How to Encrypt Properly with RSA

Transcription

1 RSA Laboatoies CyptoBytes. Volume 5, No. 1 Winte/Sping 2002, pages ow to Encypt Popely with RSA David Pointcheval Dépt d Infomatique, ENS CNRS, 45 ue d Ulm, Pais Cedex 05, Fance David.Pointcheval@ens.f URL: Abstact. In 1993, Bellae and Rogaway fomalized the concept of a andom oacle, impoted fom complexity theoy fo cyptogaphic puposes. This new tool allowed them to pesent seveal asymmetic encyption and signatue schemes that ae both efficient and povably secue (in the andom oacle model). The Optimal Asymmetic Encyption Padding (OAEP) is the most significant application of the andom oacle model to date. It gives an efficient RSA encyption scheme with a stong secuity guaantee (semantic secuity against chosen-ciphetext attacks). Afte Bleichenbache s devastating attack on RSA PKCS #1 v1.5 in 1998, RSA OAEP became the natual successo (RSA PKCS #1 v2.0) and thus a de facto intenational standad. Supisingly, Shoup ecently showed that the oiginal poof of secuity fo OAEP is incoect. Without a poof, RSA OAEP cannot be tusted to povide an adequate level of secuity. Luckily, shotly afte Shoup s discovey a fomal and complete poof was found in joint wok by the autho and othes that eaffimed the stong level of secuity povided by RSA OAEP. oweve, this new secuity poof still does not guaantee secuity fo key sizes used in pactice due to the inefficiency of the secuity eduction (the eduction to inveting RSA takes quadatic time). Recent altenatives to OAEP, such as OAEP +, SAEP +, and REACT, admit moe efficient poofs and thus povide adequate secuity fo key sizes used in pactice. 1 Asymmetic Encyption In 1978, Rivest, Shami, and Adleman poposed the fist candidate tapdoo pemutation [30]. A tapdoo pemutation pimitive is a function f that anyone can compute efficiently; howeve, inveting f is had unless we ae also given some tapdoo infomation. iven the tapdoo infomation, inveting f becomes easy. Naively, a tapdoo pemutation defines a simple public key encyption scheme: the desciption of f is the public key and the tapdoo is the secet key. Unfotunately, encyption in this naive public key system is deteministic and hence cannot be secue, as discussed below. Befoe we can claim that a cyptosystem is secue (o insecue) we must pecisely define what secuity actually means. The fomalization of secuity notions stated aound the time when RSA was poposed and took seveal yeas to convege (see [18] fo a suvey on this topic). Today, the accepted secuity equiement fo an encyption scheme is called semantic secuity against an adaptive chosen-ciphetext attack [29] o IND CCA fo shot. To undestand this concept we point out that secuity is always defined in tems of two paametes: (1) the attacke s capabilities, namely what the attacke can do duing the attack, and (2) the attacke s goals, namely what the attacke is tying to do. 1. Attacke s capabilities: The stongest attacke capability in the standad model is called adaptive chosen-ciphetext attack and is denoted by (CCA) [29]. This means that the advesay has the ability to decypt any ciphetext of his choice except fo some challenge ciphetext (imagine the attacke is able to exploit a decyption box that will decypt anything except fo some known challenge ciphetext). c RSA Secuity Inc

2 2 2. Attacke s goal: The standad secuity goal is called semantic secuity [19] (also known as indistinguishability of ciphetexts ), and is denoted by (IND). Roughly speaking, the attacke s goal is to deduce just one bit of infomation about the decyption of some given ciphetext. We say that a system is semantically secue if no efficient attacke can achieve this goal. We note that a deteministic encyption algoithm can neve give semantic secuity. An encyption scheme that is semantically secue unde an adaptive chosen-ciphetext attack is said to be IND CCA secue. IND CCA secuity implies that even with full access to the decyption oacle, the attacke is not able to deduce one bit of infomation about the decyption of a given challenge ciphetext. IND CCA may seem vey stong, but such attacks ae possible in some eal wold scenaios. In fact, CCAlike attacks have been used to beak pactical implementations, as we will see late. Futhemoe, semantic secuity is equied fo high confidentiality, namely when the message space is limited (such as yes o no, buy o sell ). As a consequence, IND CCA is accepted as the equied secuity level fo pactical encyption schemes. One can obtain many othe secuity notions by combining diffeent attacke goals with vaious attacke capabilities. Fo example, anothe secuity goal is called nonmalleability [15, 7]. ee the attacke is given some ciphetext and his goal is to build anothe ciphetext such that the plaintexts ae meaningfully elated. Non-malleability is known to be equivalent to semantic secuity unde an adaptive chosen-ciphetext attack [3]. Fo this eason, IND CCA secuity is sometimes called non-malleability. Similaly, one can also conside diffeent attacke capabilities based on the oacles given to the attacke [25, 29, 9, 20, 26]. As mentioned above, the most poweful attacke capability in the classical model is the decyption oacle itself, which decypts any ciphetext (except the challenge ciphetext). This classical model gives the cyptogaphic engine to the advesay as a black box to which he can make queies and eceive coect answes in constant time. It thus excludes timing attacks [21], simple and diffeential powe analyses [22] as well, and othe diffeential fault analyses [8, 12]. 2 The RSA-based Cyptosystems 2.1 The Plain RSA The RSA pemutation, poposed by Rivest, Shami and Adleman [30], is the most well known tapdoo pemutation. Its one-wayness is believed to be as stong as intege factoization. The RSA setup consists of choosing two lage pime numbes p and q, and computing the RSA modulus n = pq. The public key is n togethe with an exponent e (elatively pime to ϕ(n) = (p 1)(q 1)). The secet key d is defined to be the invese of e modulo ϕ(n). Encyption and decyption is defined as follows: E n,e (m) = m e mod n D n,d (c) = c d mod n. This pimitive does not povide by itself an IND CCA secue encyption scheme. Unde a slightly stonge assumption than the intactability of the intege factoization, it gives a cyptosystem that is only one-way unde chosen-plaintext attacks a vey weak level of secuity. Semantic secuity fails because encyption is deteministic. Even wose, unde a CCA attack, the attacke can fully decypt a challenge ciphetext C = m e mod n using the homomophic popety of RSA: E n,e (m 1 ) E n,e (m 2 ) = E n,e (m 1 m 2 mod n) mod n.

3 To decypt C = m e mod n using a CCA attack do: (1) compute C = C 2 e mod n, (2) give C ( C) to the decyption oacle, and (3) the oacle etuns 2m mod n fom which the advesay can deduce m. To ovecome RSA this simple CCA attack, pactical RSA-based cyptosystems andomly pad the plaintext pio to encyption. This andomizes the ciphetext and eliminates the homomophic popety The RSA PKCS #1 v1.5 Encyption A widely deployed padding fo RSA-based encyption is defined in the PKCS #1 v1.5 standad: fo any modulus 2 8(k 1) n < 2 8k, in ode to encypt an l byte-long message m (fo l k 11), one andomly chooses a k 3 l byte-long andom sting (with only non-zeo bytes). Then, one defines the k-byte long sting M = 02 0 m (see figue 1) which is theeafte encypted with the RSA pemutation, C = M e mod n. When decypting a ciphetext C, the decypto applies RSA invesion by computing M = C d mod n and then checks that the esult M matches the expected fomat 02 * 0 *. If so, the decypto outputs the last pat as the plaintext. Othewise, the ciphetext is ejected. 0 2 non-zeo bytes 0 m moe than 8 bytes Fig. 1. PKCS #1 v1.5 Fomat Intuitively, this padding seems sufficient to ule out the above weaknesses of the plain RSA system, but without any fomal poof o guaantee. Supisingly, in 1998, Bleichenbache [9] showed that a simple active attack can completely beak RSA PKCS #1. This attack applies to eal systems such as a Web seve using SSL v3.0. These seves often output a specific failue message in case of an invalid ciphetext. This enables an attacke to test whethe the two most significant bytes of a challenge ciphetext C ae equal to 02. If so, the attacke leans the following bound on the decyption of C: 2 2 8(k 2) C d mod n < 3 2 8(k 2). Due to the andom self-educibility of the RSA pemutation, in paticula the homomophism Cs e = M e s e = (Ms) e mod n, the complete decyption of C can be ecoveed afte a elatively small numbe of queies. Only a few million queies ae needed with a 1024-bit modulus. Bleichenbache s attack had an impact on many pactical systems and standads bodies, which suddenly became awae of the impotance of fomal secuity aguments. Nevetheless, the weak PKCS #1 v1.5 padding is still used in the TLS potocol [33]. The TLS specification now appeas to defend against Bleichenbache s attack using a technique fo which no poof of secuity has yet been published. Cetain simple attacks ae still possible (fo example, plaintext-checking attacks [26] can be easily un, even if they seem ineffective). The lesson hee is that standads should ely as much as possible on fully analyzed constuctions and avoid ad-hoc techniques.

4 4 3 The Optimal Asymmetic Encyption Padding Fo some time, people have tied to povide secuity poofs fo cyptogaphic potocols in the eductionist sense [10]. To do so, one pesents an algoithm that uses an effective advesay as a sub-pogam to beak some undelying hadness assumption (such as the RSA assumption, o the intactability of the intege factoization). Such an algoithm is called a eduction. This eduction is said to be efficient, oughly speaking, if it does not equie too many calls to the sub-pogam. 3.1 The Random Oacle Model A few yeas ago, a new line of eseach stated with the goal of combining povable secuity with efficiency, still in the eductionist sense. To achieve this goal, Bellae and Rogaway [4] fomalized a heuistic suggested by Fiat and Shami [16]. This heuistic consisted in making an idealized assumption about some objects, such as hash functions, accoding to which they wee assumed to behave like tuly andom functions. This assumption, known as the andom oacle model, may seem stong, and lacking in pactical embodiments. In fact, Canetti et al. [13] gave an example of a signatue scheme which is secue in the andom oacle model, but insecue unde any instantiation of the andom oacle. oweve, one can also conside andom-oacle-based poofs unde the assumption that the advesay is geneic, whateve the actual implementation of the hash function o othe idealized algoithms may be. In othe wods, we may assume that the advesay does/can not use any specific weakness of the hash functions used in pactice. Thanks to this ideal assumption, seveal efficient encyption and signatue schemes have been analyzed [5, 6, 27]. We emphasize that even fomal analyses in the andom oacle model ae not stong secuity poofs, because of the undelying ideal assumption. They do, howeve, povide stong evidence fo secuity and can futhemoe seve as the basis fo quite efficient schemes. Since people do not often want to pay moe than a negligible pice fo secuity, such an agument fo pactical schemes is moe useful than fomal secuity poofs fo inefficient schemes. m 0 k 1 s t Fig. 2. OAEP Padding

5 5 3.2 Desciption of OAEP At the time Bleichenbache published his attack on RSA PKCS #1 v1.5, the only efficient and povably secue encyption scheme based on RSA was the Optimal Asymmetic Encyption Padding (OAEP) poposed by Bellae and Rogaway [5]. OAEP can be used with any tapdoo pemutation f. To encypt a message m using the encyption scheme f OAEP, fist apply the OAEP pocedue descibed in Figue 2 ee is a andom sting and, ae hash functions. The esulting values [s t] ae then encypted using f, namely C = f(s, t). Bellae and Rogaway poved that OAEP padding used with any tapdoo pemutation f povides a semantically secue encyption scheme. By adding some edundancy (the constant value 0 k 1 at the end of the message, as shown in Figue 2), they futhemoe poved it to be weakly plaintext-awae. Plaintext-awaeness is a popety of encyption schemes in the andom oacle model which means that thee exists a plaintext-extacto able to simulate the decyption oacle on any ciphetext (valid o not) designed by the advesay. The weak pat in the definition poposed by Bellae and Rogaway was that the plaintext-extaction was just equied to wok while the advesay had not eceived any valid ciphetext fom any souce. Unfotunately, the adaptive chosen-ciphetext attack model gives the advesay a full-time access to the decyption oacle, even afte eceiving the challenge ciphetext about which the advesay wants to lean infomation. This challenge is a valid ciphetext. Theefoe, semantic secuity togethe with weak plaintext-awaeness only implies the semantic secuity against non-adaptive chosen-ciphetext attacks (a.k.a. lunchtime attacks [25], o indiffeent chosen-ciphetext attacks), whee the decyption oacle access is limited until the advesay has eceived the challenge ciphetext. In 1998, Bellae, Desai, Rogaway and the autho [3] coected this initial definition of plaintext-awaeness, equiing the existence of a plaintext-extacto able to simulate the decyption oacle on any ciphetext submitted by the advesay, even afte seeing some valid ciphetexts not encypted by the advesay himself. This stonge definition is a moe accuate model of the eal wold, whee the advesay may have access to ciphetexts via eavesdopping. We futhemoe poved that this new popety (which can only be defined in the andom oacle model) actually povides the encyption scheme with the stongest secuity level, namely semantic secuity against (adaptive) chosen-ciphetext attacks (IND CCA). oweve, no one eve povided OAEP with such a new plaintext-extacto. Theefoe, even if eveybody believed in the stong secuity level of OAEP, it had neve been poven IND CCA unde the one-wayness of the pemutation alone. 3.3 The OAEP Secuity Analyses In fact, the only fomally poven secuity esult about OAEP was its semantic secuity against lunchtime attacks, assuming the one-wayness of the undelying pemutation. Until vey ecently OAEP was widely believed to also be IND CCA. Shoup s Result Shoup [32] ecently showed that it was quite unlikely that OAEP is IND CCA assuming only the one-wayness of the undelying tapdoo pemutation. In fact, he showed that if thee exists a tapdoo one-way pemutation g fo which it is easy to compute g(x a) fom g(x) and a, then OAEP cannot be IND CCA secue fo an abitay tapdoo pemutation f. Refeing to this special popety of g as XOR malleability, let us biefly pesent Shoup s counte-example. Let s t denote

6 6 the output of the OAEP tansfomation on a plaintext message m. Define the oneway pemutation f as f(s t) = s g(t). Then encypting m using f OAEP gives the ciphetext C = [s g(t)]. What Shoup showed is that unde these conditions the advesay can use C to constuct a ciphetext C of a plaintext message m that is closely elated to the message m. In paticula, fo any sting δ, the advesay can constuct C which is the encyption of m = m δ. Thus, the scheme is malleable and hence not IND CCA giving C to the decyption oacle will eveal m = m δ, fom which the advesay can obtain m. m 0 k 1 m 0 k 1 s t s t (s) (s ) Fig. 3. Shoup s Attack To constuct C, the idea is fo the advesay to exploit the explicit appeaance of s in the ciphetext C. The advesay fist computes s = s, whee = δ 0 k 1 ; essentially, is simply a padded endeing of δ. The advesay then computes D = (s) (s ) using explicit knowledge of s and s and access to the andom oacle fo. Finally, by exploiting the XOR malleability of g, the advesay computes g(t ), whee t = t D. It is easy to see now that C = s g(t ) is a valid encyption of the message m. ence, the non-malleability of f OAEP is boken. This obsevation shows that it is unlikely that one can pove that f OAEP is IND CCA secue fo abitay tapdoo pemutations f by assuming only the one-wayness of f. Repaiing the OAEP Poof of Secuity To constuct a valid ciphetext C in the above attack it seems that the advesay has to quey the hash function at (s). But this seems to imply that given C the advesay can figue out the value s used to ceate C (ecall that s is the left hand side of f 1 (C)). Thus, it appeas that in ode to mount Shoup s attack the advesay must be able patly to invet f given f(s, t), the advesay must be able to expose s. We say f is patial-domain one-way if no efficient algoithm can deduce s fom C = f(s, t). Fo such tapdoo pemutations f, one could hope that Shoup s attack will fail and that f OAEP is IND CCA secue. Fujisaki, Okamoto, Sten and the autho [17] fomally poved this fact: If f is patial-domain one-way, then f OAEP is IND CCA secue. We note that patial-domain one-wayness is a stonge popety than onewayness: a function might be one-way but still not patial-domain one-way. Fotunately, the homomophic popeties of RSA enable us to pove that the RSA pemutation is patial-domain one-way if and only if RSA is one-way. Moe pecisely,

7 an algoithm that can expose half of RSA 1 (C) given C can be used to completely invet the RSA pemutation. Altogethe, this poves the widely believed IND CCA secuity of RSA OAEP assuming that RSA is a tapdoo pemutation. Fo secuity paametes, and t (whose fomal definitions ae omitted hee), we obtain the following esult [17]: Let A be a CCA-advesay against the semantic secuity of RSA OAEP with unning time bounded by t and advantage ε. Then, the RSA function can be inveted with pobability geate than appoximately ε 2 /4 within time bound 2t. Unfotunately, the secuity eduction fom an RSA-invesion into an attack is quite inefficient fo pactical sizes (moe pecisely, it is quadatic in the numbe of oacle queies). ence, this eduction is meaningless unless one uses a modulus lage enough so that the RSA-invesion (o the factoization) equies much moe than computational effot. With cuent factoization techniques [23, 14], one needs to use a modulus of length moe than 4096 bits to make the eduction meaningful (see [24] fo complexity estimates of the most efficient factoing algoithms). Viewed anothe way, this eduction shows that a 1024-bit modulus just povides a povable secuity level of 2 40, which is clealy inadequate given cuently pevalent levels of computing powe. (We note, howeve, that this does not mean that thee is an attack with this low complexity, only that one cannot be uled out by the available poofs of secuity.) 4 OAEP Altenatives 4.1 The OAEP + Padding Shoup also poposed a fomal secuity poof of RSA OAEP with a much moe efficient secuity eduction, but in the paticula case whee the encyption exponent e is equal to 3. oweve, many people believe that the RSA tapdoo pemutation with exponent 3 may be weake than with geate exponents. Theefoe, he also poposed a slightly modified vesion of OAEP, called OAEP + (see Figue 4), which can be poven secue unde the one-wayness of the pemutation alone. It uses the vaiable edundancy R(m, ) instead of the constant 0 k 1. It is thus a bit moe inticate than the oiginal OAEP. The secuity eduction fo OAEP + is efficient, but still uns in quadatic time. 7 m R m m R(m, ) R m R(m, ) R(m, ) s t s OAEP + padding SAEP + padding Fig. 4. OAEP + and SAEP + Paddings

8 8 4.2 SAEP + Padding Boneh [11] ecently poposed a new padding scheme, SAEP +, to be used with the Rabin pimitive [28] o RSA. It is simple than OAEP, hence the name Simplified Asymmetic Encyption Padding: wheeas OAEP is a two-ound Feistel netwok, SAEP + is a singleound. SAEP + has a linea time eduction fo the Rabin system (i.e., e = 2). Fo lage exponents, SAEP + has a quadatic time eduction. ence, fo lage exponents (e > 2), SAEP + does not guaantee secuity fo pactical paametes (less than two thousand bits). 4.3 The REACT Constuction Anothe altenative to OAEP is the REACT constuction, poposed by Okamoto and the autho [26] (see Figue 5). It povides an IND CCA encyption scheme fom any m m SymE RSA RSA C 1 C 2 C 3 C 1 C 2 C 3 Basic encyption ybid encyption Fig. 5. REACT weakly secue one (moe pecisely, a one-way pimitive, against plaintext-checking attacks), such as the RSA pimitive. Theefoe, the RSA REACT scheme is IND CCA secue unde the RSA assumption. Futhemoe, the secuity eduction is vey efficient, since it is in linea time without any loss in the success pobability, whateve the exponent. Consequently, it guaantees pefect equivalence with RSA invesion fo moduli which equie just a bit moe than 2 70 effot to be factoed. This is the case fo 1024 bit-long moduli, the minimal cuently advised key size. In compaison to pevious poposals, REACT is a full scheme and not just a pue padding applied to the message befoe the RSA function. Consequently, the ciphetext is a bit longe. oweve, even when used fo key tanspot, it allows integation of a symmetic encyption scheme (SymE) to achieve vey high encyption ates, as shown in the hybid constuction. In the specific case of RSA, REACT can be optimized, as explained below. 4.4 Simple RSA In an ISO epot [31], Shoup suggested a possible altenative, based on ideas fom Bellae and Rogaway [4] that povide a secue encyption scheme fom any tapdoo one-way pemutation f. Roughly speaking, simple RSA, as it is called, consists of fist encypting a andom sting using f to obtain C 0 (thus C 0 = e mod n), and then pasing () as k 0 k 1, whee is some hash function (modeled by a andom oacle). Theeafte, one encypts the message m using a symmetic encyption scheme

9 with the key k 0 to get C 1 (e.g., C 1 = m k 0 ), and authenticates the ciphetext with a MAC function using the key k 1 to get a tag T = (k 1, C 1 ). The ciphetext is the tiple (C 0, C 1, T ). This constuction is a special case of REACT, optimized fo RSA, and hence is IND CCA unde the RSA assumption. It povides a vey efficient linea time eduction. Moeove, thanks to the andom self-educibility of RSA (which can only be used with this latte constuction, but cannot with the OAEP and SAEP vaiants), this constuction povides a high secuity level even when encypting many plaintexts [1, 2]. 9 5 Conclusion RSA OAEP is a pactical RSA encyption scheme with povable secuity in the andom oacle model. Fo pactical secuity, the cost of the eductions cannot simply be shown to be polynomial time (as in asymptotical analyses), since the eduction efficiency diectly impacts the secuity paametes needed fo the scheme. ence, when evaluating cyptogaphic constuctions, one must take into account the efficiency of the secuity poof. Inefficient poofs of secuity do not give secuity guaantees fo eal wold paametes. Only OAEP with exponents 2 o 3, SAEP + with exponent 2, and RSA REACT (o the optimization simple RSA ) with any exponent, admit fomal poofs with linea time eductions in the andom oacle model. ence only these schemes guaantee semantic secuity against chosen-ciphetext attacks fo pactical modulus sizes (even less than 1024 bits). The povable secuity fo othe padding schemes is meaningful only fo much lage moduli (moe than 4096 bits). Acknowledgments I wamly thank my co-authos, Mihi Bellae, Anand Desai, Eiichio Fujisaki, Tatsuaki Okamoto, Phil Rogaway and Jacques Sten fo the inteesting woks we did on asymmetic encyption, as well as Dan Boneh, Piee-Alain Fouque, Victo Shoup and Yves Vehoeven fo the fuitful discussions we had. Refeences 1. O. Baudon, D. Pointcheval, and J. Sten. Extended Notions of Secuity fo Multicast Public Key Cyptosystems. In Poc. of the 27th ICALP, LNCS 1853, pages Spinge-Velag, Belin, M. Bellae, A. Boldyeva, and S. Micali. Public-key Encyption in a Multi-Use Setting: Secuity Poofs and Impovements. In Euocypt 00, LNCS 1807, pages Spinge-Velag, Belin, M. Bellae, A. Desai, D. Pointcheval, and P. Rogaway. Relations among Notions of Secuity fo Public-Key Encyption Schemes. In Cypto 98, LNCS 1462, pages Spinge-Velag, Belin, M. Bellae and P. Rogaway. Random Oacles Ae Pactical: a Paadigm fo Designing Efficient Potocols. In Poc. of the 1st CCS, pages ACM Pess, New Yok, M. Bellae and P. Rogaway. Optimal Asymmetic Encyption ow to Encypt with RSA. In Euocypt 94, LNCS 950, pages Spinge-Velag, Belin, M. Bellae and P. Rogaway. The Exact Secuity of Digital Signatues ow to Sign with RSA and Rabin. In Euocypt 96, LNCS 1070, pages Spinge-Velag, Belin, M. Bellae and A. Sahai. Non-Malleable Encyption: Equivalence between Two Notions, and an Indistinguishability-Based Chaacteization. In Cypto 99, LNCS 1666, pages Spinge- Velag, Belin, 1999.

10 10 8. E. Biham and A. Shami. Diffeential Fault Analysis of Secet Key Cyptosystems. In Cypto 97, LNCS 1294, pages Spinge-Velag, Belin, D. Bleichenbache. A Chosen Ciphetext Attack against Potocols based on the RSA Encyption Standad PKCS #1. In Cypto 98, LNCS 1462, pages Spinge-Velag, Belin, M. Blum and S. Micali. ow to eneate Cyptogaphically Stong Sequences of Pseudoandom Bits. SIAM Jounal on Computing, 13: , D. Boneh. Simplified OAEP fo the RSA and Rabin Functions. In Cypto 01, LNCS 2139, pages Spinge-Velag, Belin, D. Boneh, R. DeMillo, and R. Lipton. On the Impotance of Checking Cyptogaphic Potocols fo Faults. In Euocypt 97, LNCS 1233, pages Spinge-Velag, Belin, R. Canetti, O. oldeich, and S. alevi. The Random Oacles Methodology, Revisited. In Poc. of the 30th STOC, pages ACM Pess, New Yok, S. Cavalla, B. Dodson, A. K. Lensta, W. Lioen, P. L. Montgomey, B. Muphy,. te Riele, K. Aadal, J. ilchist,. uillem, P. Leyland, J. Machand, F. Moain, A. Muffett, Ch. Putnam, C. Putnam, and P. Zimmemann. Factoization of a 512-bit RSA Modulus. In Euocypt 00, LNCS 1807, pages Spinge-Velag, Belin, D. Dolev, C. Dwok, and M. Nao. Non-Malleable Cyptogaphy. SIAM Jounal on Computing, 30(2): , A. Fiat and A. Shami. ow to Pove Youself: Pactical Solutions of Identification and Signatue Poblems. In Cypto 86, LNCS 263, pages Spinge-Velag, Belin, E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Sten. RSA OAEP is Secue unde the RSA Assumption. In Cypto 01, LNCS 2139, pages Spinge-Velag, Belin, O. oldeich. On the Foundations of Moden Cyptogaphy. In Cypto 97, LNCS 1294, pages Spinge-Velag, Belin, S. oldwasse and S. Micali. Pobabilistic Encyption. Jounal of Compute and System Sciences, 28: , C. all, I. oldbeg, and B. Schneie. Reaction Attacks Against Seveal Public-Key Cyptosystems. In Poc. of ICICS 99, LNCS, pages Spinge-Velag, P. C. Koche. Timing Attacks on Implementations of Diffie-ellman, RSA, DSS, and Othe Systems. In Cypto 96, LNCS 1109, pages Spinge-Velag, Belin, P. C. Koche, J. Jaffe, and B. Jun. Diffeential Powe Analysis. In Cypto 99, LNCS 1666, pages Spinge-Velag, Belin, A. Lensta and. Lensta. The Development of the Numbe Field Sieve, volume 1554 of Lectue Notes in Mathematics. Spinge-Velag, A. Lensta and E. Veheul. Selecting Cyptogaphic Key Sizes. In PKC 00, LNCS 1751, pages Spinge-Velag, Belin, M. Nao and M. Yung. Univesal One-Way ash Functions and Thei Cyptogaphic Applications. In Poc. of the 21st STOC, pages ACM Pess, New Yok, T. Okamoto and D. Pointcheval. REACT: Rapid Enhanced-secuity Asymmetic Cyptosystem Tansfom. In CT RSA 01, LNCS 2020, pages Spinge-Velag, Belin, D. Pointcheval and J. Sten. Secuity Aguments fo Digital Signatues and Blind Signatues. Jounal of Cyptology, 13(3): , M. O. Rabin. Digitalized Signatues. In R. Lipton and R. De Millo, editos, Foundations of Secue Computation, pages Academic Pess, New Yok, C. Rackoff and D. R. Simon. Non-Inteactive Zeo-Knowledge Poof of Knowledge and Chosen Ciphetext Attack. In Cypto 91, LNCS 576, pages Spinge-Velag, Belin, R. Rivest, A. Shami, and L. Adleman. A Method fo Obtaining Digital Signatues and Public Key Cyptosystems. Communications of the ACM, 21(2): , Febuay V. Shoup. A Poposal fo an ISO Standad fo Public-Key Encyption, decembe ISO/IEC JTC 1/SC V. Shoup. OAEP Reconsideed. In Cypto 01, LNCS 2139, pages Spinge-Velag, Belin, T. Dieks and C. Allen. The TLS Potocol, januay RFC 2246 Available fom