \mathbb{Z}_q,\quad \alpha \leftarrow \gamma^x,\quad pk \leftarrow \alpha,\quad sk \leftarrow x.$$
Given a message $m \in G$, the encryption algorithm computes the ciphertext $c$ as follows:
$$y \leftarrow \mathbb{Z}_q,\quad \beta \leftarrow \gamma^y,\quad \delta \leftarrow \alpha^y,\quad \chi \leftarrow \delta \cdot m,\quad c \leftarrow (\beta, \chi).$$
Given a ciphertext $c = (\beta, \chi) \in G^2$, the decryption algorithm recovers the plaintext $m$ as follows:
$$m \leftarrow \chi / \beta^x.$$
The decryption undoes the encryption, as
$$\chi / \beta^x = (\delta \cdot m)/(\gamma^y)^x = (\alpha^y \cdot m)/\gamma^{xy} = ((\gamma^x)^y \cdot m)/\gamma^{xy} = (\gamma^{xy} \cdot m)/\gamma^{xy} = m.$$
Finally, note that the security parameter corresponds to the bit-length of the group order $q$.

7.2 Security Proof

Game 0: This game corresponds to the definition of an adversary $A$ against the semantic security of the ElGamal encryption scheme.

    x ← Z_q, α ← γ^x, pk ← α, sk ← x
    r ← R, view ← {r, pk}
    (m_0, m_1) ← A(view)
    b ← {0, 1}, y ← Z_q, β ← γ^y, δ ← α^y, χ ← δ · m_b, c ← (β, χ), view ← view ∪ {c}
    b' ← A(view)
    if b' = b then return 1 else return 0

Denoting by $S_0$ the event that Game 0 returns 1, we have
$$\mathrm{Succ}^{\mathrm{ss}}_{\mathrm{ElGamal}}(A) = \left|\Pr[S_0] - 1/2\right|. \qquad (2)$$

Game 1: [Transition based on indistinguishability.] Instead of computing $\delta$ as $\alpha^y = \gamma^{xy}$, we now compute it as $\gamma^z$, where $z$ is sampled uniformly from $\mathbb{Z}_q$.

    x ← Z_q, α ← γ^x, pk ← α, sk ← x
    r ← R, view ← {r, pk}
    (m_0, m_1) ← A(view)
    b ← {0, 1}, y ← Z_q, β ← γ^y, z ← Z_q, δ ← γ^z, χ ← δ · m_b, c ← (β, χ), view ← view ∪ {c}
    b' ← A(view)
    if b' = b then return 1 else return 0

Denoting by $S_1$ the event that Game 1 returns 1, we claim that
$$\left|\Pr[S_1] - \Pr[S_0]\right| = \mathrm{DDHAdv}(D) \qquad (3)$$
for some distinguishing algorithm $D$. To prove this claim, let us first define $D$ as follows:

    Distinguisher D(α, β, δ)
        pk ← α
        r ← R, view ← {r, pk}
        (m_0, m_1) ← A(view)
        b ← {0, 1}, χ ← δ · m_b, c ← (β, χ), view ← view ∪ {c}
        b' ← A(view)
        if b' = b then return 1 else return 0

If the input of the previous algorithm is of the form $(\gamma^x, \gamma^y, \gamma^{xy})$, then the computation proceeds just as in Game 0, so that $\Pr[D(\gamma^x, \gamma^y, \gamma^{xy}) = 1] = \Pr[S_0]$. If the input is of the form $(\gamma^x, \gamma^y, \gamma^z)$, then the computation proceeds just as in Game 1, so that $\Pr[D(\gamma^x, \gamma^y, \gamma^z) = 1] = \Pr[S_1]$. Based on the adversary $A$, we thus obtained the description of a distinguisher $D$ against the DDH assumption such that $|\Pr[S_1] - \Pr[S_0]| = \mathrm{DDHAdv}(D)$. Moreover, it is easy to see that $\Pr[S_1] = 1/2$: we first note that (in Game 1) $b$, $r$, $pk$, $\beta$, $\delta$ are uniformly distributed random variables that are mutually independent, and thus so are $b$, $r$, $pk$, $\beta$, $\chi$ (the argument is identical to the one that shows that the distribution of a ciphertext produced by the one-time pad is uniform, regardless of the plaintext distribution: $\delta$ is uniform in $G$ and independent of $m_b$, so $\chi = \delta \cdot m_b$ is uniform in $G$ and independent of $b$). Consequently $b$ and $b' \leftarrow A(view)$ are mutually independent, so that $\Pr[S_1] = 1/2$.

From this, and from equations (2) and (3), we conclude that
$$\mathrm{Succ}^{\mathrm{ss}}_{\mathrm{ElGamal}}(A) = \left|\Pr[S_0] - \Pr[S_1]\right| = \mathrm{DDHAdv}(D)$$
for some distinguisher $D$ (which runs in essentially the same time as $A$), which is negligible under the DDH assumption. This completes the proof.
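Worked example (added to these notes, not part of the original text): the ElGamal scheme, Game 0, and the distinguisher $D$ of the proof, written out in Python over constructed toy parameters. It also shows why Section 7 insists on a group of prime order: the same adversary is run once in the full group $\mathbb{Z}_p^*$ (order $p-1 = 2q$, not prime) and once in its prime-order subgroup of quadratic residues. In $\mathbb{Z}_p^*$ the Legendre symbol leaks the bit $b$, so $A$ wins Game 0 every time and $D$ has DDH advantage about $1/2$ (DDH is simply false there); in the subgroup every element is a residue and the same $A$ is reduced to guessing. The prime $p = 1019$ and the generators are my choices for the example; the scheme and the adversary/distinguisher structure are those of Sections 7.1 and 7.2.

```python
import random

# Constructed toy parameters (not from the notes; far too small for real use).
# p = 1019 is a safe prime, p = 2q + 1 with q = 509 prime. Since p = 3 (mod 8),
# 2 is a quadratic non-residue and therefore generates the whole group Z_p^*,
# whose order p - 1 = 2q is NOT prime. 4 = 2^2 generates the subgroup of
# quadratic residues, which has prime order q: the setting the notes require.
P = 1019
Q = 509
FULL_GROUP = {"p": P, "order": P - 1, "gen": 2}     # insecure instantiation
PRIME_ORDER_GROUP = {"p": P, "order": Q, "gen": 4}  # what Section 7 assumes


def legendre(a, p):
    """Euler's criterion: 1 if a is a quadratic residue mod p, p - 1 (i.e. -1) if not."""
    return pow(a, (p - 1) // 2, p)


def keygen(G, rng):
    """x <- Z_q, alpha <- gamma^x; returns (pk, sk) = (alpha, x)."""
    x = rng.randrange(1, G["order"])
    return pow(G["gen"], x, G["p"]), x


def encrypt(G, alpha, m, rng):
    """y <- Z_q, beta <- gamma^y, delta <- alpha^y, chi <- delta * m; c = (beta, chi)."""
    y = rng.randrange(1, G["order"])
    beta = pow(G["gen"], y, G["p"])
    delta = pow(alpha, y, G["p"])
    return beta, (delta * m) % G["p"]


def decrypt(G, x, c):
    """m <- chi / beta^x (pow with a negative exponent needs Python 3.8+)."""
    beta, chi = c
    return (chi * pow(beta, -x, G["p"])) % G["p"]


def choose_messages(G):
    """The adversary's (m_0, m_1). m_0 = 4 is a residue in both settings; in Z_p^*
    it can also pick the non-residue m_1 = 2, but in the prime-order subgroup
    every element is a residue, so the best it can do there is m_1 = 16."""
    return (4, 2) if G["order"] == P - 1 else (4, 16)


def legendre_guess(G, alpha, c, m0, m1):
    """A's guess b' from view = (pk, c). With gamma a non-residue, L(alpha) = (-1)^x and
    L(beta) = (-1)^y, so L(delta) = L(alpha^y) = (-1)^(xy) is -1 exactly when both
    alpha and beta are non-residues; then L(m_b) = L(chi) * L(delta) leaks b."""
    p = G["p"]
    beta, chi = c
    both_nonresidues = legendre(alpha, p) != 1 and legendre(beta, p) != 1
    l_delta = p - 1 if both_nonresidues else 1
    l_mb = (legendre(chi, p) * l_delta) % p
    return 0 if l_mb == legendre(m0, p) else 1


def game0_success(G, trials, seed=1):
    """Empirical Pr[S_0] of the semantic-security game (Game 0 of Section 7.2)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        alpha, x = keygen(G, rng)
        m0, m1 = choose_messages(G)
        b = rng.randrange(2)
        c = encrypt(G, alpha, (m0, m1)[b], rng)
        assert decrypt(G, x, c) == (m0, m1)[b]      # correctness of the scheme
        wins += legendre_guess(G, alpha, c, m0, m1) == b
    return wins / trials


def distinguisher(G, alpha, beta, delta, rng):
    """D(alpha, beta, delta) from the proof: build the ciphertext from the triple,
    run A, output 1 iff A guesses b."""
    m0, m1 = choose_messages(G)
    b = rng.randrange(2)
    c = (beta, (delta * (m0, m1)[b]) % G["p"])
    return 1 if legendre_guess(G, alpha, c, m0, m1) == b else 0


def ddh_advantage(G, trials, seed=2):
    """Empirical DDHAdv(D): D on real triples (gamma^x, gamma^y, gamma^xy), i.e. Game 0,
    minus D on random triples (gamma^x, gamma^y, gamma^z), i.e. Game 1."""
    rng = random.Random(seed)
    p, g, order = G["p"], G["gen"], G["order"]
    real = rand = 0
    for _ in range(trials):
        x, y, z = (rng.randrange(1, order) for _ in range(3))
        alpha, beta = pow(g, x, p), pow(g, y, p)
        real += distinguisher(G, alpha, beta, pow(g, x * y, p), rng)
        rand += distinguisher(G, alpha, beta, pow(g, z, p), rng)
    return abs(real - rand) / trials
```

Running `game0_success` and `ddh_advantage` on both groups reproduces equation (3) numerically: in `FULL_GROUP` the adversary's success is 1 and $D$'s advantage is about $1/2$, in `PRIME_ORDER_GROUP` both collapse to the trivial $1/2$ and $0$. The practical lesson is the one the notes state in passing: implementations must encode messages into the prime-order subgroup (or hash the shared secret), not into $\mathbb{Z}_p^*$.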

8 Random Function vs. Random Permutation

In the ideal cipher model [2], block ciphers are replaced by random permutations. In certain circumstances, it is easier to study the security of a cryptographic scheme by replacing the random permutations by random functions. The RF/RP-Lemma allows one to evaluate in which cases such a switch is acceptable, by computing the advantage of an adversary trying to distinguish between a random permutation and a random function of the same (co)domain.

8.1 Preliminaries

We denote by $\Gamma_l$ the set of all functions from $\{0,1\}^l$ to $\{0,1\}^l$ and by $\Pi_l$ the set of all permutations on $\{0,1\}^l$. We consider an adversary $A$ who is given black-box (oracle) access either to a uniformly distributed random function $F \in \Gamma_l$ or to a uniformly distributed random permutation $P \in \Pi_l$. We respectively denote this adversary $A^F$ and $A^P$. The RF/RP-advantage of this adversary is defined by
$$\left|\Pr_F[A^F = 1] - \Pr_P[A^P = 1]\right|.$$
We will show that the advantage of an adversary that makes at most $q$ queries to the black box is bounded by $q^2/2^{l+1}$. Without loss of generality, we assume that the adversary makes exactly $q$ queries and that all of them are distinct (a duplicate query would be useless, as it would not provide any additional information that the adversary does not already have).

8.2 Security Proof

Game 0: This game represents the computations made by an adversary $A$ having black-box (oracle) access to a random permutation $P \in \Pi_l$.

    P ← Π_l                                            /* Global Var */
    r ← R, view ← {r}
    for i = 1, ..., q do
        x_i ← A(view), y_i ← Oracle(x_i), view ← view ∪ {y_i}
    bit ← A(view), return bit

    function Oracle(x)
        y ← P(x)
        return y

Denoting by $S_0$ the event that the previous algorithm returns 1, we have
$$\Pr_P[A^P = 1] = \Pr[S_0]. \qquad (4)$$

Game 1: [Bridging Step.] We now introduce a technique that will be used over and over in the rest of these notes. We replace the random permutation by a table that grows while the adversary makes queries to the oracle. The table, initially empty, keeps track of the input/output values of the simulated permutation. Given an input value $x$ on which the oracle has not been queried yet, a random value is chosen for $y$, the pair $(x, y)$ is inserted in the table, and $y$ is returned. If the input value $x$ matches some entry in the table, the corresponding $y$ is returned. This would perfectly simulate a random function. As we are dealing with a random permutation, we should also make sure that two distinct queries receive two distinct answers. This is described more formally in Game 1 (recall that we assumed that the adversary never makes the same query twice, so that we do not actually need to keep track of $x$ in the list here). This technique is sometimes called lazy sampling.

    List ← ∅                                           /* Global Var */
    r ← R, view ← {r}
    for i = 1, ..., q do
        x_i ← A(view), y_i ← Oracle(x_i), view ← view ∪ {y_i}
    bit ← A(view), return bit

    function Oracle(x)
        Y ← {0,1}^l
        if Y ∈ List then y ← {0,1}^l \ List else y ← Y
        List ← List ∪ {y}
        return y

It should be clear that this change is purely conceptual and does not change anything from the point of view of the adversary. Consequently, denoting by $S_1$ the event that Game 1 returns 1,
$$\Pr[S_1] = \Pr[S_0]. \qquad (5)$$

Game 2: [Transition based on a failure event.] We now drop the consistency check in the simulation of the random permutation, so that it actually becomes a simulation of a random function.

    List ← ∅                                           /* Global Var */
    r ← R, view ← {r}
    for i = 1, ..., q do
        x_i ← A(view), y_i ← Oracle(x_i), view ← view ∪ {y_i}
    bit ← A(view), return bit

    function Oracle(x)
        Y ← {0,1}^l
        y ← Y
        List ← List ∪ {y}
        return y

Letting $S_2$ be the event that Game 2 returns 1, we have
$$\Pr[S_2] = \Pr_F[A^F = 1], \qquad (6)$$
where $F \in \Gamma_l$ is a random function. Let $F$ be the event that $Y \in \mathrm{List}$ at least once during the execution of Game 1. It is obvious that Game 1 and Game 2 proceed identically unless the event $F$ occurs. By the Difference Lemma,
$$\left|\Pr[S_2] - \Pr[S_1]\right| \le \Pr[F]. \qquad (7)$$
We denote by $Y_i$ the value sampled by Oracle to answer the $i$th query in Game 1. Let $\{y_1, y_2, \dots, y_q\}$ be a list of $q$ distinct elements of $\{0,1\}^l$ and let $Y \in \{0,1\}^l$ be a uniformly distributed random variable. We have
$$\begin{aligned}
\Pr[F] &= \Pr\left[Y_2 \in \{Y_1\} \vee Y_3 \in \{Y_1, Y_2\} \vee \dots \vee Y_q \in \{Y_1, \dots, Y_{q-1}\}\right] \\
&\le \Pr[Y_2 \in \{Y_1\}] + \Pr[Y_3 \in \{Y_1, Y_2\}] + \dots + \Pr[Y_q \in \{Y_1, \dots, Y_{q-1}\}] \\
&\le \Pr_Y[Y \in \{y_1\}] + \Pr_Y[Y \in \{y_1, y_2\}] + \dots + \Pr_Y[Y \in \{y_1, y_2, \dots, y_{q-1}\}] \\
&= \frac{1}{2^l} + \frac{2}{2^l} + \dots + \frac{q-1}{2^l} = \frac{q(q-1)}{2^{l+1}} \le \frac{q^2}{2^{l+1}}.
\end{aligned}$$
The first inequality comes from the union bound, the second from the fact that each $Y_i$ is uniform and independent of $Y_1, \dots, Y_{i-1}$, so that $\Pr[Y_i \in \{Y_1, \dots, Y_{i-1}\}] \le \Pr[Y_i \in \{y_1, \dots, y_{i-1}\}] = (i-1)/2^l$: the $y_1, \dots, y_{i-1}$ are distinct values (which might not be the case for the $Y_i$'s), and a set of at most $i-1$ values is hit by a uniform $Y_i$ with probability at most $(i-1)/2^l$. From this bound and from equations (4), (5), (6), and (7) we deduce the announced result.
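Worked example (added to these notes, not part of the original text): the lazy-sampling oracles of Games 1 and 2 in Python, an adversary whose RF/RP-advantage is exactly $\Pr[F]$ (it outputs 1 iff two answers collide, which a permutation never allows), the exact value of $\Pr[F]$, and the bound $q(q-1)/2^{l+1}$ of the proof. The class and function names are mine; the block size $l$ and the query count $q$ are whatever the caller passes.

```python
import random
from fractions import Fraction


class LazyRandomPermutation:
    """Game 1 oracle: a random permutation on {0,1}^l sampled lazily. Outputs already
    handed out are kept in `used` (List in the notes); a fresh sample that lands in the
    list is the failure event F and is resampled outside it. Inputs are ints in [0, 2^l)."""

    def __init__(self, l, rng=None, seed=0):
        self.l = l
        self.rng = rng if rng is not None else random.Random(seed)
        self.table = {}        # x -> y, keeps repeated queries consistent
        self.used = set()
        self.failures = 0      # how many times the event F occurred

    def query(self, x):
        if x in self.table:
            return self.table[x]
        y = self.rng.randrange(1 << self.l)
        if y in self.used:
            self.failures += 1
            while y in self.used:                   # y <- {0,1}^l \ List
                y = self.rng.randrange(1 << self.l)
        self.table[x] = y
        self.used.add(y)
        return y


class LazyRandomFunction:
    """Game 2 oracle: the same without the consistency check, i.e. a random function."""

    def __init__(self, l, rng=None, seed=0):
        self.l = l
        self.rng = rng if rng is not None else random.Random(seed)
        self.table = {}

    def query(self, x):
        if x not in self.table:
            self.table[x] = self.rng.randrange(1 << self.l)
        return self.table[x]


def collision_adversary(oracle, q):
    """A: asks q distinct inputs and outputs 1 iff two answers collide. Against a
    permutation it never outputs 1, so its RF/RP-advantage is exactly Pr[F]."""
    seen = set()
    for x in range(q):
        y = oracle.query(x)
        if y in seen:
            return 1
        seen.add(y)
    return 0


def failure_probability(q, l):
    """Exact Pr[F] for q queries: 1 - prod_{i<q} (1 - i/2^l) (the birthday bound)."""
    no_collision = Fraction(1)
    for i in range(q):
        no_collision *= Fraction((1 << l) - i, 1 << l)
    return 1 - no_collision


def rf_rp_bound(q, l):
    """The bound derived in Section 8: q(q-1)/2^(l+1) <= q^2/2^(l+1)."""
    return Fraction(q * (q - 1), 1 << (l + 1))


def estimate_advantage(q, l, trials, seed=0):
    """Empirical |Pr_F[A^F = 1] - Pr_P[A^P = 1]| of the collision adversary."""
    rng = random.Random(seed)
    ones_rp = sum(collision_adversary(LazyRandomPermutation(l, rng), q) for _ in range(trials))
    ones_rf = sum(collision_adversary(LazyRandomFunction(l, rng), q) for _ in range(trials))
    return abs(ones_rf - ones_rp) / trials
```

For $l = 8$ and $q = 16$ the exact $\Pr[F]$ is about $0.38$ while the bound gives $16 \cdot 15 / 512 \approx 0.47$; the union bound in the proof is loose but of the right order, and the collision adversary shows the bound cannot be improved beyond a constant factor.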

9 The Luby-Rackoff Construction

When studying the security of the Data Encryption Standard (DES) [21], Luby and Rackoff proved that a 3-round Feistel network (on which the DES is based) can generate a pseudo-random permutation out of three mutually independent random functions.

9.1 Preliminaries

A family $\mathcal{P} = \{P_k\}_{k \in K} \subseteq \Pi_l$ is said to be pseudo-random if it is hard to distinguish between a random instance of that family and a random instance of $\Pi_l$. More formally, let $A$ be an adversary who is given oracle access either to a random permutation $P_k$ of $\mathcal{P}$ or to a random permutation $P^*$ of $\Pi_l$. The PRP-advantage of $A$ is defined by
$$\left|\Pr[A^{P_k} = 1] - \Pr[A^{P^*} = 1]\right|.$$
The family $\mathcal{P}$ is said to be pseudo-random if any (efficient) adversary's PRP-advantage is negligible.

A Feistel scheme allows one to build a permutation from $r$ round functions. A three-round Feistel scheme based on the functions $f_1, f_2, f_3 \in \Gamma_l$ is a permutation in $\Pi_{2l}$, usually denoted $\Psi(f_1, f_2, f_3)$, and defined as follows. On input $(u, v) \in \{0,1\}^l \times \{0,1\}^l$, let
$$w \leftarrow u \oplus f_1(v),\qquad x \leftarrow v \oplus f_2(w),\qquad y \leftarrow w \oplus f_3(x);$$
the output is $(x, y) \in \{0,1\}^l \times \{0,1\}^l$. It is easy to see that $\Psi(f_1, f_2, f_3)$ is a permutation by checking that $\Psi(f_3, f_2, f_1)$ inverts it, up to swapping the two halves of its input and of its output: applying $\Psi(f_3, f_2, f_1)$ to $(y, x)$ yields $(v, u)$. The Luby-Rackoff construction consists in a three-round Feistel scheme with 3 mutually independent random functions. In the next section, we show that the family $\mathrm{LR} = \{\Psi(F, G, H) : F, G, H \in \Gamma_l\} \subseteq \Pi_{2l}$ is pseudo-random, provided that $2^{-l}$ is negligible. More precisely, we show that the PRP-advantage of any adversary $A$ who is given access to a random permutation $P \in \mathrm{LR}$ or to a random permutation $P^* \in \Pi_{2l}$ is bounded by $\frac{3}{2} q^2 2^{-l}$, where $q$ is the number of queries.

9.2 Security Proof

Game 0: This game represents the computation of an adversary $A$ who is given oracle access to a random Luby-Rackoff instance. As in Section 8.1, we assume that the adversary makes exactly $q$ encryption queries, and that all the queries are distinct from each other. In the following game, this translates into $(u_i, v_i) \neq (u_j, v_j)$ for $i \neq j$.

    F, G, H ← Γ_l                                      /* Global Vars */
    r ← R, view ← {r}
    for i = 1, ..., q do
        (u_i, v_i) ← A(view), (x_i, y_i) ← Oracle(u_i, v_i), view ← view ∪ {(x_i, y_i)}
    bit ← A(view), return bit

    function Oracle(u, v)
        w ← u ⊕ F(v)
        x ← v ⊕ G(w)
        y ← w ⊕ H(x)
        return (x, y)

Denoting by $S_0$ the event that Game 0 returns 1, we have
$$\Pr[S_0] = \Pr[A^P = 1], \qquad (8)$$
where $P$ is a random instance of the Luby-Rackoff construction.

Game 1: [Bridging Step.] In this game, we adopt the lazy-sampling technique for both random functions $G$ and $H$ (similarly to what we did in Game 1 of Section 8.2, except that we deal with a simpler case here, as we consider random functions).

    GList ← ∅, HList ← ∅, F ← Γ_l                       /* Global Vars */
    r ← R, view ← {r}
    for i = 1, ..., q do
        (u_i, v_i) ← A(view), (x_i, y_i) ← Oracle(u_i, v_i), view ← view ∪ {(x_i, y_i)}
    bit ← A(view), return bit

    function Oracle(u, v)
        w ← u ⊕ F(v)
        if (w, g) ∈ GList then x ← v ⊕ g
        else g ← {0,1}^l, GList ← GList ∪ {(w, g)}, x ← v ⊕ g
        if (x, h) ∈ HList then y ← w ⊕ h
        else h ← {0,1}^l, HList ← HList ∪ {(x, h)}, y ← w ⊕ h
        return (x, y)

To save some space in the algorithm, we do not explicitly write that searching for $(w, g) \in \mathrm{GList}$ or for $(x, h) \in \mathrm{HList}$ is respectively done for some $g$ and for some $h$. Denoting by $S_1$ the event that Game 1 returns 1, we have
$$\Pr[S_1] = \Pr[S_0]. \qquad (9)$$

Game 2: [Transition based on a failure event.] We eliminate the consistency checks in the encryption oracle. As we need neither GList nor HList in this case, we remove them from the game description to simplify it a little bit.

    F ← Γ_l                                            /* Global Var */
    r ← R, view ← {r}
    for i = 1, ..., q do
        (u_i, v_i) ← A(view), (x_i, y_i) ← Oracle(u_i, v_i), view ← view ∪ {(x_i, y_i)}
    bit ← A(view), return bit

    function Oracle(u, v)
        w ← u ⊕ F(v)
        g ← {0,1}^l, x ← v ⊕ g
        h ← {0,1}^l, y ← w ⊕ h
        return (x, y)

In this new game, the oracle simply outputs a fresh random value of $\{0,1\}^{2l}$ for each query. As we assumed that the $q$ queries of the adversary are distinct from each other, this means that the oracle behaves like a random function of $\Gamma_{2l}$. Denoting by $S_2$ the event that Game 2 returns 1, we thus have
$$\Pr[S_2] = \Pr[A^F = 1], \qquad (10)$$
where $F \in \Gamma_{2l}$ is a random function. We denote by $(u_1, v_1), \dots, (u_q, v_q)$ the $q$ queries made to the oracle, and similarly denote by $w_i, g_i, h_i, x_i, y_i$ the values corresponding to the query $(u_i, v_i)$. Let $F_1$ be the event that $w_i = w_j$ for some $i \neq j$ in Game 2. Let $F_2$ be the event that $x_i = x_j$ for some $i \neq j$ in Game 2. It is simple to see that Game 2 proceeds identically to Game 1 unless the event $F_1 \vee F_2$ occurs. By the Difference Lemma and the union bound, we have
$$\left|\Pr[S_2] - \Pr[S_1]\right| \le \Pr[F_1 \vee F_2] \le \Pr[F_1] + \Pr[F_2] \le \sum_{i < j}\left(\Pr[w_i = w_j] + \Pr[x_i = x_j]\right). \qquad (11)$$
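Worked example (added to these notes, not part of the original text): the Feistel scheme $\Psi$ of Section 9.1 with lazily sampled round functions, a check of the inversion identity with the swap of the halves made explicit, and an adversary that shows why the collisions on $w$ matter. With only two rounds the left output half is $w = u \oplus f_1(v)$ itself, so two queries sharing $v$ reveal $w_1 \oplus w_2 = u_1 \oplus u_2$ and the adversary wins with probability 1; with the third round the $w_i$ are hidden behind $G$ and the same test succeeds with probability $2^{-l}$, as for a random permutation. The half-block size $l = 32$ and all names are my choices for the example.

```python
import random

L = 32                  # half-block size l in bits (blocks are 2l = 64 bits)


def make_random_functions(count, rng=None, seed=0):
    """`count` mutually independent random functions of Gamma_l, lazily sampled:
    each is a closure over its own table (Game 1 of Section 9.2)."""
    rng = rng if rng is not None else random.Random(seed)
    funcs = []
    for _ in range(count):
        table = {}

        def f(v, table=table):
            if v not in table:
                table[v] = rng.randrange(1 << L)
            return table[v]

        funcs.append(f)
    return funcs


def feistel(round_functions, u, v):
    """Psi(f_1, ..., f_r) on (u, v): w <- u xor f_1(v), x <- v xor f_2(w), y <- w xor f_3(x), ...
    Returns the last two halves, i.e. (x, y) for three rounds as in the notes."""
    left, right = u, v
    for f in round_functions:
        left, right = right, left ^ f(right)
    return left, right


def feistel_inverse(round_functions, x, y):
    """Psi^{-1}(f_1, ..., f_r) = swap o Psi(f_r, ..., f_1) o swap: the identity of
    Section 9.1 with the swap of the halves made explicit."""
    b, a = feistel(list(reversed(round_functions)), y, x)
    return a, b


def two_query_adversary(oracle, rng):
    """Asks (u1, v) and (u2, v), u1 != u2, and outputs 1 iff the left output halves
    satisfy out1 xor out2 == u1 xor u2. For two rounds the left output half is
    w = u xor f_1(v), so this always holds; for three rounds or a random permutation
    it holds with probability 2^-l."""
    v = rng.randrange(1 << L)
    u1 = rng.randrange(1 << L)
    u2 = u1 ^ rng.randrange(1, 1 << L)       # distinct from u1 by construction
    (a1, _), (a2, _) = oracle(u1, v), oracle(u2, v)
    return 1 if a1 ^ a2 == u1 ^ u2 else 0


def attack_success_rate(rounds, trials, seed=0):
    """Fraction of fresh `rounds`-round Feistel instances on which the adversary outputs 1."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        rfs = make_random_functions(rounds, rng)
        hits += two_query_adversary(lambda u, v: feistel(rfs, u, v), rng)
    return hits / trials


def luby_rackoff_bound(q, l=L):
    """The PRP-advantage bound of Section 9: (3/2) q^2 2^-l."""
    return 1.5 * q * q / (1 << l)
```

The two-round attack is also the reason the proof needs $F_1$ at all: a collision $w_i = w_j$ in Game 2 is exactly the situation in which the adversary could hope to see structure in $x_i \oplus x_j$, and the proof pays $2^{-l}$ per pair for it.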

For any $i \neq j$ we have $\Pr[w_i = w_j] = \Pr[u_i \oplus F(v_i) = u_j \oplus F(v_j)]$. As we assumed that the adversary does not ask the same query twice, either $u_i \neq u_j$ and $v_i = v_j$, in which case $\Pr[u_i \oplus F(v_i) = u_j \oplus F(v_j)] = 0$, or $v_i \neq v_j$, in which case $F(v_i)$ and $F(v_j)$ are independent uniform values and $\Pr[u_i \oplus F(v_i) = u_j \oplus F(v_j)] = 2^{-l}$. Thus $\Pr[w_i = w_j] \le 2^{-l}$. For any $i \neq j$, we moreover have $\Pr[x_i = x_j] = \Pr[v_i \oplus g_i = v_j \oplus g_j] = 2^{-l}$, as $g_i, g_j$ are mutually independent uniform random variables. With this and from (11) we obtain
$$\left|\Pr[S_2] - \Pr[S_1]\right| \le \sum_{i<j} 2 \cdot 2^{-l} = q(q-1)\, 2^{-l} \le q^2\, 2^{-l}. \qquad (12)$$
From equations (8), (9), (10), (11), and (12), we deduce that
$$\left|\Pr[A^P = 1] - \Pr[A^F = 1]\right| \le q^2\, 2^{-l}.$$

Finalizing the proof using the RF/RP-Lemma: To conclude, we make use of the result of Section 8, applied on $\{0,1\}^{2l}$ (so that the RF/RP-advantage is bounded by $q^2/2^{2l+1} \le q^2/2^{l+1}$). The advantage of $A$ in distinguishing $P$ from $P^*$ is
$$\left|\Pr[A^P = 1] - \Pr[A^{P^*} = 1]\right| \le \left|\Pr[A^P = 1] - \Pr[A^F = 1]\right| + \left|\Pr[A^F = 1] - \Pr[A^{P^*} = 1]\right| \le q^2\, 2^{-l} + \frac{q^2}{2^{l+1}} = \frac{3}{2}\, q^2\, 2^{-l}.$$
This completes the proof.

10 Full-Domain Hash

The Full-Domain Hash (FDH) [3] is a provably secure signature scheme in the random oracle model. The first security proof was proposed by Bellare and Rogaway in [5] and was later improved by Coron in [9] (see Section 11 for Coron's proof).

10.1 Preliminaries

The Full Domain Hash (FDH) signature scheme is defined as follows. On input $1^k$ (where $k$ is the security parameter), the key generation algorithm computes RSA parameters $n = pq$, $e$, $d$ where $p, q$ are $k/2$-bit primes and where $ed \equiv 1 \pmod{\varphi(n)}$. It outputs $(pk, sk)$ where $pk = (n, e)$ and $sk = (n, d)$. Both the signing and the verifying algorithms have oracle access to a hash function $H : \{0,1\}^* \to \mathbb{Z}_n$. On input $m$, the signing algorithm outputs the signature $\sigma = H(m)^d \bmod n$. On input $(m, \sigma)$, the verifying algorithm outputs 1 if $\sigma^e \bmod n = H(m)$ and 0 otherwise.

Theorem 2. Let $A$ be an adversary performing a chosen-message attack against the Full Domain Hash in the random oracle model, with security parameter $k$. Let $q_s$ and $q_h$ denote the number of queries made by $A$ to the signing oracle and to the hash oracle respectively. Let $\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A)$ be the success probability of $A$ in producing an existential forgery in time $t$. Then there exists an adversary $A'$ that breaks the one-wayness of RSA with probability of success $\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A')$ in time $t'$, where
$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = \frac{1}{q_h}\, \mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A) \qquad\text{and}\qquad t' = t + q_h \cdot O(k^3).$$
A proof of this result is provided in Section 10.3.

10.2 Discussion

As noted by the authors themselves, the bound is not satisfactory. Indeed, whereas it is easy in practice to limit the number of signing queries, it is not possible to limit the number of hash queries. We should assume that $q_h \gg q_s$. If the adversary is allowed to ask, say, $q_h = 2^{60}$ hash queries (in practice, this corresponds to hashing $2^{60}$ times with SHA-1 [22] or MD5 [27]), and if the success probability of inverting RSA is $2^{-61}$, Theorem 2 only guarantees that the forging probability is at most $1/2$, which is too much. If we only had this security result available, we would have to increase the size of the security parameter $k$ to lower the

probability of inverting RSA. The drawback of this solution is that it would decrease the efficiency of the scheme.

At first sight, it might be surprising that the bound given in Theorem 2 does not depend on $q_s$. In fact, the original bound proposed in [5] does, as it shows how to construct an adversary $A'$ such that

$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = \frac{1}{q_h + q_s + 1} \, \mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A) \quad \text{and} \quad t' = t + (q_h + q_s + 1) \cdot O(k^3).$$

Therefore, our bound slightly improves on that of the original proof, but the gain is negligible. For the reasons mentioned in the previous paragraph, we should consider that $q_h \gg q_s$, so that both bounds are equivalent. Coron's proof [9] is a real improvement in the sense that it replaces the factor $q_h$ by $q_s$ in the bound on the success probability of $A'$ (see Section 11 for a full treatment of Coron's proof).

10.3 Proof of Theorem 2

Throughout this proof, we denote by $S_i$ the event that Game $i$ returns 1.

Game 0: This game exactly corresponds to the existential unforgeability (euf) game under chosen-message attack performed by an adversary $A$. In the game, we denote by $\mathcal{H}$ the set of all functions from $\{0,1\}^*$ to $\mathbb{Z}_n^*$. We have

$$\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A) = P[S_0]. \quad (13)$$

Note that the hash oracle is queried $q_h + q_s + 1$ times in total ($q_h$ times by the adversary, $q_s$ times by the signing oracle, and one last time at the end of the game).

    (n, e, d) ← RSA(1^k),  H ←_R 𝓗,  i, j ← 0                /* Global Vars */
    view ← {n, e}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    h* ← H(m*)
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        loop
            m_{i+j} ← A(view)
            do either
                if i < q_h then h_{i+j} ← Hash Oracle(m_{i+j}), view ← view ∪ {h_{i+j}}, i ← i + 1
            or
                if j < q_s then σ_{i+j} ← Signing Oracle(m_{i+j}), view ← view ∪ {σ_{i+j}}, j ← j + 1
        done

    function Hash Oracle(m)
        h ← H(m), return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), σ ← h^d mod n
        return σ

Game 1: [Bridging Step.] In this game, we adopt the lazy-sampling technique for the random function $H$. Note that searching for $(\cdot, m^*, \cdot, h^*) \in \mathrm{HList}$ is done for some $h^*$. We have

$$P[S_1] = P[S_0]. \quad (14)$$

    (n, e, d) ← RSA(1^k),  HList ← ∅,  i, j ← 0              /* Global Vars */
    view ← {n, e}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    if (·, m*, ·, h) ∈ HList then h* ← h else h* ←_R Z_n^*
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        loop
            m_{i+j} ← A(view)
            do either
                if i < q_h then h_{i+j} ← Hash Oracle(m_{i+j}), view ← view ∪ {h_{i+j}}, i ← i + 1
            or
                if j < q_s then σ_{i+j} ← Signing Oracle(m_{i+j}), view ← view ∪ {σ_{i+j}}, j ← j + 1
        done

    function Hash Oracle(m)
        if (·, m, ·, h) ∈ HList then return h
        else h ←_R Z_n^*, HList ← HList ∪ {(i + j, m, ⊥, h)}, return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), σ ← h^d mod n
        return σ

Game 2: [Bridging Step.]

    (n, e, d) ← RSA(1^k),  HList ← ∅,  i, j ← 0              /* Global Vars */
    view ← {n, e}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    if (·, m*, ·, h) ∈ HList then h* ← h else h* ←_R Z_n^*
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (·, m, ·, h) ∈ HList then return h
        else h ←_R Z_n^*, HList ← HList ∪ {(i, m, ⊥, h)}, return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), σ ← h^d mod n
        return σ

This game comes from two observations. The first is that we can assume without loss of generality that the adversary does not ask the same query twice to the signing oracle (as she/he would necessarily obtain the same answer twice). We can thus assume that the signing queries are distinct from each other.

The second observation is that if the adversary performs a signing query at a point $m$ that she/he never queries to the hash oracle during the game, then the signature $\sigma \in \mathbb{Z}_n^*$ is a uniformly distributed random variable independent from the rest of the game at any time, and in particular from the rest of view (as it is the encryption of a random bitstring that is never included in view). We can thus assume that the adversary never queries the signing oracle at a point she/he has not submitted to the hash oracle yet. Note that this implies that $q_h \ge q_s$. We have

$$P[S_2] = P[S_1]. \quad (15)$$

Game 3: Using a similar argument to the one of the previous game, if $m^*$ does not match any entry in the list (i.e., if the adversary did not query the hash oracle at the point $m^*$), then the success probability of the adversary is necessarily negligible, since the guess $\sigma^*$ is compared to a random value independent from the value of view at the end of the game. We can thus assume that there exists some index $1 \le c \le q_h$ such that $m^* = m_c$. In Game 3 we try to guess the value of $c$ (we denote the guess $\hat{c}$). If the guess is correct, Game 3 proceeds just as Game 2. If it is not, the game is aborted. As both games proceed identically unless $\hat{c} \ne c$ in Game 3, we have

$$P[S_3] = P[S_2 \wedge \hat{c} = c] = P[S_2] \cdot P[\hat{c} = c] = \frac{1}{q_h} \, P[S_2], \quad (16)$$

where the second equality comes from the fact that the events $S_2$ and $\hat{c} = c$ are independent (they concern two distinct games), and where the last equality comes from the fact that $\hat{c}$ is sampled uniformly at random.

    (n, e, d) ← RSA(1^k),  HList ← ∅,  i, j ← 0              /* Global Vars */
    view ← {n, e}
    ĉ ←_R {1, 2, ..., q_h}                                    /* Global Var */
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    Search for (c, m*, ·, h) ∈ HList for some c and h          /* We assumed that this entry exists */
    if ĉ ≠ c then abort else h* ← h
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (·, m, ·, h) ∈ HList then return h
        else h ←_R Z_n^*, HList ← HList ∪ {(i, m, ⊥, h)}, return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), σ ← h^d mod n
        return σ

Game 4: In this game we incorporate the challenge ciphertext $y$ (of the ow game) as follows: at the $\hat{c}$-th query to the hash oracle, we set the hash value to $y$, without querying the hash oracle.

    (n, e, d) ← RSA(1^k),  HList ← ∅,  i, j ← 0              /* Global Vars */
    view ← {n, e}
    ĉ ←_R {1, 2, ..., q_h},  y ←_R Z_n^*                       /* Global Vars */
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    Search for (c, m*, ·, h) ∈ HList for some c and h          /* We assumed that this entry exists */
    if ĉ ≠ c then abort else h* ← h
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            if i = ĉ then HList ← HList ∪ {(i, m_i, ⊥, y)}, view ← view ∪ {y}
            else h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (·, m, ·, h) ∈ HList then return h
        else h ←_R Z_n^*, HList ← HList ∪ {(i, m, ⊥, h)}, return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), σ ← h^d mod n
        return σ

Since we assumed that the adversary never asks the same hash query twice, this game performs just as the previous one from the point of view of the adversary (i.e., the respective distributions of view are identical). Consequently,

$$P[S_4] = P[S_3]. \quad (17)$$

Game 5: In this game, instead of generating a random value for each hash query, we generate random signatures that we encrypt (using the public key) to get equivalently distributed random hash values. Also note that we keep track of the plaintexts in the list. As the encryption is bijective, this makes no difference from the point of view of the adversary, and thus

$$P[S_5] = P[S_4]. \quad (18)$$

    (n, e, d) ← RSA(1^k),  HList ← ∅,  i, j ← 0              /* Global Vars */
    view ← {n, e}
    ĉ ←_R {1, 2, ..., q_h},  y ←_R Z_n^*                       /* Global Vars */
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    Search for (c, m*, ·, h) ∈ HList for some c and h          /* We assumed that this entry exists */
    if ĉ ≠ c then abort else h* ← h
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            if i = ĉ then HList ← HList ∪ {(i, m_i, ⊥, y)}, view ← view ∪ {y}
            else h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (·, m, ·, h) ∈ HList then return h
        else x ←_R Z_n^*, h ← x^e mod n, HList ← HList ∪ {(i, m, x, h)}, return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), σ ← h^d mod n
        return σ

Game 6: Since the preimage of each hash query (except the $\hat{c}$-th one) is known, we can simulate the signing oracle without the secret key. From the point of view of the adversary, this game is identical to the previous one:

$$P[S_6] = P[S_5]. \quad (19)$$

In Game 6, one can note that a valid forgery actually corresponds to a preimage of $y$. Moreover, running this game does not require access to the signing (decryption) oracle, as it can be simulated. Indeed, the secret key is never used during the game (except for the final verification step of course). This game thus provides a description of a valid adversary $A'$ that tries to break the one-wayness (ow) of the public key scheme. This adversary needs to perform $q_h$ RSA encryptions (with the public key). Consequently,

$$P[S_6] = \mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A'), \quad (20)$$

where $A'$ runs in time $t' = t + q_h \cdot O(k^3)$. From equations (13), (14), (15), (16), (17), (18), (19), and (20) we obtain

$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = \frac{1}{q_h} \, \mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A).$$

    (n, e, d) ← RSA(1^k),  HList ← ∅,  i, j ← 0              /* Global Vars */
    view ← {n, e}
    ĉ ←_R {1, 2, ..., q_h},  y ←_R Z_n^*                       /* Global Vars */
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    Search for (c, m*, ·, h) ∈ HList for some c and h          /* We assumed that this entry exists */
    if ĉ ≠ c then abort else h* ← h
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            if i = ĉ then HList ← HList ∪ {(i, m_i, ⊥, y)}, view ← view ∪ {y}
            else h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (·, m, ·, h) ∈ HList then return h
        else x ←_R Z_n^*, h ← x^e mod n, HList ← HList ∪ {(i, m, x, h)}, return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), Search for (·, ·, x, h) ∈ HList, σ ← x
        return σ

11 A Better Security Bound for the Full-Domain Hash

11.1 Preliminaries

In Section 10 we described the FDH signature scheme and proved its security. For the reasons detailed in Section 10.2 the bound was not satisfactory. In this section we introduce a new bound, proposed by Coron in [9].

Theorem 3. Let $A$ be an adversary performing a chosen-message attack against the Full Domain Hash in the random oracle model, with security parameter $k$. Let $q_s$ and $q_h$ denote the number of queries made by $A$ to the signing oracle and to the hash oracle respectively. Let $\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A)$ be the success probability of $A$ in producing an existential forgery in time $t$. Then there exists an adversary $A'$ that breaks the one-wayness of RSA with success probability $\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A')$ in time $t'$ where

$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = \frac{1}{q_s \cdot e} \, \mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A) \quad \text{and} \quad t' = t + q_h \cdot O(k^3).$$

11.2 Proof of Theorem 3

Games 0, 1, and 2 are almost the same in this proof as in the one of Theorem 2. The only difference is that the list HList contains elements that are different from those that were stored in the previous proof. The first two elements will naturally correspond to a message and to its image by $H$. The next two will be clarified in Game 3. These last two values are always set to $\bot$ in Games 0, 1, and 2.
Game 3: In the previous proof, the challenge ciphertext $y$ was introduced only once, at a specific index. Here, for each query, we introduce it with probability $p$ (that we will make precise later). With probability $1 - p$ we introduce a value with a known preimage. In both cases, the value returned by Hash Oracle is a uniformly distributed random value of $\mathbb{Z}_n^*$, just as in Game 2. Consequently,

$$P[S_3] = P[S_2]. \quad (21)$$

    (n, e, d) ← RSA(1^k),  HList ← ∅,  i, j ← 0,  y ←_R Z_n^*   /* Global Vars */
    view ← {n, e}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    if (m*, h, ·, ·) ∈ HList then h* ← h else h* ←_R Z_n^*
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (m, h, ·, ·) ∈ HList then return h
        else s ←_R Z_n^*,
             with probability p: h ← y · s^e and t ← 1, otherwise h ← s^e and t ← 0
             HList ← HList ∪ {(m, h, s, t)}, return h

    function Signing Oracle(m)
        h ← Hash Oracle(m), σ ← h^d mod n
        return σ

Game 4: We first note that if $m^*$ cannot be found in HList, then the advantage of the adversary is necessarily negligible, as her/his guess $\sigma^*$ is compared to a fresh random value. Consequently, we assume in this game that $m^*$ can always be found in the list. This will simplify the analysis of Game 5. Now the tricky part. For a proportion $1 - p$ of the signing queries, it is now possible to simulate the signing oracle without the knowledge of the secret key. Games 3 and 4 are identical unless Game 4 aborts (an event that we denote $F$), i.e., unless $t = 1$ for one of the $q_s$ signing oracle queries. As $t = 1$ with probability $p$ we have

$$P[S_4] = P[\neg F \wedge S_3] = P[\neg F] \cdot P[S_3] = (1 - p)^{q_s} \, P[S_3]. \quad (22)$$

    (n, e, d) ← RSA(1^k),  HList ← ∅,  i, j ← 0,  y ←_R Z_n^*   /* Global Vars */
    view ← {n, e}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    Search for (m*, h, ·, ·) ∈ HList and set h* ← h
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (m, h, ·, ·) ∈ HList then return h
        else s ←_R Z_n^*,
             with probability p: h ← y · s^e and t ← 1, otherwise h ← s^e and t ← 0
             HList ← HList ∪ {(m, h, s, t)}, return h

    function Signing Oracle(m)
        Search for (m, h, s, t) ∈ HList for some h, s, t.
        if t = 1 then abort else σ ← s
        return σ

Game 5: We add a last modification at the end of the game. If the last lookup returns a tuple such that $t = 0$, we abort the game (an event that we denote $F'$). As $t = 0$ with probability $1 - p$,

$$P[S_5] = P[\neg F' \wedge S_4] = P[\neg F'] \cdot P[S_4] = p \cdot P[S_4]. \quad (23)$$

In this last game, the simulation can be performed without the knowledge of the secret key (except for the last verification step of course). Note also that when Game 5 outputs one, it is easy to find the preimage $x$ of $y$, as in that case we have $\sigma^* = h^{*d}$ and $h^* = y \cdot s^e$, so that $x = y^d = h^{*d} / s^{ed} = \sigma^* / s$. This game thus provides a description of a valid adversary $A'$ that breaks the one-wayness (ow) of the public key scheme by use of $A$, so that we can write

$$P[S_5] = \mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A'). \quad (24)$$

This adversary performs $q_h$ encryptions (using the public key) and thus runs in time $t' = t + q_h \cdot O(k^3)$. From equations (13), (14), (15), (21), (22), (23), and (24), we obtain

$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = p \, (1 - p)^{q_s} \, \mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A).$$

The best success probability of adversary $A'$ is obtained by choosing $p = \frac{1}{1 + q_s}$, in which case we obtain

$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = \frac{1}{1 + q_s} \left(1 - \frac{1}{1 + q_s}\right)^{q_s} \mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A).$$

When $q_s$ is large, this can be approximated by

$$\mathrm{Succ}^{\mathrm{ow}}_{\mathrm{rsa}}(A') = \frac{1}{q_s \cdot e} \, \mathrm{Succ}^{\mathrm{euf}}_{\mathrm{fdh}}(A),$$

where $e = \exp(1)$.
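The FDH scheme of Section 10.1 together with the simulator of Games 3 to 5 above, as an added Python example that is not part of these notes: the hash oracle embeds the challenge y with probability p = 1/(1 + q_s), signing queries are answered from the stored preimage s without d, and a forgery on an embedded hash yields y^d = σ*/s. The toy Mersenne-prime RSA parameters, the injectable coin, and the names LazyHash, CoronSimulator, make_cheating_forger and run_reduction are this example's own assumptions.

```python
import secrets

# Toy RSA parameters, constructed for this example (two Mersenne primes); a
# real FDH instance generates k/2-bit primes as described in Section 10.1.
P_TOY, Q_TOY, E_TOY = (1 << 89) - 1, (1 << 127) - 1, 65537

def rsa_keygen():
    n = P_TOY * Q_TOY
    d = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))
    return (n, E_TOY), (n, d)           # pk = (n, e), sk = (n, d)

def rand_unit(n):
    """Uniform element of Z_n^* (a random nonzero residue fails to be a unit
    only with probability about 1/p + 1/q, negligible for this n)."""
    return secrets.randbelow(n - 1) + 1

class LazyHash:
    """The random oracle H : {0,1}^* -> Z_n^*, sampled lazily (HList of Game 1)."""

    def __init__(self, n):
        self.n, self.table = n, {}

    def __call__(self, m):
        if m not in self.table:
            self.table[m] = rand_unit(self.n)
        return self.table[m]

def fdh_sign(sk, H, m):
    n, d = sk
    return pow(H(m), d, n)              # sigma = H(m)^d mod n

def fdh_verify(pk, H, m, sigma):
    n, e = pk
    return pow(sigma, e, n) == H(m)     # accept iff sigma^e mod n = H(m)

class CoronSimulator:
    """The adversary A' of Theorem 3: it knows only pk = (n, e) and the
    challenge y, answers A's hash and signing queries as in Games 3-5 without
    d, and recovers y^d from a forgery on a message whose hash embeds y."""

    def __init__(self, pk, y, q_s, coin=None):
        self.n, self.e, self.y = pk[0], pk[1], y
        # coin() is 1 with the optimal probability p = 1/(1 + q_s); a fixed
        # coin can be injected to make a run deterministic.
        self.coin = coin or (lambda: int(secrets.randbelow(q_s + 1) == 0))
        self.hlist = {}                 # m -> (h, s, t): the tuples of HList

    def hash_oracle(self, m):
        if m not in self.hlist:
            s, t = rand_unit(self.n), self.coin()
            h = pow(s, self.e, self.n)              # t = 0: h = s^e, preimage s known
            if t == 1:
                h = (self.y * h) % self.n           # t = 1: h = y * s^e, preimage unknown
            self.hlist[m] = (h, s, t)
        return self.hlist[m][0]

    def signing_oracle(self, m):
        """Game 4: answer with s (s^e = h) or abort (event F) when t = 1."""
        self.hash_oracle(m)
        _, s, t = self.hlist[m]
        return None if t == 1 else s

    def extract(self, m_star, sigma_star):
        """Game 5: a valid forgery on a t = 1 message gives x = sigma*/s = y^d;
        abort (event F') when t = 0."""
        h = self.hash_oracle(m_star)
        _, s, t = self.hlist[m_star]
        if t == 0 or pow(sigma_star, self.e, self.n) != h:
            return None
        return (sigma_star * pow(s, -1, self.n)) % self.n

def make_cheating_forger(sk, queries, target):
    """Hypothetical stand-in for the black box A: it forges on `target` by
    using sk, which A' never sees; the reduction only needs a valid forgery."""
    n, d = sk

    def forger(hash_oracle, signing_oracle):
        for m in queries:                           # the q_s signing queries
            if signing_oracle(m) is None:
                return None                         # A' aborted
        return target, pow(hash_oracle(target), d, n)

    return forger

def run_reduction(pk, forger, q_s, coin=None):
    """Run A' against a forger; return (y, x) with x^e = y on success, else (y, None)."""
    n, e = pk
    y = pow(rand_unit(n), e, n)         # the one-wayness challenge
    sim = CoronSimulator(pk, y, q_s, coin)
    forgery = forger(sim.hash_oracle, sim.signing_oracle)
    return y, (None if forgery is None else sim.extract(*forgery))
```

With two signing queries and random coins, a run succeeds with probability p(1-p)^2 = 4/27, matching the bound p(1-p)^{q_s} above.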

    (n, e, d) ← RSA(1^k),  HList ← ∅,  i, j ← 0,  y ←_R Z_n^*   /* Global Vars */
    view ← {n, e}
    Oracle Queries(A, view)
    (m*, σ*) ← A(view)
    Search for (m*, h, s, t) ∈ HList, if t = 0 then abort else h* ← h
    if σ* = h*^d mod n then return 1 else return 0

    function Oracle Queries(A, view)
        for i = 1, ..., q_h do
            m_i ← A(view)
            h_i ← Hash Oracle(m_i), view ← view ∪ {h_i}
            if j < q_s then possibly do σ_i ← Signing Oracle(m_i), view ← view ∪ {σ_i}, j ← j + 1

    function Hash Oracle(m)
        if (m, h, ·, ·) ∈ HList then return h
        else s ←_R Z_n^*,
             with probability p: h ← y · s^e and t ← 1, otherwise h ← s^e and t ← 0
             HList ← HList ∪ {(m, h, s, t)}, return h

    function Signing Oracle(m)
        Search for (m, h, s, t) ∈ HList for some s, h, t.
        if t = 1 then abort else σ ← s
        return σ

12 OAEP+

OAEP is a public-key encryption scheme introduced by Bellare and Rogaway in [4]. Although very efficient, this scheme suffers from the fact that it is not provably secure against adaptive chosen ciphertext attacks. Shoup shows in [28, 29] that no proof is attainable for the general OAEP scheme by only assuming the one-wayness of the underlying trapdoor permutation, even in the random oracle model. Yet, he proves that when the underlying trapdoor permutation is RSA with a public exponent equal to 3, then the construction is secure (a result that is extended in [12] to any public exponent). To obtain a provably secure scheme under the one-wayness assumption of the underlying trapdoor permutation, Shoup introduces the OAEP+ public-key encryption scheme.

12.1 Preliminaries

OAEP+ is based on a one-way trapdoor permutation $f_{pk} : \{0,1\}^k \to \{0,1\}^k$, its inverse being $f^{-1}_{sk}$. Let $k_0$ and $k_1$ be two parameters that satisfy $k_0 + k_1 < k$ and such that $2^{-k_0}$ and $2^{-k_1}$ are negligible. The scheme encrypts messages $x \in \{0,1\}^n$ where $n = k - k_0 - k_1$. It makes use of three hash functions (that will be modeled in the proofs as random oracles):

$$G : \{0,1\}^{k_0} \to \{0,1\}^n, \qquad H' : \{0,1\}^{n+k_0} \to \{0,1\}^{k_1}, \qquad H : \{0,1\}^{n+k_1} \to \{0,1\}^{k_0}.$$

Key Generation: On input the security parameter, the key generation algorithm produces a public/private key pair $(pk, sk)$, defining the public permutation $f_{pk}$ and its inverse $f^{-1}_{sk}$.

Encryption: Given a plaintext $x \in \{0,1\}^n$, the encryption algorithm chooses $r \in_R \{0,1\}^{k_0}$ and computes

$$\begin{aligned}
s &\leftarrow (G(r) \oplus x) \,\|\, H'(r \,\|\, x) & (s \in \{0,1\}^{n+k_1}),\\
t &\leftarrow H(s) \oplus r & (t \in \{0,1\}^{k_0}),\\
w &\leftarrow s \,\|\, t & (w \in \{0,1\}^{k}),\\
y &\leftarrow f_{pk}(w) & (y \in \{0,1\}^{k}).
\end{aligned}$$

The ciphertext is $y$.

Decryption: On input $y \in \{0,1\}^k$, the decryption algorithm performs the following computations:

$$\begin{aligned}
w &\leftarrow f^{-1}_{sk}(y) & (w \in \{0,1\}^{k}),\\
s \,\|\, t &\leftarrow w & (s \in \{0,1\}^{n+k_1},\ t \in \{0,1\}^{k_0}),\\
r &\leftarrow H(s) \oplus t & (r \in \{0,1\}^{k_0}),\\
x &\leftarrow G(r) \oplus s[0 \ldots n-1] & (x \in \{0,1\}^{n}),\\
c &\leftarrow s[n \ldots n+k_1-1] & (c \in \{0,1\}^{k_1}).
\end{aligned}$$

If $c = H'(r \,\|\, x)$, the algorithm outputs the cleartext $x$; otherwise, the algorithm rejects the ciphertext and does not output a cleartext.

Theorem 4. If the underlying trapdoor permutation $f$ is one-way (ow), then OAEP+ is secure against adaptive chosen ciphertext attack in the random oracle model.

12.2 Proof of Theorem 4

Throughout this proof, $S_i$ always denotes the event that Game $i$ returns 1. Moreover we note that, during the decryption process, $H'$ is always queried at points of the form $r \,\|\, x$ where $x = G(r) \oplus s[0 \ldots n-1]$. Consequently, an efficient adversary would not query $H'$ at a point $r \,\|\, x$ without at least querying $G(r)$ first (otherwise, the probability that the $H'$ query makes any sense would be negligible). In the proof, we thus assume that whenever a query of the form $H'(r \,\|\, x)$ is made by the adversary $A$, then $A$ has previously made the query $G(r)$.

Game 0: This is the original attack game against the encryption scheme. It is represented on page 23. In this game we let $\mathcal{G} = \{g : \{0,1\}^{k_0} \to \{0,1\}^n\}$, $\mathcal{H}' = \{h' : \{0,1\}^{n+k_0} \to \{0,1\}^{k_1}\}$, and $\mathcal{H} = \{h : \{0,1\}^{n+k_1} \to \{0,1\}^{k_0}\}$. We have

$$\mathrm{Succ}^{\mathrm{cca}}_{\mathrm{oaep+}}(A) = |P[S_0] - 1/2|. \quad (25)$$

Game 0': We adopt the (by now) well known lazy-sampling technique. Obviously,

$$P[S_{0'}] = P[S_0]. \quad (26)$$
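The encryption and decryption computations above, as an added Python example that is not part of these notes or of Shoup's paper: f is instantiated with a toy RSA permutation on k-byte strings, G, H' and H with domain-separated SHAKE256 (the proofs model them as random oracles), and the byte-length parameters K, K0, K1, N_LEN are this example's own choices. The decryption path returns None whenever the tag c does not match H'(r‖x), which is what a tampered ciphertext triggers.

```python
import hashlib
import hmac
import secrets

# Toy trapdoor permutation: textbook RSA with two Mersenne primes, constructed
# for this example only (a real instance uses a properly generated modulus).
P_TOY, Q_TOY, E_TOY = (1 << 89) - 1, (1 << 127) - 1, 65537
N_TOY = P_TOY * Q_TOY
D_TOY = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))

# Byte-length parameters: K bytes fit below n, so every w in {0,1}^k is < n.
K = (N_TOY.bit_length() - 1) // 8      # k = 26 bytes for this toy modulus
K0, K1 = 8, 8                          # |r| and |c| in bytes (toy sizes)
N_LEN = K - K0 - K1                    # message length n = k - k0 - k1 = 10 bytes

def ro(label, data, outlen):
    """G, H', H instantiated as domain-separated SHAKE256 (one possible
    instantiation of the random oracles used in the proof)."""
    return hashlib.shake_256(label + data).digest(outlen)

def G(r):
    return ro(b"G", r, N_LEN)          # {0,1}^k0 -> {0,1}^n

def Hp(rx):
    return ro(b"H'", rx, K1)           # {0,1}^(n+k0) -> {0,1}^k1

def H(s):
    return ro(b"H", s, K0)             # {0,1}^(n+k1) -> {0,1}^k0

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def oaep_plus_encrypt(pk, x, r=None):
    """y = f_pk(s || t) with s = (G(r) xor x) || H'(r || x) and t = H(s) xor r."""
    n, e = pk
    if len(x) != N_LEN:
        raise ValueError("plaintext must be exactly n bytes")
    r = secrets.token_bytes(K0) if r is None else r
    s = xor(G(r), x) + Hp(r + x)       # n + k1 bytes
    t = xor(H(s), r)                   # k0 bytes
    w = s + t                          # k bytes
    return pow(int.from_bytes(w, "big"), e, n)

def oaep_plus_decrypt(sk, y):
    """Invert f, unpad, and return x only if the tag c = H'(r || x) verifies."""
    n, d = sk
    if not 0 <= y < n:
        return None
    try:
        w = pow(y, d, n).to_bytes(K, "big")
    except OverflowError:              # f^{-1}(y) is not a k-byte string
        return None
    s, t = w[:N_LEN + K1], w[N_LEN + K1:]
    r = xor(H(s), t)
    x = xor(G(r), s[:N_LEN])
    c = s[N_LEN:]
    # Constant-time tag comparison; on mismatch reject without releasing x.
    return x if hmac.compare_digest(c, Hp(r + x)) else None
```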


More information

Lecture 8 - Gauss s Law

Lecture 8 - Gauss s Law Lectue 8 - Gauss s Law A Puzzle... Example Calculate the potential enegy, pe ion, fo an infinite 1D ionic cystal with sepaation a; that is, a ow of equally spaced chages of magnitude e and altenating sign.

More information

Fractional Zero Forcing via Three-color Forcing Games

Fractional Zero Forcing via Three-color Forcing Games Factional Zeo Focing via Thee-colo Focing Games Leslie Hogben Kevin F. Palmowski David E. Robeson Michael Young May 13, 2015 Abstact An -fold analogue of the positive semidefinite zeo focing pocess that

More information

MATH 220: SECOND ORDER CONSTANT COEFFICIENT PDE. We consider second order constant coefficient scalar linear PDEs on R n. These have the form

MATH 220: SECOND ORDER CONSTANT COEFFICIENT PDE. We consider second order constant coefficient scalar linear PDEs on R n. These have the form MATH 220: SECOND ORDER CONSTANT COEFFICIENT PDE ANDRAS VASY We conside second ode constant coefficient scala linea PDEs on R n. These have the fom Lu = f L = a ij xi xj + b i xi + c i whee a ij b i and

More information

B. Spherical Wave Propagation

B. Spherical Wave Propagation 11/8/007 Spheical Wave Popagation notes 1/1 B. Spheical Wave Popagation Evey antenna launches a spheical wave, thus its powe density educes as a function of 1, whee is the distance fom the antenna. We

More information

Pearson s Chi-Square Test Modifications for Comparison of Unweighted and Weighted Histograms and Two Weighted Histograms

Pearson s Chi-Square Test Modifications for Comparison of Unweighted and Weighted Histograms and Two Weighted Histograms Peason s Chi-Squae Test Modifications fo Compaison of Unweighted and Weighted Histogams and Two Weighted Histogams Univesity of Akueyi, Bogi, v/noduslód, IS-6 Akueyi, Iceland E-mail: nikolai@unak.is Two

More information

A STUDY OF HAMMING CODES AS ERROR CORRECTING CODES

A STUDY OF HAMMING CODES AS ERROR CORRECTING CODES AGU Intenational Jounal of Science and Technology A STUDY OF HAMMING CODES AS ERROR CORRECTING CODES Ritu Ahuja Depatment of Mathematics Khalsa College fo Women, Civil Lines, Ludhiana-141001, Punjab, (India)

More information

Improved Factoring Attacks on Multi-Prime RSA with Small Prime Difference

Improved Factoring Attacks on Multi-Prime RSA with Small Prime Difference Impoved Factoing Attacks on Multi-Pime RSA with Small Pime Diffeence Mengce Zheng 1,2, Nobou Kunihio 2, and Honggang Hu 1 1 Univesity of Science and Technology of China, China mengce.zheng@gmail.com 2

More information

Overcoming Weak Expectations

Overcoming Weak Expectations Ovecoming Weak Expectations Yevgeniy Dodis Depatment of Compute Science New Yok Univesity Email: dodis@cs.nyu.edu (Invited Pape) Yu Yu Institute fo Intedisciplinay Infomation Sciences Tsinghua Univesity,

More information

Additive Approximation for Edge-Deletion Problems

Additive Approximation for Edge-Deletion Problems Additive Appoximation fo Edge-Deletion Poblems Noga Alon Asaf Shapia Benny Sudakov Abstact A gaph popety is monotone if it is closed unde emoval of vetices and edges. In this pape we conside the following

More information

Multiple Criteria Secretary Problem: A New Approach

Multiple Criteria Secretary Problem: A New Approach J. Stat. Appl. Po. 3, o., 9-38 (04 9 Jounal of Statistics Applications & Pobability An Intenational Jounal http://dx.doi.og/0.785/jsap/0303 Multiple Citeia Secetay Poblem: A ew Appoach Alaka Padhye, and

More information

Deterministic vs Non-deterministic Graph Property Testing

Deterministic vs Non-deterministic Graph Property Testing Deteministic vs Non-deteministic Gaph Popety Testing Lio Gishboline Asaf Shapia Abstact A gaph popety P is said to be testable if one can check whethe a gaph is close o fa fom satisfying P using few andom

More information

Fixed Argument Pairing Inversion on Elliptic Curves

Fixed Argument Pairing Inversion on Elliptic Curves Fixed Agument Paiing Invesion on Elliptic Cuves Sungwook Kim and Jung Hee Cheon ISaC & Dept. of Mathematical Sciences Seoul National Univesity Seoul, Koea {avell7,jhcheon}@snu.ac.k Abstact. Let E be an

More information

On a quantity that is analogous to potential and a theorem that relates to it

On a quantity that is analogous to potential and a theorem that relates to it Su une quantité analogue au potential et su un théoème y elatif C R Acad Sci 7 (87) 34-39 On a quantity that is analogous to potential and a theoem that elates to it By R CLAUSIUS Tanslated by D H Delphenich

More information

Vanishing lines in generalized Adams spectral sequences are generic

Vanishing lines in generalized Adams spectral sequences are generic ISSN 364-0380 (on line) 465-3060 (pinted) 55 Geomety & Topology Volume 3 (999) 55 65 Published: 2 July 999 G G G G T T T G T T T G T G T GG TT G G G G GG T T T TT Vanishing lines in genealized Adams spectal

More information

EM Boundary Value Problems

EM Boundary Value Problems EM Bounday Value Poblems 10/ 9 11/ By Ilekta chistidi & Lee, Seung-Hyun A. Geneal Desciption : Maxwell Equations & Loentz Foce We want to find the equations of motion of chaged paticles. The way to do

More information

Brief summary of functional analysis APPM 5440 Fall 2014 Applied Analysis

Brief summary of functional analysis APPM 5440 Fall 2014 Applied Analysis Bief summay of functional analysis APPM 5440 Fall 014 Applied Analysis Stephen Becke, stephen.becke@coloado.edu Standad theoems. When necessay, I used Royden s and Keyzsig s books as a efeence. Vesion

More information

A generalization of the Bernstein polynomials

A generalization of the Bernstein polynomials A genealization of the Benstein polynomials Halil Ouç and Geoge M Phillips Mathematical Institute, Univesity of St Andews, Noth Haugh, St Andews, Fife KY16 9SS, Scotland Dedicated to Philip J Davis This

More information

Fall 2014 Randomized Algorithms Oct 8, Lecture 3

Fall 2014 Randomized Algorithms Oct 8, Lecture 3 Fall 204 Randomized Algoithms Oct 8, 204 Lectue 3 Pof. Fiedich Eisenband Scibes: Floian Tamè In this lectue we will be concened with linea pogamming, in paticula Clakson s Las Vegas algoithm []. The main

More information

Information Retrieval Advanced IR models. Luca Bondi

Information Retrieval Advanced IR models. Luca Bondi Advanced IR models Luca Bondi Advanced IR models 2 (LSI) Pobabilistic Latent Semantic Analysis (plsa) Vecto Space Model 3 Stating point: Vecto Space Model Documents and queies epesented as vectos in the

More information

A Multivariate Normal Law for Turing s Formulae

A Multivariate Normal Law for Turing s Formulae A Multivaiate Nomal Law fo Tuing s Fomulae Zhiyi Zhang Depatment of Mathematics and Statistics Univesity of Noth Caolina at Chalotte Chalotte, NC 28223 Abstact This pape establishes a sufficient condition

More information

Many Electron Atoms. Electrons can be put into approximate orbitals and the properties of the many electron systems can be catalogued

Many Electron Atoms. Electrons can be put into approximate orbitals and the properties of the many electron systems can be catalogued Many Electon Atoms The many body poblem cannot be solved analytically. We content ouselves with developing appoximate methods that can yield quite accuate esults (but usually equie a compute). The electons

More information

Conservative Averaging Method and its Application for One Heat Conduction Problem

Conservative Averaging Method and its Application for One Heat Conduction Problem Poceedings of the 4th WSEAS Int. Conf. on HEAT TRANSFER THERMAL ENGINEERING and ENVIRONMENT Elounda Geece August - 6 (pp6-) Consevative Aveaging Method and its Application fo One Heat Conduction Poblem

More information

On the integration of the equations of hydrodynamics

On the integration of the equations of hydrodynamics Uebe die Integation de hydodynamischen Gleichungen J f eine u angew Math 56 (859) -0 On the integation of the equations of hydodynamics (By A Clebsch at Calsuhe) Tanslated by D H Delphenich In a pevious

More information

CALCULATING THE NUMBER OF TWIN PRIMES WITH SPECIFIED DISTANCE BETWEEN THEM BASED ON THE SIMPLEST PROBABILISTIC MODEL

CALCULATING THE NUMBER OF TWIN PRIMES WITH SPECIFIED DISTANCE BETWEEN THEM BASED ON THE SIMPLEST PROBABILISTIC MODEL U.P.B. Sci. Bull. Seies A, Vol. 80, Iss.3, 018 ISSN 13-707 CALCULATING THE NUMBER OF TWIN PRIMES WITH SPECIFIED DISTANCE BETWEEN THEM BASED ON THE SIMPLEST PROBABILISTIC MODEL Sasengali ABDYMANAPOV 1,

More information

Syntactical content of nite approximations of partial algebras 1 Wiktor Bartol Inst. Matematyki, Uniw. Warszawski, Warszawa (Poland)

Syntactical content of nite approximations of partial algebras 1 Wiktor Bartol Inst. Matematyki, Uniw. Warszawski, Warszawa (Poland) Syntactical content of nite appoximations of patial algebas 1 Wikto Batol Inst. Matematyki, Uniw. Waszawski, 02-097 Waszawa (Poland) batol@mimuw.edu.pl Xavie Caicedo Dep. Matematicas, Univ. de los Andes,

More information

Central Coverage Bayes Prediction Intervals for the Generalized Pareto Distribution

Central Coverage Bayes Prediction Intervals for the Generalized Pareto Distribution Statistics Reseach Lettes Vol. Iss., Novembe Cental Coveage Bayes Pediction Intevals fo the Genealized Paeto Distibution Gyan Pakash Depatment of Community Medicine S. N. Medical College, Aga, U. P., India

More information

arxiv: v1 [math.co] 4 May 2017

arxiv: v1 [math.co] 4 May 2017 On The Numbe Of Unlabeled Bipatite Gaphs Abdullah Atmaca and A Yavuz Ouç axiv:7050800v [mathco] 4 May 207 Abstact This pape solves a poblem that was stated by M A Haison in 973 [] This poblem, that has

More information

Likelihood vs. Information in Aligning Biopolymer Sequences. UCSD Technical Report CS Timothy L. Bailey

Likelihood vs. Information in Aligning Biopolymer Sequences. UCSD Technical Report CS Timothy L. Bailey Likelihood vs. Infomation in Aligning Biopolyme Sequences UCSD Technical Repot CS93-318 Timothy L. Bailey Depatment of Compute Science and Engineeing Univesity of Califonia, San Diego 1 Febuay, 1993 ABSTRACT:

More information

q i i=1 p i ln p i Another measure, which proves a useful benchmark in our analysis, is the chi squared divergence of p, q, which is defined by

q i i=1 p i ln p i Another measure, which proves a useful benchmark in our analysis, is the chi squared divergence of p, q, which is defined by CSISZÁR f DIVERGENCE, OSTROWSKI S INEQUALITY AND MUTUAL INFORMATION S. S. DRAGOMIR, V. GLUŠČEVIĆ, AND C. E. M. PEARCE Abstact. The Ostowski integal inequality fo an absolutely continuous function is used

More information

Auchmuty High School Mathematics Department Advanced Higher Notes Teacher Version

Auchmuty High School Mathematics Department Advanced Higher Notes Teacher Version The Binomial Theoem Factoials Auchmuty High School Mathematics Depatment The calculations,, 6 etc. often appea in mathematics. They ae called factoials and have been given the notation n!. e.g. 6! 6!!!!!

More information

HOW TO TEACH THE FUNDAMENTALS OF INFORMATION SCIENCE, CODING, DECODING AND NUMBER SYSTEMS?

HOW TO TEACH THE FUNDAMENTALS OF INFORMATION SCIENCE, CODING, DECODING AND NUMBER SYSTEMS? 6th INTERNATIONAL MULTIDISCIPLINARY CONFERENCE HOW TO TEACH THE FUNDAMENTALS OF INFORMATION SCIENCE, CODING, DECODING AND NUMBER SYSTEMS? Cecília Sitkuné Göömbei College of Nyíegyháza Hungay Abstact: The

More information

A more efficient secure event signature protocol for massively multiplayer online games based on P2P Dapeng Li1, a, Liang Hu1,b, and JianFeng Chu1,c

A more efficient secure event signature protocol for massively multiplayer online games based on P2P Dapeng Li1, a, Liang Hu1,b, and JianFeng Chu1,c Intenational Foum on Mechanical, Contol and Automation (IFMCA 2016) A moe efficient secue event signatue potocol fo massively multiplaye online games based on P2P Dapeng Li1, a, Liang Hu1,b, and JianFeng

More information

Journal of Inequalities in Pure and Applied Mathematics

Journal of Inequalities in Pure and Applied Mathematics Jounal of Inequalities in Pue and Applied Mathematics COEFFICIENT INEQUALITY FOR A FUNCTION WHOSE DERIVATIVE HAS A POSITIVE REAL PART S. ABRAMOVICH, M. KLARIČIĆ BAKULA AND S. BANIĆ Depatment of Mathematics

More information

Functions Defined on Fuzzy Real Numbers According to Zadeh s Extension

Functions Defined on Fuzzy Real Numbers According to Zadeh s Extension Intenational Mathematical Foum, 3, 2008, no. 16, 763-776 Functions Defined on Fuzzy Real Numbes Accoding to Zadeh s Extension Oma A. AbuAaqob, Nabil T. Shawagfeh and Oma A. AbuGhneim 1 Mathematics Depatment,

More information

Classical Worm algorithms (WA)

Classical Worm algorithms (WA) Classical Wom algoithms (WA) WA was oiginally intoduced fo quantum statistical models by Pokof ev, Svistunov and Tupitsyn (997), and late genealized to classical models by Pokof ev and Svistunov (200).

More information

Relating Branching Program Size and. Formula Size over the Full Binary Basis. FB Informatik, LS II, Univ. Dortmund, Dortmund, Germany

Relating Branching Program Size and. Formula Size over the Full Binary Basis. FB Informatik, LS II, Univ. Dortmund, Dortmund, Germany Relating Banching Pogam Size and omula Size ove the ull Binay Basis Matin Saueho y Ingo Wegene y Ralph Wechne z y B Infomatik, LS II, Univ. Dotmund, 44 Dotmund, Gemany z ankfut, Gemany sauehof/wegene@ls.cs.uni-dotmund.de

More information

Chapter 5 Linear Equations: Basic Theory and Practice

Chapter 5 Linear Equations: Basic Theory and Practice Chapte 5 inea Equations: Basic Theoy and actice In this chapte and the next, we ae inteested in the linea algebaic equation AX = b, (5-1) whee A is an m n matix, X is an n 1 vecto to be solved fo, and

More information

Temporal-Difference Learning

Temporal-Difference Learning .997 Decision-Making in Lage-Scale Systems Mach 17 MIT, Sping 004 Handout #17 Lectue Note 13 1 Tempoal-Diffeence Leaning We now conside the poblem of computing an appopiate paamete, so that, given an appoximation

More information

Supplementary information Efficient Enumeration of Monocyclic Chemical Graphs with Given Path Frequencies

Supplementary information Efficient Enumeration of Monocyclic Chemical Graphs with Given Path Frequencies Supplementay infomation Efficient Enumeation of Monocyclic Chemical Gaphs with Given Path Fequencies Masaki Suzuki, Hioshi Nagamochi Gaduate School of Infomatics, Kyoto Univesity {m suzuki,nag}@amp.i.kyoto-u.ac.jp

More information

Identification of the degradation of railway ballast under a concrete sleeper

Identification of the degradation of railway ballast under a concrete sleeper Identification of the degadation of ailway ballast unde a concete sleepe Qin Hu 1) and Heung Fai Lam ) 1), ) Depatment of Civil and Achitectual Engineeing, City Univesity of Hong Kong, Hong Kong SAR, China.

More information

ON THE INVERSE SIGNED TOTAL DOMINATION NUMBER IN GRAPHS. D.A. Mojdeh and B. Samadi

ON THE INVERSE SIGNED TOTAL DOMINATION NUMBER IN GRAPHS. D.A. Mojdeh and B. Samadi Opuscula Math. 37, no. 3 (017), 447 456 http://dx.doi.og/10.7494/opmath.017.37.3.447 Opuscula Mathematica ON THE INVERSE SIGNED TOTAL DOMINATION NUMBER IN GRAPHS D.A. Mojdeh and B. Samadi Communicated

More information

arxiv: v1 [math.nt] 12 May 2017

arxiv: v1 [math.nt] 12 May 2017 SEQUENCES OF CONSECUTIVE HAPPY NUMBERS IN NEGATIVE BASES HELEN G. GRUNDMAN AND PAMELA E. HARRIS axiv:1705.04648v1 [math.nt] 12 May 2017 ABSTRACT. Fo b 2 and e 2, let S e,b : Z Z 0 be the function taking

More information

Chem 453/544 Fall /08/03. Exam #1 Solutions

Chem 453/544 Fall /08/03. Exam #1 Solutions Chem 453/544 Fall 3 /8/3 Exam # Solutions. ( points) Use the genealized compessibility diagam povided on the last page to estimate ove what ange of pessues A at oom tempeatue confoms to the ideal gas law

More information

On decompositions of complete multipartite graphs into the union of two even cycles

On decompositions of complete multipartite graphs into the union of two even cycles On decompositions of complete multipatite gaphs into the union of two even cycles A. Su, J. Buchanan, R. C. Bunge, S. I. El-Zanati, E. Pelttai, G. Rasmuson, E. Spaks, S. Tagais Depatment of Mathematics

More information

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Physics Department Physics 8.07: Electromagnetism II September 15, 2012 Prof. Alan Guth PROBLEM SET 2

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Physics Department Physics 8.07: Electromagnetism II September 15, 2012 Prof. Alan Guth PROBLEM SET 2 MASSACHUSETTS INSTITUTE OF TECHNOLOGY Physics Depatment Physics 8.07: Electomagnetism II Septembe 5, 202 Pof. Alan Guth PROBLEM SET 2 DUE DATE: Monday, Septembe 24, 202. Eithe hand it in at the lectue,

More information

Physics 2A Chapter 10 - Moment of Inertia Fall 2018

Physics 2A Chapter 10 - Moment of Inertia Fall 2018 Physics Chapte 0 - oment of netia Fall 08 The moment of inetia of a otating object is a measue of its otational inetia in the same way that the mass of an object is a measue of its inetia fo linea motion.

More information

Math 124B February 02, 2012

Math 124B February 02, 2012 Math 24B Febuay 02, 202 Vikto Gigoyan 8 Laplace s equation: popeties We have aleady encounteed Laplace s equation in the context of stationay heat conduction and wave phenomena. Recall that in two spatial

More information

ST 501 Course: Fundamentals of Statistical Inference I. Sujit K. Ghosh.

ST 501 Course: Fundamentals of Statistical Inference I. Sujit K. Ghosh. ST 501 Couse: Fundamentals of Statistical Infeence I Sujit K. Ghosh sujit.ghosh@ncsu.edu Pesented at: 2229 SAS Hall, Depatment of Statistics, NC State Univesity http://www.stat.ncsu.edu/people/ghosh/couses/st501/

More information

Quantum Fourier Transform

Quantum Fourier Transform Chapte 5 Quantum Fouie Tansfom Many poblems in physics and mathematics ae solved by tansfoming a poblem into some othe poblem with a known solution. Some notable examples ae Laplace tansfom, Legende tansfom,

More information

CSCE 478/878 Lecture 4: Experimental Design and Analysis. Stephen Scott. 3 Building a tree on the training set Introduction. Outline.

CSCE 478/878 Lecture 4: Experimental Design and Analysis. Stephen Scott. 3 Building a tree on the training set Introduction. Outline. In Homewok, you ae (supposedly) Choosing a data set 2 Extacting a test set of size > 3 3 Building a tee on the taining set 4 Testing on the test set 5 Repoting the accuacy (Adapted fom Ethem Alpaydin and

More information

f h = u, h g = v, we have u + v = f g. So, we wish

f h = u, h g = v, we have u + v = f g. So, we wish Answes to Homewok 4, Math 4111 (1) Pove that the following examples fom class ae indeed metic spaces. You only need to veify the tiangle inequality. (a) Let C be the set of continuous functions fom [0,

More information

PROBLEM SET #1 SOLUTIONS by Robert A. DiStasio Jr.

PROBLEM SET #1 SOLUTIONS by Robert A. DiStasio Jr. POBLM S # SOLUIONS by obet A. DiStasio J. Q. he Bon-Oppenheime appoximation is the standad way of appoximating the gound state of a molecula system. Wite down the conditions that detemine the tonic and

More information

Convergence Dynamics of Resource-Homogeneous Congestion Games: Technical Report

Convergence Dynamics of Resource-Homogeneous Congestion Games: Technical Report 1 Convegence Dynamics of Resouce-Homogeneous Congestion Games: Technical Repot Richad Southwell and Jianwei Huang Abstact Many esouce shaing scenaios can be modeled using congestion games A nice popety

More information

Anonymous return route information for onion based mix-nets

Anonymous return route information for onion based mix-nets Anonymous etun oute infomation fo onion based mix-nets ABSTRACT Yoshifumi Manabe NTT Communication Science Laboatoies NTT Copoation Atsugi Kanagawa 239-0198 Japan manabeyoshifumi@labnttcojp This pape poposes

More information

SMT 2013 Team Test Solutions February 2, 2013

SMT 2013 Team Test Solutions February 2, 2013 1 Let f 1 (n) be the numbe of divisos that n has, and define f k (n) = f 1 (f k 1 (n)) Compute the smallest intege k such that f k (013 013 ) = Answe: 4 Solution: We know that 013 013 = 3 013 11 013 61

More information