Most of the work listed here was carried out while I was an employee of RSA Laboratories 1999-2002. Note that papers on practice-oriented cryptography are (or at least were back then) typically published in proceedings of conferences rather than in ordinary journals, so only the last one is a preprint.

• Securing RSA-KEM via the AES
  Joint work with Matt Robshaw, Proceedings from PKC 2005, Les Diablerets, Switzerland, January 2005. Send me a note if you want a free electronic copy of the paper (for copyright reasons, the paper is not available online).

  RSA-KEM is a popular key encapsulation mechanism that combines the RSA trapdoor permutation with a key derivation function (KDF). Often the details of the KDF are viewed as orthogonal to the RSA-KEM construction and the RSA-KEM proof of security models the KDF as a random oracle. In this paper we present an AES-based KDF that has been explicitly designed so that we can appeal to currently held views on the ideal behaviour of the AES when proving the security of RSA-KEM. Thus, assuming that encryption with the AES provides a permutation of 128-bit input blocks that is chosen uniformily at random for each key k, the security of RSA-KEM against chosen-ciphertext attacks can be related to the hardness of inverting RSA.

  Up Home

• On the Security of RSA Encryption in TLS
  Joint work with Burt Kaliski, Proceedings from CRYPTO 2002, Santa Barbara, California, August 2002. Send me a note if you want a free electronic copy of the paper (for copyright reasons, the paper is not available online).

  We show that the security of the TLS handshake protocol based on RSA can be related to the hardness of inverting RSA given a certain ``partial-RSA'' decision oracle. The reduction takes place in a security model with reasonable assumptions on the underlying TLS pseudo-random function, thereby addressing concerns about its construction in terms of two hash functions. The result is extended to a wide class of constructions that we denote tagged key-encapsulation mechanisms. TLS is the successor of the SSL 3.0 handshake protocol.

  Up Home

• The Security of CTR + CBC-MAC
  Proceedings from SAC (Selected Areas of Cryptography) 2002, St John's, Newfoundland, August 2002. Available as document CCM-AD1 from NIST's Modes of Operation page.

  I analyze the security of the CTR + CBC-MAC (CCM) encryption mode. This mode, proposed by Doug Whiting, Russ Housley, and Niels Ferguson, combines the CTR (counter) encryption mode with CBC-MAC message authentication and is based on a block cipher such as AES. I present concrete lower bounds for the security of CCM in terms of the security of the underlying block cipher. The conclusion is that CCM provides a level of privacy and authenticity that is in line with other proposed modes such as OCB.

  Up Home

• Attacks Against the NSS Signature Scheme
  Joint work with Craig Gentry, Jacques Stern, and Mike Szydlo, Proceedings from Asiacrypt 2001 (I did not attend the conference). Available from Mike Szydlo's homepage.

  In 1996, a new cryptosystem called NTRU was introduced, related to the hardness of finding short vectors in specific lattices. At Eurocrypt 2001, the NTRU Signature Scheme (NSS), apparently related to the same hard problem, was proposed. In this paper, we show that the problem on which NSS relies is much easier than anticipated, and we describe an attack that allows efficient forgery of a signature on any message. Additionally, we demonstrate that a transcript of signatures leaks information about the secret key: using a correlation attack, it is possible to recover the key from a few tens of thousands of signatures.

  Gentry and Szydlo have proceeded with refined attacks on adapted versions of NSS; see Mike Szydlo's homepage for more information about the attacks and NTRU's homepage for more information about NTRU's cryptographic schemes.

  Up Home

• Security Proofs for the RSA-PSS Signature Scheme and Its Variants
  Proceedings from the 2nd NESSIE Workshop, Royal Holloway, University of London, September 2001. Full version available from the IACR eprint archive.

  In this (not very deep) paper, I analyze the security of different versions of the adapted RSA-PSS signature scheme, including schemes with variable salt lengths and message recovery. I also examine a variant with Rabin-Williams (RW) as the underlying verification primitive. The conclusion is that the security of RSA-PSS and RW-PSS in the random oracle model can be tightly related to the hardness of inverting the underlying RSA and RW primitives, at least if the PSS salt length is reasonably large. My security proofs are based on already existing work by Bellare and Rogaway and by Coron, who examined signature schemes based on the original PSS encoding method. RSA-PSS is a signature scheme based on RSA and was selected for the NESSIE portfolio of cryptographic algorithms.

  Up Home

• An OAEP Variant with a Tight Security Proof
  Preprint, 2002. Available from the IACR eprint archive.

  I introduce the OAEP++ encoding method, which is an adaptation of the OAEP encoding method, replacing the last step of the encoding operation with an application of a block cipher such as AES. I demonstrate that if f is a one-way trapdoor function that is hard to invert, then OAEP++ combined with f is secure against an IND-CCA2 adversary in the random oracle model. Moreover, the security reduction is tight; an adversary against f-OAEP++ can be extended to an f-inverter with a running time linear in the number of oracle queries.

  There is another scheme denoted as OAEP++ that was introduced by Kazukuni Kobara and Hideki Imai (see the IACR eprint archive) before I presented my variant.

Up Home