Most of the work listed here was carried out while I was an
employee of RSA Laboratories 1999-2002. Note that papers on
practice-oriented cryptography are (or at least were back then)
typically published in proceedings of conferences rather than in
ordinary journals, so only the last one is a preprint.
RSA-KEM is a popular key encapsulation mechanism that combines the RSA trapdoor permutation with a key derivation function (KDF). Often the details of the KDF are viewed as orthogonal to the RSA-KEM construction, and the RSA-KEM proof of security models the KDF as a random oracle. In this paper we present an AES-based KDF that has been explicitly designed so that we can appeal to currently held views on the ideal behaviour of the AES when proving the security of RSA-KEM. Thus, assuming that encryption with the AES provides a permutation of 128-bit input blocks that is chosen uniformly at random for each key k, the security of RSA-KEM against chosen-ciphertext attacks can be related to the hardness of inverting RSA.
We show that the security of the TLS handshake protocol based on RSA can be related to the hardness of inverting RSA given a certain "partial-RSA" decision oracle. The reduction takes place in a security model with reasonable assumptions on the underlying TLS pseudo-random function, thereby addressing concerns about its construction in terms of two hash functions. The result is extended to a wide class of constructions that we denote tagged key-encapsulation mechanisms. TLS is the successor of the SSL 3.0 handshake protocol.
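The two-hash PRF construction the abstract refers to is the one in RFC 2246 section 5. The block below is an added example, not code from the paper: it implements that PRF (P_MD5 and P_SHA-1 over the two halves of the secret, XORed), the format of the premaster secret that the client encrypts under the server's RSA key, and the two handshake derivations that feed it into the PRF. The RSA encryption step itself is left out, and the nonces and secrets used in the checks are constructed values.

```python
"""Added example (not from the paper): the TLS 1.0/1.1 pseudo-random function of RFC 2246
section 5 and the two handshake derivations that use it. The RSA encryption of the
premaster secret is left out; only the PRF side of the RSA handshake is shown."""
import hmac
import secrets


def p_hash(hash_name, secret, seed, length):
    """P_hash(secret, seed) = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); truncated to `length` bytes."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_MD5(S1, label || seed) XOR P_SHA-1(S2, label || seed).
    S1 and S2 are the first and last ceil(len/2) bytes of the secret, so for an odd
    length the middle byte is used by both halves."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    left = p_hash("md5", s1, label + seed, length)
    right = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(left, right))


def make_pre_master_secret(client_version=b"\x03\x01"):
    """RSA key exchange (RFC 2246 7.4.7.1): 48 bytes, client_version || 46 random bytes.
    This is the value the client encrypts under the server's RSA public key."""
    return client_version + secrets.token_bytes(46)


def master_secret(pre_master, client_random, server_random):
    """RFC 2246 8.1: the 48-byte master secret binds both hello nonces (the "tags" in the
    tagged-KEM view) to the encapsulated premaster secret."""
    return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, length):
    """RFC 2246 6.3: key material; note the nonces are concatenated in the opposite order."""
    return tls10_prf(master, b"key expansion", server_random + client_random, length)
```

Two details worth checking in any implementation of this PRF: the secret is split into overlapping halves when its length is odd, and the master-secret and key-expansion derivations concatenate the client and server randoms in opposite orders, so a mix-up yields a PRF output that is well-formed but wrong.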
I analyze the security of the CTR + CBC-MAC (CCM) encryption mode. This mode, proposed by Doug Whiting, Russ Housley, and Niels Ferguson, combines the CTR (counter) encryption mode with CBC-MAC message authentication and is based on a block cipher such as AES. I present concrete lower bounds for the security of CCM in terms of the security of the underlying block cipher. The conclusion is that CCM provides a level of privacy and authenticity that is in line with other proposed modes such as OCB.
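To make the structure of the mode concrete, here is an added example (not code from the paper or from the CCM proposal) of CCM as laid out in RFC 3610: the B_0 and associated-data formatting fed to CBC-MAC, the counter blocks for CTR, and the masking of the truncated MAC with the first keystream block. The block is generic over the forward direction of a 128-bit block cipher; because CCM never calls the cipher's inverse, a keyed function built from HMAC-SHA256 is used as a stand-in for AES so that the code runs on the standard library alone. That stand-in is an assumption of this example and is not a block cipher. The key, nonce, header and message used in the checks are the constructed values of RFC 3610 packet vector #1, which lets the formatting be compared against the RFC even though the ciphertext cannot be.

```python
"""Added example (not from the paper): CTR + CBC-MAC (CCM) per RFC 3610, generic over the
forward direction of a 128-bit block cipher. A keyed function built from HMAC-SHA256 stands
in for AES so the code runs on the standard library alone; it is not a real block cipher."""
import hmac

BLOCK = 16


def demo_block_fn(key, block):
    """Stand-in for AES-128 encryption. CCM only ever calls the cipher forwards, so any 16-byte
    keyed function makes the construction run; substitute AES for anything real."""
    return hmac.new(key, block, "sha256").digest()[:BLOCK]


def mac_input_prefix(nonce, aad, msg_len, tag_len, len_len):
    """B_0 followed by the length-prefixed, zero-padded associated data (RFC 3610 section 2.2).
    Flags = Adata (1 bit) || M' = (M - 2) / 2 (3 bits) || L' = L - 1 (3 bits)."""
    flags = (64 if aad else 0) | ((tag_len - 2) // 2) << 3 | (len_len - 1)
    b0 = bytes([flags]) + nonce + msg_len.to_bytes(len_len, "big")
    if not aad:
        return b0
    if len(aad) < 0xFF00:
        a = len(aad).to_bytes(2, "big") + aad
    elif len(aad) < 1 << 32:
        a = b"\xff\xfe" + len(aad).to_bytes(4, "big") + aad
    else:
        a = b"\xff\xff" + len(aad).to_bytes(8, "big") + aad
    return b0 + a + b"\x00" * (-len(a) % BLOCK)


def counter_block(nonce, i, len_len):
    """A_i = Flags || Nonce || i with Flags = L - 1; the keystream block is S_i = E(K, A_i)."""
    return bytes([len_len - 1]) + nonce + i.to_bytes(len_len, "big")


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(e, key, nonce, n_bytes, len_len):
    """S_1 || S_2 || ... covering n_bytes; S_0 is reserved for masking the tag."""
    blocks = -(-n_bytes // BLOCK)
    return b"".join(e(key, counter_block(nonce, i, len_len)) for i in range(1, blocks + 1))


def _params(nonce, tag_len, msg_len):
    len_len = 15 - len(nonce)  # L: a longer nonce leaves fewer octets for the message length
    if not 2 <= len_len <= 8 or tag_len not in (4, 6, 8, 10, 12, 14, 16) or msg_len >= 1 << (8 * len_len):
        raise ValueError("bad nonce length, tag length or message size")
    return len_len


def _tag(e, key, nonce, aad, msg, tag_len, len_len):
    """CBC-MAC over B_0 || padded AAD || padded message, truncated to M octets (T), then
    masked with S_0 = E(K, A_0) to give the transmitted value U."""
    data = mac_input_prefix(nonce, aad, len(msg), tag_len, len_len) + msg + b"\x00" * (-len(msg) % BLOCK)
    x = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        x = e(key, _xor(x, data[i:i + BLOCK]))
    return _xor(x[:tag_len], e(key, counter_block(nonce, 0, len_len)))


def ccm_encrypt(key, nonce, aad, msg, tag_len=8, e=demo_block_fn):
    len_len = _params(nonce, tag_len, len(msg))
    return _xor(msg, _keystream(e, key, nonce, len(msg), len_len)) + _tag(e, key, nonce, aad, msg, tag_len, len_len)


def ccm_decrypt(key, nonce, aad, ct_and_tag, tag_len=8, e=demo_block_fn):
    """Returns the plaintext, or None if the tag does not verify. The MAC covers the plaintext,
    so decryption happens first, but nothing is released on a bad tag."""
    if len(ct_and_tag) < tag_len:
        return None
    ct, u = ct_and_tag[:-tag_len], ct_and_tag[-tag_len:]
    len_len = _params(nonce, tag_len, len(ct))
    msg = _xor(ct, _keystream(e, key, nonce, len(ct), len_len))
    if not hmac.compare_digest(u, _tag(e, key, nonce, aad, msg, tag_len, len_len)):
        return None
    return msg
```

The one parameter choice that matters operationally is visible in `_params`: the nonce length and the length field share the 15 octets after the flags byte, so a 13-byte nonce leaves only two octets for the message length (messages under 64 KiB), and the tag length M is encoded in B_0, so a receiver configured for a different M will reject everything rather than silently accept a shorter tag.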
In 1996, a new cryptosystem called NTRU was introduced, related to the hardness of finding short vectors in specific lattices. At Eurocrypt 2001, the NTRU Signature Scheme (NSS), apparently related to the same hard problem, was proposed. In this paper, we show that the problem on which NSS relies is much easier than anticipated, and we describe an attack that allows efficient forgery of a signature on any message. Additionally, we demonstrate that a transcript of signatures leaks information about the secret key: using a correlation attack, it is possible to recover the key from a few tens of thousands of signatures.
Gentry and Szydlo have proceeded with refined attacks on adapted versions of NSS; see Mike Szydlo's homepage for more information about the attacks and NTRU's homepage for more information about NTRU's cryptographic schemes.
Security Proofs for the RSA-PSS Signature Scheme and Its
Variants
Proceedings from the 2nd NESSIE Workshop, Royal Holloway,
University of London, September 2001. Full version available from
the IACR eprint archive.
In this (not very deep) paper, I analyze the security of different versions of the adapted RSA-PSS signature scheme, including schemes with variable salt lengths and message recovery. I also examine a variant with Rabin-Williams (RW) as the underlying verification primitive. The conclusion is that the security of RSA-PSS and RW-PSS in the random oracle model can be tightly related to the hardness of inverting the underlying RSA and RW primitives, at least if the PSS salt length is reasonably large. My security proofs are based on already existing work by Bellare and Rogaway and by Coron, who examined signature schemes based on the original PSS encoding method. RSA-PSS is a signature scheme based on RSA and was selected for the NESSIE portfolio of cryptographic algorithms.
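The following is an added example, not code from either paper, that covers two of the schemes above on one demo RSA key: the RSA-KEM construction of the first abstract (a uniformly random r in [0, n), c = r^e mod n, K = KDF(r)) and RSA-PSS signing and verification with a caller-chosen salt length, the parameter whose effect on the proof this paper examines. Assumptions of this example: SHA-256 with MGF1 stands in for the AES-based KDF of the RSA-KEM paper, whose details are not given on this page; the PSS encoding is the EMSA-PSS of RFC 8017 rather than the adapted variants the paper studies; and the key generation is throwaway demo quality, included only so the block runs offline.

```python
"""Added example (not from either paper): RSA-KEM and RSA-PSS on one freshly generated demo key.
SHA-256 with MGF1 stands in for the paper's AES-based KDF, whose details are not on this page."""
import hashlib
import hmac
import secrets

HLEN = 32  # SHA-256 output length in bytes

def is_probable_prime(n, rounds=40):
    # Miller-Rabin with random bases; adequate for a throwaway demo key
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd and exactly `bits` long
        if is_probable_prime(c):
            return c

def rsa_keygen(bits=1024, e=65537):
    """Returns ((n, e), (n, d)). Demo quality: no checks beyond gcd(e, phi) = 1."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so e not dividing phi means gcd(e, phi) = 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def mgf1(seed, length):
    """MGF1 (RFC 8017 B.2.1) with SHA-256; also serves as the KEM's KDF here (an assumption)."""
    blocks = (length + HLEN - 1) // HLEN
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]

def kem_encap(pub, key_len=32):
    """RSA-KEM: r uniform in [0, n), c = r^e mod n, K = KDF(I2OSP(r, k))."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    r = secrets.randbelow(n)
    return pow(r, e, n).to_bytes(k, "big"), mgf1(r.to_bytes(k, "big"), key_len)

def kem_decap(priv, c, key_len=32):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    if len(c) != k or int.from_bytes(c, "big") >= n:
        raise ValueError("ciphertext out of range")  # reject before touching the private key
    return mgf1(pow(int.from_bytes(c, "big"), d, n).to_bytes(k, "big"), key_len)

def pss_encode(msg, em_bits, salt_len, salt=None):
    """EMSA-PSS encoding (RFC 8017 9.1.1): EM = maskedDB || H || 0xbc with a fresh salt."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + salt_len + 2:
        raise ValueError("modulus too small for this salt length")
    salt = secrets.token_bytes(salt_len) if salt is None else salt
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - salt_len - HLEN - 2) + b"\x01" + salt
    masked = bytes(x ^ y for x, y in zip(db, mgf1(h, em_len - HLEN - 1)))
    top = 0xFF >> (8 * em_len - em_bits)  # clears the bits above em_bits
    return bytes([masked[0] & top]) + masked[1:] + h + b"\xbc"

def pss_verify_em(msg, em, em_bits, salt_len):
    """EMSA-PSS verification; the salt is recovered from DB, so its length must be agreed."""
    em_len = (em_bits + 7) // 8
    top = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em_len < HLEN + salt_len + 2 or em[-1] != 0xBC or em[0] & ~top:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    db = bytes(x ^ y for x, y in zip(masked, mgf1(h, em_len - HLEN - 1)))
    db = bytes([db[0] & top]) + db[1:]
    ps_len = em_len - HLEN - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    h2 = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + db[ps_len + 1:]).digest()
    return hmac.compare_digest(h, h2)

def pss_sign(priv, msg, salt_len=HLEN):
    n, d = priv
    em = pss_encode(msg, n.bit_length() - 1, salt_len)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def pss_verify(pub, msg, sig, salt_len=HLEN):
    n, e = pub
    em_bits = n.bit_length() - 1
    if len(sig) != (n.bit_length() + 7) // 8 or int.from_bytes(sig, "big") >= n:
        return False
    m = pow(int.from_bytes(sig, "big"), e, n)
    if m.bit_length() > em_bits:  # RFC 8017: inconsistent if EM does not fit in emLen octets
        return False
    return pss_verify_em(msg, m.to_bytes((em_bits + 7) // 8, "big"), em_bits, salt_len)
```

Two points the code makes explicit: the KEM decapsulation rejects any ciphertext outside [0, n) before the private exponent is used, and PSS verification recovers the salt from DB, so the salt length is a parameter both sides must agree on; with salt_len = 0 the signature becomes deterministic, which is the small-salt end of the range the proof above is concerned with.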
I introduce the OAEP++ encoding method, which is an adaptation of the OAEP encoding method, replacing the last step of the encoding operation with an application of a block cipher such as AES. I demonstrate that if f is a one-way trapdoor function that is hard to invert, then OAEP++ combined with f is secure against an IND-CCA2 adversary in the random oracle model. Moreover, the security reduction is tight; an adversary against f-OAEP++ can be extended to an f-inverter with a running time linear in the number of oracle queries.
There is another scheme denoted as OAEP++ that was introduced by Kazukuni Kobara and Hideki Imai (see the IACR eprint archive) before I presented my variant.