Optimal Asymmetric Encryption and Signature Paddings

[Published in John Ioannidis, Angelos Keromytis, Moti Yung, Eds., Applied Cryptography and Network Security 2005 – ACNS 2005, vol. 3531 of Lecture Notes in Computer Science, pp. 254–268, Springer-Verlag, 2005.]

Benoît Chevallier-Mames¹,², Duong Hieu Phan², and David Pointcheval²

¹ Gemplus, France – benoit.chevallier-mames@gemplus.com
² ENS, Paris, France – {david.pointcheval,duong.hieu.phan}@ens.fr

Abstract. Strong security notions often introduce strong constraints on the construction of cryptographic schemes: semantic security implies probabilistic encryption, while the resistance to existential forgeries requires redundancy in signature schemes. Some paddings have thus been designed in order to provide these minimal requirements to each of them, in order to achieve secure primitives. A few years ago, Coron et al. suggested the design of a common construction, a universal padding, which one could apply for both encryption and signature. As a consequence, such a padding has to introduce both randomness and redundancy, which does not lead to an optimal encryption nor an optimal signature. In this paper, we refine this notion of universal padding, in which a part can be either a random string in order to introduce randomness or a zero-constant string in order to introduce some redundancy. This helps us to build, with a unique padding, optimal encryption and optimal signature: first, in the random-permutation model, and then in the random-oracle model. In both cases, we study the concrete sizes of the parameters, for a specific security level: The former achieves an optimal bandwidth.

1 Introduction

When one deals with public-key encryption, chosen-ciphertext security [22] is by now the basic required security notion. Similarly, for signatures, resistance to existential forgeries against adaptive chosen-message attacks [10] is also the minimal requirement. But strong security is not enough, it has to be achieved in an efficient way, according to various criteria: time, bandwidth, but also size of the code. The first two above criteria are the most usual goals, and improvements are continuously proposed. When dealing with public-key cryptography, one can indeed note that fast paddings have been proposed for encryption [3, 19] and signature [4]. About the