26 August 1998

From: "Rich Ankney" <rankney@erols.com>
To: <jy@jya.com>
Subject: The CS PK Cryptosystem
Date: Wed, 26 Aug 1998 20:08:12 -0400

This paper was posted to Victor's website a few months ago.
This is a really great algorithm since it is provably secure (with
no messy assumptions).  OTOH it's a totally new algorithm
(although obviously related to ElGamal).  My question is:
Why use this instead of RSA w/ "Optimal Asymmetric
Encryption Padding" (OAEP) as used by SET, being standardized
by ANSI X9 (as X9.44) etc.?  The difference is that OAEP is
secure only under the random oracle model (simple definition:
H(x) looks random for most x).


PS:  I swear I have no idea what Jon Graff would think about

JYA add: Rich Ankney is a member of the ANSI X9F Data & Information Security Subcommittee. Jon Graff is a member of PGP.

From Crypto98:

Lecture: "A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack"
Ronald Cramer (ETH Zurich, Switzerland), Victor Shoup (IBM Zurich Research Laboratory, Switzerland)

http://www.cs.wisc.edu/~shoup/papers/cs.ps.Z

Or, http://www.zurich.ibm.com/Technology/Security/publications/1998/CS.pdf