Knowledge (XXG)

Key encapsulation mechanism

are limited to small messages and are almost always used to encrypt a short random secret key in a hybrid cryptosystem anyway. And although a public-key encryption scheme can conversely be converted to a KEM by choosing a random secret key and encrypting it as a message, it is easier to design and
IND-CCA, which is loosely how much better an adversary can do than a coin toss to tell whether, given a random key and an encapsulation, the key is encapsulated by that encapsulation or is an independent random key.
Traditional Elgamal encryption can be adapted to the elliptic-curve setting, but it requires some way to reversibly encode messages as points on the curve, which is less trivial than encoding messages as integers mod
scheme and a KEM is that a public-key encryption scheme allows a sender to choose an arbitrary message from some space of possible messages, while a KEM chooses a short secret key at random for the sender.
know the private key from recovering any information about the encapsulated secret keys, even after eavesdropping or submitting other encapsulations to the receiver to study how the receiver reacts.
analyze a secure KEM than to design a secure public-key encryption scheme as a basis. So most modern public-key encryption schemes are based on KEMs rather than the other way around.
whose ciphertext is sent alongside the encapsulation to the receiver. This serves to compose a public-key encryption scheme out of a KEM and a symmetric-key authenticated cipher in a
in this case, and not a reversible encoding of messages, it is easy to extend to more compact and efficient elliptic curve groups for the same security, as in the
The receiver who knows the private key corresponding to the public key can recover the same random secret key from the encapsulation by the KEM's
that is, the probability beyond a fair coin toss at correctly distinguishing an encapsulated key from an independently randomly chosen key.
{\displaystyle {\begin{aligned}t&:=y^{r}{\bmod {p}}\\c_{1}&:=g^{r}{\bmod {p}}\\c_{2}&:=(t\cdot m){\bmod {p}}\end{aligned}}}
from a sender to a receiver, consists of three algorithms: Gen, Encap, and Decap. Circles shaded blue—the receiver's public key
Since this KEM only requires a one-way key derivation function to hash random elements of the group it is defined over,
When combined with an authenticated cipher to encrypt arbitrary bit string messages, the combination is essentially the
This naive approach is totally insecure. For example, since it is nonrandomized, it cannot be secure against even
as the private key. (Many variations on key generation algorithms and private key formats are available.)
A KEM allows a sender who knows a public key to simultaneously generate a short random secret key and an
that allows a sender to generate a short secret key and transmit it to a receiver securely, in spite of
This meets the syntax of a public-key encryption scheme, restricted to messages in the space
—can be safely revealed to an adversary, while boxes shaded red—the receiver's private key
can trivially decrypt it by querying the decryption oracle for the distinct ciphertext
The encapsulation algorithm is run to randomly generate a secret key and encapsulation
By validating ciphertexts in decryption, it avoids leaking bits of the private key
This approach is simpler to implement, and provides a tighter reduction to the
The sender may take the random secret key produced by a KEM and use it as a
used to encrypt an arbitrary bit string message, a simpler approach called
used to encrypt an arbitrary bit string message, a simpler approach is to
(which limits it to messages of a few hundred bytes for typical values of
through maliciously chosen ciphertexts outside the group generated by
simply by taking real number cube roots, and there are many other
simply by encrypting those messages and comparing the ciphertext.
A key encapsulation mechanism, to securely transport a secret key
—an adversary can tell whether the sender is sending the message
is defined over a multiplicative subgroup of the finite field
indistinguishability against chosen ciphertext attack
have been devised in attempts—sometimes failed, like
indistinguishability against chosen-ciphertext attack
takes no inputs and returns a pair of a public key
The security goal of a KEM is to prevent anyone who
ECIES, Elliptic Curve Integrated Encryption Scheme
is always a random secret key, such as a 256-bit
For example, an adversary having a ciphertext
The key generation algorithm is run to generate
and either returns an encapsulated secret key
Most public-key encryption schemes such as
is almost always a short secret key for a
with high probability yields the same key
A fair coin is tossed, giving an outcome
or fails, sometimes denoted by returning
is generated independently at random.
Difference from public-key encryption
is not in the subgroup generated by
can be computed from the ciphertext
is chosen to optimize efficiency as
A KEM consists of three algorithms:
Specifically, in the IND-CCA game:
However, this fails to achieve
A public-key encryption scheme.
of the secret key by the KEM's
The adversary returns a guess
The adversary can again query
of a KEM is quantified by its
for arbitrary encapsulations
is revealed to the adversary.
along with its encapsulation
is to choose an element of
of the adversary's choice,
key encapsulation mechanism
at random and use that to
randomized padding schemes
of the adversary's choice.
attacks against plain RSA
is defined as follows:
-bit moduli and exponent
and another secret key
The difference between a
The adversary can query
key derivation function
for an unknown message
as the private key and
Examples and motivation
and wins the game if
decapsulation algorithm
encapsulation algorithm
public-key cryptosystem
Return the ciphertext
roughly as follows:
known-plaintext attack
Encode the bit string
as the public key and
takes a private key
as its encapsulation.
a secret key using a
at random satisfying
if, for any key pair
public-key encryption
—must be kept secret.
uniformly at random.
the secret key from
authenticated cipher
versus the message
Decode the integer
Carmichael function
hybrid cryptosystem
as the public key.
Elgamal encryption
with private key
for a public key
Since the message
for a private key
IND-CCA advantage
Security: IND-CCA
1813: 1764: 1763: 1742: 1717: 1712: 1711: 1692: 1691: 1690:-bit semiprime 1672: 1671: 1606: 1605: 1579: 1578: 1559: 1558: 1551: 1546: 1494: 1487: 1483: 1478: 1477: 1450: 1439: 1438: 1401: 1396: 1395: 1373: 1372: 1349: 1344: 1343: 1321: 1294: 1293: 1260: 1252: 1251: 1211: 1210: 1186: 1181: 1180: 1125: 1117: 1116: 1094: 1089: 1088: 1066: 1039: 1038: 1009: 1008: 946: 945: 928: 873: 872: 853: 852: 796: 795: 776: 775: 756: 755: 710: 709: 702: 673: 672: 653: 648: 647: 628: 623: 622: 596: 595: 573: 540: 535: 534: 509: 508: 489: 488: 469: 468: 442: 441: 385: 384: 352: 351: 325: 324: 264: 263: 253: 248: 196: 118: 117: 95: 94: 75: 74: 52: 51: 32: 31: 24: 17: 12: 11: 5: 6684: 6682: 6674: 6673: 6671:Key management 6668: 6658: 6657: 6654: 6653: 6648: 6643: 6636: 6633: 6630: 6629: 6586: 6579: 6543:Elgamal, Taher 6534: 6527: 6506: 6483: 6476: 6434: 6427: 6399:Krawczyk, Hugo 6386: 6379: 6359: 6331:(1978-02-01). 6312: 6305: 6279: 6272: 6247: 6240: 6201: 6179: 6150: 6105: 6098: 6066: 6059: 6025: 5984: 5941: 5929:, 2024-08-13, 5909: 5876:Cramer, Ronald 5852: 5845: 5789: 5782: 5750: 5749: 5747: 5744: 5726: 5722: 5718: 5713: 5697: 5696: 5684: 5680: 5677: 5673: 5670: 5667: 5663: 5660: 5648: 5634: 5630: 5624: 5620: 5615: 5612: 5608: 5605: 5601: 5598: 5586: 5574: 5553: 5550: 5528: 5525: 5521: 5518: 5513: 5510: 5505: 5501: 5497: 5494: 5491: 5488: 5485: 5481: 5476: 5473: 5469: 5449: 5437: 5436: 5424: 5420: 5417: 5413: 5408: 5405: 5400: 5397: 5394: 5391: 5387: 5384: 5363: 5360: 5355: 5352: 5329: 5326: 5310: 5309: 5295: 5291: 5285: 5281: 5277: 5274: 5254: 5251: 5248: 5245: 5242: 5239: 5228: 5214: 5210: 5204: 5200: 5196: 5193: 5182: 5169: 5165: 5161: 5156: 5152: 5149: 5137: 5136: 5124: 5119: 5116: 5111: 5108: 5105: 5102: 5099: 5096: 5093: 5090: 5087: 5067: 5064: 5059: 5056: 5040: 5037:Key generation 5021: 4996: 4992: 4971: 4951: 4920: 4897: 4871: 4867: 4861: 4858: 4854: 4849: 4846: 4842: 4839: 4819: 4797: 4793: 4789: 4786: 4783: 4779: 4776: 4755: 4752: 4747: 4743: 4739: 4734: 4730: 4726: 4723: 
4719: 4716: 4695: 4675: 4670: 4666: 4662: 4657: 4653: 4649: 4646: 4643: 4616: 4596: 4576: 4555: 4551: 4547: 4542: 4530: 4529: 4515: 4511: 4506: 4502: 4498: 4492: 4489: 4485: 4481: 4477: 4474: 4462: 4448: 4444: 4438: 4434: 4429: 4425: 4421: 4417: 4414: 4410: 4407: 4395: 4383: 4362: 4358: 4354: 4332: 4328: 4324: 4302: 4299: 4295: 4292: 4287: 4284: 4279: 4275: 4271: 4268: 4265: 4262: 4259: 4255: 4250: 4246: 4242: 4238: 4217: 4214: 4210: 4207: 4202: 4199: 4194: 4190: 4186: 4183: 4180: 4177: 4174: 4170: 4165: 4161: 4157: 4153: 4133: 4121: 4120: 4108: 4104: 4101: 4097: 4092: 4089: 4084: 4081: 4078: 4075: 4071: 4068: 4047: 4044: 4039: 4036: 4014: 4010: 4006: 4002: 3998: 3994: 3990: 3986: 3982: 3979: 3975: 3972: 3956: 3955: 3943: 3938: 3934: 3930: 3925: 3921: 3917: 3914: 3911: 3900: 3883: 3879: 3875: 3872: 3869: 3866: 3863: 3860: 3857: 3855: 3851: 3847: 3843: 3842: 3837: 3833: 3827: 3823: 3819: 3816: 3814: 3810: 3806: 3802: 3801: 3796: 3792: 3786: 3782: 3778: 3775: 3773: 3771: 3768: 3767: 3756: 3743: 3739: 3735: 3730: 3726: 3723: 3711: 3710: 3698: 3695: 3692: 3687: 3684: 3679: 3676: 3673: 3670: 3667: 3647: 3644: 3639: 3636: 3625:to public key 3613: 3609: 3605: 3600: 3596: 3593: 3578: 3577: 3565: 3562: 3557: 3554: 3532: 3529: 3524: 3521: 3508: 3494: 3490: 3484: 3480: 3476: 3473: 3462: 3449: 3445: 3441: 3436: 3432: 3429: 3417: 3416: 3404: 3401: 3398: 3395: 3392: 3389: 3386: 3383: 3380: 3377: 3374: 3371: 3360:Key generation 3344: 3324: 3303: 3299: 3295: 3290: 3273: 3270: 3258: 3257: 3245: 3241: 3238: 3234: 3231: 3228: 3224: 3221: 3209: 3195: 3191: 3185: 3181: 3176: 3173: 3169: 3166: 3162: 3159: 3146: 3145: 3133: 3129: 3126: 3122: 3117: 3114: 3109: 3106: 3103: 3100: 3096: 3093: 3072: 3069: 3066: 3063: 3060: 3057: 3052: 3049: 3026: 3023: 3007: 3006: 2992: 2988: 2982: 2978: 2974: 2971: 2951: 2948: 2945: 2942: 2939: 2936: 2925: 2913: 2910: 2907: 2904: 2901: 2881: 2869: 2868: 2856: 2851: 2848: 2843: 2840: 2837: 2834: 2831: 2828: 2825: 2822: 2819: 2799: 2796: 2791: 2788: 2772: 
2769:Key generation 2753: 2725: 2721: 2717: 2712: 2680: 2657: 2625: 2605: 2596:, the message 2585: 2582: 2579: 2559: 2535: 2521:ATTACK AT DUSK 2517:ATTACK AT DAWN 2509: 2508: 2495: 2492: 2470: 2467: 2455: 2441: 2437: 2431: 2427: 2422: 2419: 2415: 2412: 2408: 2405: 2392: 2391: 2379: 2375: 2372: 2368: 2363: 2360: 2355: 2352: 2349: 2346: 2342: 2339: 2318: 2315: 2312: 2309: 2306: 2303: 2298: 2295: 2272: 2269: 2259:of ciphertext 2253: 2252: 2238: 2234: 2228: 2224: 2220: 2217: 2206: 2194: 2191: 2188: 2185: 2182: 2162: 2153:as an integer 2142: 2130: 2129: 2117: 2114: 2111: 2106: 2103: 2098: 2095: 2092: 2089: 2086: 2066: 2063: 2058: 2055: 2044:to public key 2033: 2013: 2010: 2007: 2004: 2001: 1986: 1985: 1973: 1970: 1967: 1964: 1961: 1958: 1953: 1950: 1928: 1925: 1920: 1917: 1904: 1892: 1889: 1886: 1881: 1877: 1871: 1868: 1864: 1860: 1857: 1846: 1830: 1827: 1824: 1821: 1801: 1798: 1795: 1792: 1789: 1786: 1783: 1780: 1777: 1774: 1771: 1749: 1745: 1741: 1738: 1735: 1730: 1727: 1724: 1720: 1699: 1679: 1667: 1666: 1654: 1651: 1648: 1645: 1642: 1639: 1634: 1631: 1626: 1621: 1618: 1613: 1602:Key generation 1586: 1566: 1555:RSA encryption 1550: 1547: 1545: 1542: 1528: 1524: 1520: 1516: 1513: 1510: 1507: 1504: 1500: 1497: 1493: 1490: 1486: 1470: 1469: 1456: 1453: 1449: 1446: 1426: 1423: 1420: 1417: 1414: 1411: 1407: 1404: 1392: 1380: 1355: 1352: 1331: 1327: 1324: 1320: 1315: 1312: 1307: 1304: 1301: 1290: 1278: 1275: 1272: 1267: 1263: 1259: 1248: 1236: 1233: 1230: 1227: 1224: 1221: 1218: 1207: 1193: 1189: 1168: 1163: 1160: 1155: 1152: 1149: 1146: 1143: 1140: 1137: 1132: 1128: 1124: 1113: 1100: 1097: 1076: 1072: 1069: 1065: 1060: 1057: 1052: 1049: 1046: 1035: 1021: 1018: 1006: 994: 991: 988: 985: 982: 979: 974: 971: 966: 961: 958: 953: 927: 924: 911: 908: 905: 902: 899: 894: 891: 886: 883: 880: 860: 840: 835: 832: 827: 824: 821: 818: 815: 812: 809: 806: 803: 783: 763: 743: 738: 735: 730: 725: 722: 717: 701: 698: 697: 696: 680: 659: 656: 634: 631: 608: 605: 583: 579: 576: 572: 567: 
564: 559: 556: 553: 550: 546: 543: 528: 516: 496: 487:, and returns 476: 454: 451: 429: 424: 421: 416: 413: 410: 407: 404: 401: 398: 395: 392: 378: 364: 361: 337: 334: 312: 309: 306: 303: 300: 297: 292: 289: 284: 279: 276: 271: 260:Key generation 252: 249: 247: 244: 195: 192: 125: 105: 102: 82: 62: 59: 39: 15: 13: 10: 9: 6: 4: 3: 2: 6683: 6672: 6669: 6667: 6664: 6663: 6661: 6652: 6649: 6647: 6644: 6642: 6639: 6638: 6634: 6624: 6619: 6615: 6611: 6607: 6600: 6596: 6595:Koblitz, Neal 6590: 6587: 6582: 6576: 6571: 6566: 6562: 6558: 6557: 6552: 6548: 6544: 6538: 6535: 6530: 6524: 6520: 6513: 6511: 6507: 6502: 6501: 6496: 6495:Shoup, Victor 6490: 6488: 6484: 6479: 6473: 6468: 6463: 6459: 6455: 6454: 6449: 6448:Preneel, Bart 6445: 6438: 6435: 6430: 6424: 6419: 6414: 6410: 6406: 6405: 6400: 6396: 6390: 6387: 6382: 6376: 6372: 6371: 6363: 6360: 6354: 6349: 6345: 6341: 6334: 6330: 6326: 6322: 6316: 6313: 6308: 6302: 6298: 6294: 6288: 6286: 6284: 6280: 6275: 6269: 6265: 6258: 6256: 6254: 6252: 6248: 6243: 6237: 6232: 6227: 6223: 6219: 6218: 6210: 6208: 6206: 6202: 6197: 6196: 6188: 6186: 6184: 6180: 6169:on 2024-06-26 6168: 6164: 6160: 6154: 6151: 6146: 6143: 6138: 6133: 6129: 6125: 6124: 6119: 6115: 6109: 6106: 6101: 6095: 6091: 6087: 6083: 6079: 6073: 6071: 6067: 6062: 6060:0-8493-8523-7 6056: 6049: 6048: 6043: 6039: 6035: 6029: 6026: 6021: 6018: 6013: 6008: 6004: 6000: 5999: 5994: 5988: 5985: 5980: 5977: 5972: 5967: 5963: 5959: 5958: 5950: 5948: 5946: 5942: 5937: 5932: 5928: 5921: 5920: 5913: 5910: 5905: 5901: 5897: 5893: 5889: 5885: 5881: 5880:Shoup, Victor 5877: 5871: 5869: 5867: 5865: 5863: 5861: 5859: 5857: 5853: 5848: 5842: 5837: 5832: 5828: 5824: 5823: 5818: 5817:Preneel, Bart 5814: 5813:Shoup, Victor 5808: 5806: 5804: 5802: 5800: 5798: 5796: 5794: 5790: 5785: 5779: 5775: 5768: 5766: 5764: 5762: 5760: 5758: 5756: 5752: 5745: 5743: 5741: 5720: 5716: 5702: 5678: 5675: 5668: 5665: 5661: 5658: 5649: 5632: 5622: 5613: 5610: 5603: 5599: 5596: 5587: 5572: 5551: 5548: 5523: 
5519: 5511: 5508: 5503: 5499: 5492: 5489: 5486: 5474: 5471: 5439: 5438: 5418: 5415: 5411: 5395: 5392: 5389: 5385: 5382: 5361: 5358: 5327: 5324: 5315: 5314:Decapsulation 5312: 5311: 5293: 5283: 5279: 5275: 5272: 5249: 5243: 5240: 5237: 5229: 5212: 5202: 5198: 5194: 5191: 5183: 5163: 5159: 5150: 5147: 5139: 5138: 5106: 5103: 5100: 5094: 5091: 5088: 5065: 5062: 5044: 5043:Encapsulation 5041: 5038: 5035: 5034: 5033: 5019: 5012: 4994: 4990: 4969: 4949: 4941: 4937: 4934: 4933:symmetric-key 4918: 4909: 4895: 4885: 4869: 4859: 4856: 4852: 4847: 4844: 4840: 4837: 4817: 4810:, from which 4795: 4787: 4784: 4781: 4777: 4774: 4750: 4745: 4741: 4737: 4732: 4728: 4721: 4717: 4714: 4693: 4668: 4664: 4660: 4655: 4651: 4644: 4641: 4633: 4628: 4614: 4594: 4574: 4549: 4545: 4513: 4504: 4500: 4496: 4490: 4487: 4483: 4479: 4475: 4472: 4463: 4446: 4436: 4427: 4423: 4419: 4412: 4408: 4405: 4396: 4381: 4360: 4356: 4352: 4330: 4326: 4322: 4297: 4293: 4285: 4282: 4277: 4273: 4266: 4263: 4260: 4248: 4244: 4240: 4212: 4208: 4200: 4197: 4192: 4188: 4181: 4178: 4175: 4163: 4159: 4155: 4123: 4122: 4102: 4099: 4095: 4079: 4076: 4073: 4069: 4066: 4045: 4042: 4008: 4004: 4000: 3996: 3992: 3988: 3984: 3977: 3973: 3970: 3961: 3958: 3957: 3936: 3932: 3928: 3923: 3919: 3912: 3909: 3901: 3881: 3870: 3867: 3864: 3858: 3856: 3849: 3845: 3835: 3825: 3821: 3817: 3815: 3808: 3804: 3794: 3784: 3780: 3776: 3774: 3769: 3757: 3737: 3733: 3724: 3721: 3713: 3712: 3693: 3690: 3674: 3671: 3668: 3665: 3645: 3642: 3607: 3603: 3594: 3591: 3584:of a message 3583: 3580: 3579: 3563: 3560: 3530: 3527: 3509: 3492: 3482: 3478: 3474: 3471: 3463: 3443: 3439: 3430: 3427: 3419: 3418: 3396: 3393: 3390: 3384: 3381: 3378: 3375: 3372: 3361: 3358: 3357: 3356: 3342: 3322: 3297: 3293: 3279: 3271: 3269: 3267: 3263: 3239: 3236: 3229: 3226: 3222: 3219: 3210: 3193: 3183: 3174: 3171: 3164: 3160: 3157: 3148: 3147: 3127: 3124: 3120: 3104: 3101: 3098: 3094: 3091: 3067: 3064: 3061: 3055: 3024: 3021: 3012: 3011:Decapsulation 3009: 3008: 2990: 
2980: 2976: 2972: 2969: 2946: 2940: 2937: 2934: 2926: 2911: 2908: 2905: 2902: 2899: 2879: 2871: 2870: 2838: 2835: 2832: 2826: 2823: 2820: 2797: 2794: 2776: 2775:Encapsulation 2773: 2770: 2767: 2766: 2765: 2751: 2744: 2740: 2719: 2715: 2701: 2697: 2694: 2693:symmetric-key 2678: 2669: 2655: 2647: 2643: 2639: 2623: 2603: 2583: 2580: 2577: 2557: 2549: 2533: 2524: 2514: 2493: 2490: 2468: 2465: 2456: 2439: 2429: 2420: 2417: 2410: 2406: 2403: 2394: 2393: 2373: 2370: 2366: 2350: 2347: 2344: 2340: 2337: 2313: 2310: 2307: 2301: 2270: 2267: 2258: 2255: 2254: 2236: 2226: 2222: 2218: 2215: 2207: 2192: 2189: 2186: 2183: 2180: 2160: 2140: 2132: 2131: 2112: 2109: 2093: 2090: 2087: 2084: 2064: 2061: 2031: 2024:-bit message 2008: 2005: 2002: 1991: 1988: 1987: 1968: 1965: 1962: 1956: 1926: 1923: 1905: 1887: 1879: 1869: 1866: 1862: 1858: 1855: 1847: 1844: 1825: 1819: 1799: 1796: 1787: 1781: 1778: 1775: 1747: 1743: 1739: 1736: 1733: 1728: 1725: 1722: 1718: 1697: 1677: 1669: 1668: 1646: 1643: 1640: 1624: 1603: 1600: 1599: 1598: 1584: 1564: 1556: 1548: 1543: 1541: 1526: 1522: 1518: 1514: 1511: 1505: 1502: 1498: 1495: 1484: 1475: 1454: 1451: 1447: 1444: 1421: 1418: 1415: 1409: 1405: 1402: 1393: 1378: 1370: 1353: 1350: 1325: 1322: 1318: 1302: 1299: 1291: 1273: 1270: 1265: 1261: 1249: 1231: 1228: 1225: 1219: 1216: 1208: 1191: 1187: 1150: 1147: 1144: 1138: 1135: 1130: 1126: 1114: 1098: 1095: 1070: 1067: 1063: 1047: 1044: 1036: 1007: 986: 983: 980: 964: 943: 942: 941: 938: 936: 932: 925: 923: 909: 906: 900: 897: 881: 878: 858: 822: 819: 816: 810: 807: 804: 781: 761: 754:generated by 728: 707: 699: 694: 657: 654: 632: 629: 577: 574: 570: 554: 551: 548: 544: 541: 532: 531:Decapsulation 529: 514: 494: 474: 411: 408: 405: 399: 396: 393: 382: 381:Encapsulation 379: 304: 301: 298: 282: 261: 258: 257: 256: 250: 245: 243: 240: 236: 232: 227: 225: 221: 217: 216:symmetric key 212: 209: 200: 193: 191: 189: 184: 182: 178: 174: 170: 169:encapsulation 165: 164:adversaries. 
163: 159: 158:eavesdropping 155: 151: 147: 143: 123: 103: 100: 80: 60: 57: 37: 28: 22: 6609: 6605: 6589: 6555: 6551:Chaum, David 6537: 6518: 6499: 6452: 6437: 6403: 6389: 6369: 6362: 6343: 6339: 6321:Rivest, R.L. 6315: 6296: 6263: 6216: 6194: 6171:. Retrieved 6167:the original 6153: 6122: 6108: 6089: 6046: 6028: 5997: 5987: 5956: 5918: 5912: 5891: 5887: 5821: 5815:(May 2000). 5773: 5698: 5313: 5042: 5036: 4939: 4910: 4886: 4629: 4531: 3959: 3581: 3359: 3355:as follows: 3276:Traditional 3275: 3259: 3010: 2774: 2768: 2738: 2699: 2670: 2525: 2510: 2256: 1989: 1601: 1553:Traditional 1552: 1473: 1471: 1368: 939: 930: 929: 794:returned by 705: 703: 530: 380: 259: 254: 228: 213: 205: 187: 185: 180: 176: 172: 168: 166: 162:intercepting 149: 145: 142:cryptography 139: 6616:: 203–209. 6329:Adleman, L. 5993:Kaliski, B. 5898:: 167–226. 5540:, i.e., if 5039:: As above. 4314:, i.e., if 3262:RSA problem 2771:: As above. 1670:Generate a 871:, that is, 700:Correctness 6660:Categories 6325:Shamir, A. 6173:2024-07-20 6118:Finney, H. 6114:Callas, J. 5746:References 3960:Decryption 3582:Encryption 3266:RSAES-OAEP 2640:. Various 2550:key, when 2257:Decryption 1990:Encryption 246:Definition 235:RSAES-OAEP 173:ciphertext 5490:− 5448:⊥ 5396:⁡ 5374:, giving 5151:∈ 5107:⁡ 5078:, giving 4857:− 4488:− 4264:− 4179:− 4132:⊥ 4080:⁡ 4058:, giving 3868:⋅ 3758:Compute: 3725:∈ 3675:⁡ 3658:, giving 3595:∈ 3431:∈ 3397:⁡ 3335:of order 3105:⁡ 3083:, giving 2903:≤ 2839:⁡ 2810:, giving 2351:⁡ 2329:, giving 2184:≤ 2094:⁡ 2077:, giving 2006:− 1880:λ 1867:− 1820:λ 1782:λ 1726:− 1647:⁡ 1512:− 1410:∈ 1303:⁡ 1250:The pair 1220:∈ 1151:⁡ 1048:⁡ 987:⁡ 882:⁡ 823:⁡ 704:A KEM is 691:(called ‘ 679:⊥ 555:⁡ 412:⁡ 305:⁡ 6641:Key Wrap 6635:See also 6553:(eds.). 6497:(2001), 5882:(2003). 
5679:′ 5662:′ 5614:′ 5600:′ 5588:Compute 5552:′ 5509:≢ 5475:′ 5419:′ 5386:′ 5328:′ 5184:Compute 4848:′ 4778:′ 4718:′ 4505:′ 4476:′ 4428:′ 4409:′ 4397:Compute 4361:′ 4331:′ 4283:≢ 4249:′ 4198:≢ 4164:′ 4103:′ 4070:′ 4009:′ 3993:′ 3974:′ 3464:Compute 3240:′ 3223:′ 3175:′ 3161:′ 3149:Compute 3128:′ 3095:′ 3025:′ 2526:Even if 2494:′ 2469:′ 2421:′ 2407:′ 2395:Compute 2374:′ 2341:′ 2271:′ 1848:Compute 1812:, where 1499:′ 1455:′ 1406:′ 1354:′ 1326:′ 1099:′ 1071:′ 931:Security 658:′ 633:′ 578:′ 545:′ 21:key wrap 6612:(177). 6450:(ed.). 6401:(ed.). 5819:(ed.). 5650:Return 5230:Return 5140:Choose 4464:Return 4077:Decrypt 3714:Choose 3672:Encrypt 3510:Return 3420:Choose 3272:Elgamal 3211:Return 2927:Return 2700:RSA-KEM 2348:Decrypt 2208:Return 2091:Encrypt 1906:Return 1841:is the 1557:, with 706:correct 218:for an 188:doesn't 152:, is a 6577:  6525:  6474:  6425:  6377:  6303:  6270:  6238:  6096:  6057:  5843:  5780:  4940:derive 4229:or if 2739:derive 1369:except 693:bottom 251:Syntax 237:, and 6602:(PDF) 6336:(PDF) 6051:(PDF) 5923:(PDF) 5894:(1). 5393:Decap 5104:Encap 3102:Decap 2892:with 2836:Encap 2173:with 1710:with 1300:Decap 1148:Encap 1045:Decap 879:Decap 820:Encap 552:Decap 409:Encap 148:, or 6575:ISBN 6523:ISBN 6472:ISBN 6423:ISBN 6375:ISBN 6301:ISBN 6268:ISBN 6236:ISBN 6145:4880 6094:ISBN 6055:ISBN 6020:8017 5979:9180 5841:ISBN 5778:ISBN 5265:and 4982:and 2962:and 2909:< 2190:< 1740:< 1734:< 1472:The 1371:for 160:and 144:, a 6618:doi 6565:doi 6462:doi 6413:doi 6348:doi 6226:doi 6142:RFC 6132:doi 6017:RFC 6007:doi 5976:RFC 5966:doi 5931:doi 5900:doi 5831:doi 5629:mod 5520:mod 5460:if 5316:of 5290:mod 5209:mod 4866:mod 4792:mod 4510:mod 4443:mod 4344:or 4294:mod 4209:mod 4144:if 3878:mod 3832:mod 3791:mod 3489:mod 3394:Gen 3190:mod 3013:of 2987:mod 2548:AES 2436:mod 2233:mod 1992:of 1876:mod 1770:gcd 1644:Gen 1549:RSA 984:Gen 762:Gen 695:’). 302:Gen 171:or 150:KEM 140:In 6662:: 6610:48 6608:. 6604:. 6573:. 6559:. 6549:; 6509:^ 6486:^ 6470:. 6456:. 6421:. 6407:. 
6344:21 6342:. 6338:. 6327:; 6323:; 6282:^ 6250:^ 6234:. 6220:. 6204:^ 6182:^ 6161:. 6140:. 6130:. 6126:. 6084:; 6080:; 6069:^ 6040:; 6036:; 6015:. 6005:. 6001:. 5974:. 5964:. 5960:. 5944:^ 5925:, 5892:33 5890:. 5886:. 5878:; 5855:^ 5839:. 5825:. 5792:^ 5754:^ 5742:. 5666::= 5604::= 5390::= 5276::= 5241::= 5195::= 5101::= 5032:: 4908:. 4884:. 4782::= 4722::= 4627:. 4480::= 4413::= 4074::= 3913::= 3859::= 3818::= 3777::= 3669::= 3561::= 3528::= 3475::= 3391::= 3362:, 3268:. 3227::= 3165::= 3099::= 2973::= 2938::= 2833::= 2668:. 2411::= 2345::= 2219::= 2088::= 1957::= 1924::= 1859::= 1641::= 1604:, 1489:Pr 1145::= 981::= 922:. 817::= 549::= 533:, 406::= 383:, 299::= 262:, 233:, 226:. 183:. 6626:. 6620:: 6583:. 6567:: 6531:. 6480:. 6464:: 6431:. 6415:: 6383:. 6356:. 6350:: 6309:. 6276:. 6244:. 6228:: 6176:. 6147:. 6134:: 6102:. 6063:. 6022:. 6009:: 5981:. 5968:: 5933:: 5906:. 5902:: 5849:. 5833:: 5786:. 5725:Z 5721:p 5717:/ 5712:Z 5695:. 5683:) 5676:t 5672:( 5669:H 5659:k 5647:. 5633:p 5623:x 5619:) 5611:c 5607:( 5597:t 5585:. 5573:g 5549:c 5527:) 5524:p 5517:( 5512:1 5504:q 5500:/ 5496:) 5493:1 5487:p 5484:( 5480:) 5472:c 5468:( 5435:: 5423:) 5416:c 5412:, 5407:k 5404:s 5399:( 5383:k 5362:x 5359:= 5354:k 5351:s 5325:c 5294:p 5284:r 5280:g 5273:c 5253:) 5250:t 5247:( 5244:H 5238:k 5227:. 5213:p 5203:r 5199:y 5192:t 5168:Z 5164:q 5160:/ 5155:Z 5148:r 5135:: 5123:) 5118:k 5115:p 5110:( 5098:) 5095:c 5092:, 5089:k 5086:( 5066:y 5063:= 5058:k 5055:p 5020:H 4995:2 4991:c 4970:m 4950:t 4919:m 4896:p 4870:p 4860:1 4853:g 4845:m 4841:= 4838:m 4818:m 4796:p 4788:g 4785:m 4775:m 4754:) 4751:g 4746:2 4742:c 4738:, 4733:1 4729:c 4725:( 4715:c 4694:m 4674:) 4669:2 4665:c 4661:, 4656:1 4652:c 4648:( 4645:= 4642:c 4615:g 4595:x 4575:p 4554:Z 4550:p 4546:/ 4541:Z 4528:. 4514:p 4501:2 4497:c 4491:1 4484:t 4473:m 4461:. 4447:p 4437:x 4433:) 4424:1 4420:c 4416:( 4406:t 4394:. 
4382:g 4357:2 4353:c 4327:1 4323:c 4301:) 4298:p 4291:( 4286:1 4278:q 4274:/ 4270:) 4267:1 4261:p 4258:( 4254:) 4245:2 4241:c 4237:( 4216:) 4213:p 4206:( 4201:1 4193:q 4189:/ 4185:) 4182:1 4176:p 4173:( 4169:) 4160:1 4156:c 4152:( 4119:: 4107:) 4100:c 4096:, 4091:k 4088:s 4083:( 4067:m 4046:x 4043:= 4038:k 4035:s 4013:) 4005:2 4001:c 3997:, 3989:1 3985:c 3981:( 3978:= 3971:c 3954:. 3942:) 3937:2 3933:c 3929:, 3924:1 3920:c 3916:( 3910:c 3882:p 3874:) 3871:m 3865:t 3862:( 3850:2 3846:c 3836:p 3826:r 3822:g 3809:1 3805:c 3795:p 3785:r 3781:y 3770:t 3742:Z 3738:q 3734:/ 3729:Z 3722:r 3709:: 3697:) 3694:m 3691:, 3686:k 3683:p 3678:( 3666:c 3646:y 3643:= 3638:k 3635:p 3612:Z 3608:p 3604:/ 3599:Z 3592:m 3564:y 3556:k 3553:p 3531:x 3523:k 3520:s 3507:. 3493:p 3483:x 3479:g 3472:y 3448:Z 3444:q 3440:/ 3435:Z 3428:x 3415:: 3403:) 3400:( 3388:) 3385:k 3382:s 3379:, 3376:k 3373:p 3370:( 3343:q 3323:g 3302:Z 3298:p 3294:/ 3289:Z 3256:. 3244:) 3237:r 3233:( 3230:H 3220:k 3208:. 3194:n 3184:d 3180:) 3172:c 3168:( 3158:r 3144:: 3132:) 3125:c 3121:, 3116:k 3113:s 3108:( 3092:k 3071:) 3068:d 3065:, 3062:n 3059:( 3056:= 3051:k 3048:s 3022:c 2991:n 2981:e 2977:r 2970:c 2950:) 2947:r 2944:( 2941:H 2935:k 2912:n 2906:r 2900:0 2880:r 2867:: 2855:) 2850:k 2847:p 2842:( 2830:) 2827:c 2824:, 2821:k 2818:( 2798:n 2795:= 2790:k 2787:p 2752:H 2724:Z 2720:n 2716:/ 2711:Z 2679:m 2656:m 2624:c 2604:m 2584:3 2581:= 2578:e 2558:e 2534:m 2507:. 2491:m 2466:r 2454:. 2440:n 2430:d 2426:) 2418:c 2414:( 2404:r 2390:: 2378:) 2371:c 2367:, 2362:k 2359:s 2354:( 2338:m 2317:) 2314:d 2311:, 2308:n 2305:( 2302:= 2297:k 2294:s 2268:c 2251:. 2237:n 2227:e 2223:r 2216:c 2205:. 2193:n 2187:r 2181:0 2161:r 2141:m 2128:: 2116:) 2113:m 2110:, 2105:k 2102:p 2097:( 2085:c 2065:n 2062:= 2057:k 2054:p 2032:m 2012:) 2009:1 2003:t 2000:( 1972:) 1969:d 1966:, 1963:n 1960:( 1952:k 1949:s 1927:n 1919:k 1916:p 1903:. 1891:) 1888:n 1885:( 1870:1 1863:e 1856:d 1845:. 
1829:) 1826:n 1823:( 1800:1 1797:= 1794:) 1791:) 1788:n 1785:( 1779:, 1776:e 1773:( 1748:t 1744:2 1737:n 1729:1 1723:t 1719:2 1698:n 1678:t 1665:: 1653:) 1650:( 1638:) 1633:k 1630:s 1625:, 1620:k 1617:p 1612:( 1585:e 1565:t 1527:| 1523:2 1519:/ 1515:1 1509:] 1506:b 1503:= 1496:b 1492:[ 1485:| 1468:. 1452:b 1448:= 1445:b 1425:} 1422:1 1419:, 1416:0 1413:{ 1403:b 1391:. 1379:c 1351:c 1330:) 1323:c 1319:, 1314:k 1311:s 1306:( 1277:) 1274:c 1271:, 1266:b 1262:k 1258:( 1247:. 1235:} 1232:1 1229:, 1226:0 1223:{ 1217:b 1192:1 1188:k 1167:) 1162:k 1159:p 1154:( 1142:) 1139:c 1136:, 1131:0 1127:k 1123:( 1096:c 1075:) 1068:c 1064:, 1059:k 1056:s 1051:( 1020:k 1017:p 1005:. 993:) 990:( 978:) 973:k 970:s 965:, 960:k 957:p 952:( 910:k 907:= 904:) 901:c 898:, 893:k 890:s 885:( 859:k 839:) 834:k 831:p 826:( 814:) 811:c 808:, 805:k 802:( 782:c 742:) 737:k 734:s 729:, 724:k 721:p 716:( 655:k 630:c 607:k 604:s 582:) 575:c 571:, 566:k 563:s 558:( 542:k 527:. 515:c 495:k 475:k 453:k 450:p 428:) 423:k 420:p 415:( 403:) 400:c 397:, 394:k 391:( 377:. 363:k 360:s 336:k 333:p 311:) 308:( 296:) 291:k 288:s 283:, 278:k 275:p 270:( 124:k 104:k 101:s 81:c 61:k 58:p 38:k 23:.

Index

key wrap
Flow diagram of a key encapsulation mechanism, relating the inputs and outputs of the Gen, Encap, and Decap algorithms of a KEM
cryptography
public-key cryptosystem
eavesdropping
intercepting
Flow diagram of a public-key encryption scheme, relating the inputs and outputs of its Gen, Encrypt, and Decrypt algorithms
public-key encryption
symmetric key
authenticated cipher
hybrid cryptosystem
RSAES-PKCS1-v1_5
RSAES-OAEP
Elgamal encryption
bottom
indistinguishability against chosen-ciphertext attack
RSA encryption
Carmichael function
known-plaintext attack
AES
attacks against plain RSA
randomized padding schemes
RSAES-PKCS1-v1_5
symmetric-key
authenticated cipher
key derivation function
RSA problem
RSAES-OAEP
Elgamal encryption
indistinguishability against chosen ciphertext attack

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.