#StackBounty: #rsa #padding #chosen-plaintext-attack #chosen-ciphertext-attack #blinding IND-CCA1 RSA padding?

Bounty: 50

I’ve found a way to complete a task which I’d solve with passwords or by sending keys over the wire (otherwise) by using RSA’s homomorphic property.

I’m restricted to RSA (any padding; for hardware reasons) to implement “blindable decryption”, where one party holds some encrypted data, blinds it, sends it to the decryption oracle, receives it and recovers the embedded key by unblinding.

For this a “secure-as-possible” version of RSA is required which still has the multiplicative homomorphic property.

So what is the best padding for RSA that keeps this property?

Note: An IND-CCA1 version of RSA would be perfectly fine.
My definition of best (in order of preference): Highest security level, easiest implementability, fastest run-time.

Edit: I removed the ECDH unit as the question is way more interesting this way. The ECDH unit can solve the problem using ElGamal and an ECIES like approach.


Get this bounty!!!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.