
I've found a way to complete a task which I'd solve with passwords or by sending keys over the wire (otherwise) by using RSA's homomorphic property.

I'm restricted to RSA (any padding; for hardware reasons) to implement "blindable decryption", where one party holds some encrypted data, blinds it, sends it to the decryption oracle, receives it and recovers the embedded key by unblinding.

For this a "secure-as-possible" version of RSA is required which still has the multiplicative homomorphic property.

So what is the best padding for RSA that keeps this property?

Note: An IND-CCA1 version of RSA would be perfectly fine.
My definition of best (in order of preference): Highest security level, easiest implementability, fastest run-time.

Edit: I removed the ECDH unit as the question is way more interesting this way. The ECDH unit can solve the problem using ElGamal and an ECIES-like approach.

SEJPM
  • Can you use the ECDH unit for ElGamal? – Aug 12 '15 at 00:26
  • @RickyDemer, I think this would be possible. But I don't know of any reliable way to convert a random 256-bit string to a 256 or 320 bit curve point. – SEJPM Aug 12 '15 at 09:36
  • http://crypto.stackexchange.com/a/312/991 – Aug 12 '15 at 16:58
  • @RickyDemer, thank you, I have solved the problem now by using the ECDH unit to do ElGamal Encryption. I avoided the problem of the mapping by doing what ECIES does: Randomly choose a point and derive the key from that one and then perform the above protocol with ElGamal. This should give me the IND-CCA1 security. I'll edit the ECDH unit now out of the question so we have the more interesting part of finding such an RSA conversion as main focus point and motivation for theoretical research. – SEJPM Aug 12 '15 at 18:02
  • If you solved the problem, why not post the answer? It shouldn't be in "No answers" lists. – R1w Jul 19 '20 at 18:25
  • @R1w I solved my problem (which needed a CCA1-secure encryption scheme) by using an ECDH-based solution. However this question still asks for a CCA1-secure RSA-based solution which could be of independent interest. – SEJPM Jul 19 '20 at 18:27
  • @R1w and SEJPM: is "still has the multiplicative homomorphic property" part of the current question? Neither the bounty notice nor the above comment mention that. And that interferes with the definition of IND-CCA1 security. – fgrieu Jul 23 '20 at 15:44
  • @fgrieu yes, the homomorphic property is key to this question and CCA1 (non-adaptive CCA) allows for such schemes. – SEJPM Jul 23 '20 at 16:10
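
The blind, decrypt, unblind flow described in the question, as an added example that is not part of the original question or its comments. It uses textbook RSA with a constructed toy key; `pad`, `padded_oracle` and the 16-bit marker are hypothetical stand-ins for a structured padding, included to show why an oracle-side padding check and the multiplicative property pull against each other.

```python
import secrets
from math import gcd

# Constructed toy key from two Mersenne primes; sizes are for illustration only.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse via pow needs Python 3.8+

def encrypt(m):
    """Textbook (unpadded) RSA: E(a) * E(b) = E(a * b) mod N."""
    return pow(m, E, N)

def oracle_decrypt(c):
    """Decryption oracle: raw private-key operation, no structure check."""
    return pow(c, D, N)

def blind(c, r=None):
    """Holder: c' = c * r^E mod N, so the oracle only ever sees m * r."""
    while r is None or r < 2 or gcd(r, N) != 1:
        r = secrets.randbelow(N)
    return (c * pow(r, E, N)) % N, r

def unblind(m_blinded, r):
    """Holder: m = (m * r) * r^-1 mod N."""
    return (m_blinded * pow(r, -1, N)) % N

# Hypothetical structured padding: fixed 16-bit marker above a 192-bit payload.
TAG, K = 0x0002, 192

def pad(key):
    return (TAG << K) | key

def padded_oracle(c):
    """Oracle that checks the marker before releasing the payload."""
    m = pow(c, D, N)
    if m >> K != TAG:
        raise ValueError("padding check failed")
    return m & ((1 << K) - 1)

def demo(key, r=None):
    """Returns (recovered key, value the raw oracle saw, padded oracle accepted?)."""
    c_blind, r = blind(encrypt(key), r)
    seen = oracle_decrypt(c_blind)
    try:
        padded_oracle(blind(encrypt(pad(key)), r)[0])
        accepted = True
    except ValueError:
        accepted = False
    return unblind(seen, r), seen, accepted
```

With the raw oracle the holder recovers the key while the oracle sees only `key * r mod N`; the padding-checking oracle rejects the same blinded request because multiplying by `r` destroys the marker.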

0 Answers