26 August 1998
From: "Rich Ankney" <rankney@erols.com>
To: <jy@jya.com>
Subject: The CS PK Cryptosystem
Date: Wed, 26 Aug 1998 20:08:12 -0400

This paper was posted to Victor's website a few months ago. This is a really great algorithm since it is provably secure (with no messy assumptions). OTOH it's a totally new algorithm (although obviously related to ElGamal).

My question is: Why use this instead of RSA w/ "Optimal Asymmetric Encryption Padding" (OAEP) as used by SET, being standardized by ANSI X9 (as X9.44) etc.? The difference is that OAEP is secure only under the random oracle model (simple definition: H(x) looks random for most x).

Regards,
Rich

PS: I swear I have no idea what Jon Graff would think about this :-)

JYA add: Rich Ankney is a member of the ANSI X9F Data & Information Security Subcommittee. Jon Graff is a member of PGP.

From Crypto98:

Lecture: "A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack"
Ronald Cramer (ETH Zurich, Switzerland), Victor Shoup (IBM Zurich Research Laboratory, Switzerland)

http://www.cs.wisc.edu/~shoup/papers/cs.ps.Z

Or,

http://www.zurich.ibm.com/Technology/Security/publications/1998/CS.pdf