Chinese Remaindering Based Cryptosystems in the Presence of Faults
Journal of Cryptology
Cited by 27 (3 self)
We present some observations on public-key cryptosystems that use the Chinese remaindering algorithm. Our results imply that careless implementations of such systems could be vulnerable. Only one faulty signature, in some explained context, is enough to recover the secret key. Keywords. Public-key cryptosystems, faulty computations, Chinese remaindering. 1 Introduction In public-key cryptosystems two distinct computations can be distinguished: the computation that makes use of the (secret key, public key) pair, and the one that only makes use of the public key. The former usually corresponds to the secret decryption or to the signature generation operation, the latter to the public encryption or to the signature verification operation. In this paper we restrict our attention to public-key cryptosystems in which the former computation can be sped up using the Chinese remaindering algorithm. Examples of such cryptosystems are: RSA [16], LUC [19], KMOV [11], and Demytko's cryptosystem [6]. ...
On the Security of the KMOV Public Key Cryptosystem
Cited by 25 (0 self)
This paper analyzes the KMOV public key cryptosystem, which is an elliptic curve based analogue of RSA. It was believed that this cryptosystem is more secure against attacks that do not require factoring, such as the Håstad attack in broadcast applications. Some new attacks on KMOV are presented in this paper that show the converse. In particular, it is shown that some attacks on RSA which work only when a small public exponent e is used can be extended to KMOV, but with no restriction on e. The implications of these attacks for related cryptosystems are also discussed. 1 Introduction In 1985, Koblitz and Miller independently proposed new public key cryptosystems based on elliptic curves [9, 16]. These cryptosystems rely on the difficulty of solving the discrete logarithm problem on elliptic curves. Other cryptosystems based on the same problem have been proposed thereafter. We refer to [15] for more information. A more recent overview is [1]. Koyama, Maurer, Okamoto and Vanstone proposed another k...
Trading One-Wayness Against Chosen-Ciphertext Security in Factoring-Based Encryption
2006
Cited by 15 (1 self)
We revisit a long-lived folklore impossibility result for factoring-based encryption and properly establish that reaching maximally secure one-wayness (i.e., equivalent to factoring) and resisting chosen-ciphertext attacks (CCA) are incompatible goals for single-key cryptosystems. We pinpoint two trade-offs between security notions in the standard model that have always remained unnoticed in the Random Oracle (RO) model. These imply that simple RO-model schemes such as Rabin/RW-SAEP[+]/OAEP[+][+], EPOC-2, etc. admit no instantiation in the standard model whose CCA security is equivalent to factoring via a key-preserving reduction. We extend this impossibility to arbitrary reductions assuming non-malleable key generation, a property capturing the intuition that factoring a modulus n should not be any easier when given a factoring oracle for moduli n′ ≠ n. The only known countermeasures against our impossibility results, besides malleable key generation, are the inclusion of an additional random string in the public key, or encryption twinning as in the Naor-Yung or Dolev-Dwork-Naor constructions.
RSA-type Signatures in the Presence of Transient Faults
1997
Cited by 9 (5 self)
In this paper, we show that the presence of transient faults can leak some secret information. We prove that only one faulty RSA signature is needed to recover one bit of the secret key. Thereafter, we extend this result to Lucas-based and elliptic curve systems. Keywords. RSA, Lucas sequences, elliptic curves, transient faults. 1 Introduction At the last Workshop on Security Protocols, Bao, Deng, Han, Jeng, Narasimhalu and Ngair from the Institute of Systems Science (Singapore) exhibited new attacks against several cryptosystems [2]. These attacks exploit the presence of transient faults. By exposing a device to external constraints, one can induce faults with non-negligible probability [1]. In this paper, we show that these attacks are of a very general nature and remain valid for cryptosystems based on other algebraic structures. We will illustrate this topic on the Lucas-based and elliptic curve cryptosystems. Moreover, we will focus on signature generation, reducing t...
On the importance of securing your bins: The garbage-man-in-the-middle attack
1997
Cited by 9 (2 self)
In this paper, we address the following problem: "Is it possible to weaken/attack a scheme when a (provably) secure cryptosystem is used?" The answer is yes. We exploit weak error-handling methods. Our attack relies on the cryptanalyst being able to modify some ciphertext and then getting access to the decryption of this modified ciphertext. Moreover, it applies to many cryptosystems, including RSA, Rabin, LUC, KMOV, Demytko, ElGamal and its analogues, the 3-pass system, knapsack schemes, etc.
Attacks on systems using Chinese remaindering
Journal of Cryptology
1996
Cited by 9 (2 self)
In September 1996, Boneh, DeMillo and Lipton [2] identified a new attack against RSA [6] when performed with Chinese remaindering. In case of a computation error, they showed how to recover the secret factors p and q of the public modulus n from two signatures of the same message: the correct one and the faulty one. Independently, Lenstra [5] showed that only one message and the corresponding faulty signature were required to recover p and q. This paper shows that this attack applies to any RSA-type cryptosystem. In particular, we show how to extend it to the LUC [8] and Demytko [3] cryptosystems.
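The two recoveries this abstract describes (and the one the "Chinese Remaindering Based Cryptosystems in the Presence of Faults" entry above alludes to), as an added example that is not code from either paper: a CRT-RSA signer, a constructed single-bit fault in the mod-p half of the computation, Lenstra's gcd on one faulty signature of a known message, the Boneh-DeMillo-Lipton gcd on a correct and a faulty signature of the same message, and the verify-before-release check that defeats both. The key size, the message value and the fault model are assumptions of this example.

```python
"""Fault attacks on CRT-RSA signatures (constructed example, not the papers' code)."""
import random
from math import gcd


def is_probable_prime(n, rounds=25):
    """Miller-Rabin primality test; fine for a demo, not for real key generation."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def keygen(bits=512, seed=1):
    """RSA key plus the CRT values (dp, dq, qinv) a fast signer precomputes."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            break
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def crt_sign(key, m, fault_in_p=False):
    """S = m^d mod n computed mod p and mod q, then recombined (Garner's form).

    fault_in_p models a transient fault that corrupts only the mod-p half.
    """
    p, q = key["p"], key["q"]
    sp = pow(m, key["dp"], p)
    sq = pow(m, key["dq"], q)
    if fault_in_p:
        sp ^= 1  # constructed fault: one bit of s_p flipped
    h = (key["qinv"] * (sp - sq)) % p
    return sq + h * q


def lenstra_attack(n, e, m, faulty_sig):
    """Lenstra: one faulty signature S' of a known message m.

    S'^e == m mod q (that half was computed correctly) but S'^e != m mod p,
    so gcd(S'^e - m, n) is q.
    """
    g = gcd(pow(faulty_sig, e, n) - m, n)
    return g if 1 < g < n else None


def bdl_attack(n, correct_sig, faulty_sig):
    """Boneh-DeMillo-Lipton: a correct and a faulty signature of the same message.

    S == S' mod q and S != S' mod p, so gcd(S - S', n) is q.
    """
    g = gcd(correct_sig - faulty_sig, n)
    return g if 1 < g < n else None


def checked_sign(key, m, fault_in_p=False):
    """Countermeasure: verify with the public key; never release a bad signature."""
    s = crt_sign(key, m, fault_in_p)
    if pow(s, key["e"], key["n"]) != m % key["n"]:
        raise RuntimeError("CRT signature failed verification; withheld")
    return s


if __name__ == "__main__":
    key = keygen(512, seed=3)
    m = 0xC0FFEE
    s_ok, s_bad = crt_sign(key, m), crt_sign(key, m, fault_in_p=True)
    print("Lenstra recovers q:", lenstra_attack(key["n"], key["e"], m, s_bad) == key["q"])
    print("BDL recovers q:   ", bdl_attack(key["n"], s_ok, s_bad) == key["q"])
```

The verification step in checked_sign costs one public-exponent exponentiation, which is cheap next to the private one; the point of the two gcd functions is that any released signature whose two CRT halves disagree is enough, so the check must be unconditional rather than applied only on detected errors.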
Security of an Identity-Based Cryptosystem and the Related Reductions
In Advances in Cryptology, Eurocrypt'98, LNCS 1403
1998
Cited by 6 (0 self)
Recently an efficient solution to the discrete logarithm problem on elliptic curves over F_p with p points (p: prime), so-called anomalous curves, was independently discovered by Semaev [14], Smart [17], and Satoh and Araki [12]. Since the solution is very efficient, i.e., O(|p|^3), the Semaev-Smart-Satoh-Araki (SSSA) algorithm implies the possibility of realizing a trapdoor for the discrete logarithm problem, and we have tried to utilize the SSSA algorithm for constructing a cryptographic scheme. One of our trials was to realize an identity-based cryptosystem (key distribution) which has been proven to be as secure as a primitive problem, called the Diffie-Hellman problem on an elliptic curve over Z/nZ (n = pq, p and q primes) where E_p and E_q are anomalous curves (the anomalous E_n-Diffie-Hellman problem). Unfortunately we have found that the anomalous E_n-Diffie-Hellman problem is not secure (namely, our scheme is not secure). First, this paper introduces our trial of realizing an identity-based cryptosystem based on the SSSA algorithm, and then shows why the anomalous E_n-Diffie-Hellman problem is not secure. In addition, we generalize the observation of our breaking algorithm and present reductions of factoring n to computing the order of an elliptic curve over Z/nZ. (These reductions roughly imply the equivalence of intractability between factoring and computing an elliptic curve's order.) The algorithm for breaking our identity-based cryptosystem is considered to be a special case of these reductions, and the essential reason why our system was broken can be clarified through these reductions: E_n in our system is a very specific curve such that the order of E_n (i.e., n) is trivially known.
A New and Optimal Chosen-Message Attack on RSA-Type Cryptosystems
In the proceedings of the International Conference on Information and Communications Security
1997
Cited by 5 (2 self)
Chosen-message attacks on RSA are usually considered an inherent property of its homomorphic structure. In this paper, we show that non-homomorphic RSA-type cryptosystems are also susceptible to a chosen-message attack. In particular, we prove that only one message is needed to mount a successful chosen-message attack against the Lucas-based systems and Demytko's elliptic curve system.
Low exponent attack against elliptic curve RSA
1995
Cited by 5 (0 self)
Håstad showed that low-exponent RSA is not secure if the same message is encrypted to several receivers. This is true even if a time-stamp is used for each receiver. For example, let e = 3. Then if the number of receivers = 7, the eavesdropper can find the plaintext from the seven ciphertexts of each receiver. This paper shows that elliptic curve RSA is not secure in the same scenario. It is shown that the KMOV scheme and Demytko's scheme are not secure if e = 5, n ≥ 2^1024 and the number of receivers = 428. In Demytko's scheme, e can take the value of 2. In this case, this system is not secure if the number of receivers = 11 for n ≥ 2^175. 1 Introduction Håstad showed that low-exponent RSA is not secure if the same message is encrypted to several receivers [1]. This is true even if a time-stamp is used for each receiver. For example, let e = 3. Then if the number of receivers = 7, the eavesdropper can find the plaintext from the seven ciphertexts of each receiver. On the other hand, el...
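The broadcast attack the abstract builds on, in its simplest form, as an added example that is not code from the paper: the same unpadded message sent to e = 3 receivers under pairwise coprime moduli is recovered by Chinese remaindering and an exact integer cube root, with no private key involved. Three receivers suffice here because there is no time-stamp; the seven-receiver figure quoted above is for the time-stamped variant, which turns each ciphertext into a distinct degree-3 polynomial and needs lattice (Coppersmith-style) root finding not shown here. The 48-bit toy moduli, the seed and the message are assumptions of this example.

```python
"""Håstad's broadcast attack on unpadded RSA with e = 3 (constructed example)."""
import random
from math import gcd, isqrt, prod

E = 3  # the low public exponent shared by all receivers


def small_prime(bits, rng):
    """Random prime of the given bit length by trial division (toy sizes only)."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(c % d for d in range(3, isqrt(c) + 1, 2)):
            return c


def toy_modulus(bits, rng):
    """Public modulus n = p*q for which e = 3 is a valid RSA exponent."""
    while True:
        p, q = small_prime(bits // 2, rng), small_prime(bits // 2, rng)
        if p != q and gcd(E, (p - 1) * (q - 1)) == 1:
            return p * q


def crt(residues, moduli):
    """Chinese remaindering: the x in [0, prod(moduli)) with x = r_i mod n_i."""
    N = prod(moduli)
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)
    return x % N


def iroot(k, x):
    """Floor of the integer k-th root of x (bisection; exact on big ints)."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def hastad_broadcast(ciphertexts, moduli):
    """Recover m from e ciphertexts c_i = m^e mod n_i of the same unpadded m.

    Since m < every n_i, m^e < n_1 * ... * n_e, so CRT yields m^e over the
    integers and an exact e-th root gives m.
    """
    if len(ciphertexts) < E or len(moduli) < E:
        raise ValueError(f"need at least {E} ciphertexts under distinct moduli")
    cs, ns = ciphertexts[:E], moduli[:E]
    for i in range(E):
        for j in range(i + 1, E):
            if gcd(ns[i], ns[j]) != 1:
                raise ValueError("moduli share a factor: factor them instead of CRT")
    X = crt(cs, ns)
    m = iroot(E, X)
    return m if m ** E == X else None


def demo(message=b"hello", seed=7):
    """Three receivers with toy 48-bit moduli (constructed); returns recovered bytes."""
    rng = random.Random(seed)
    ns = [toy_modulus(48, rng) for _ in range(E)]
    m = int.from_bytes(message, "big")
    if m >= min(ns):
        raise ValueError("message must be smaller than every modulus")
    cs = [pow(m, E, n) for n in ns]  # what the eavesdropper sees on the wire
    rec = hastad_broadcast(cs, ns)
    if rec is None:
        return None
    return rec.to_bytes((rec.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())
```

The shared-factor check matters in practice: two moduli with a common prime are not a CRT problem but a factoring gift, and the attack should stop and factor rather than continue.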
An efficient semantically secure elliptic curve cryptosystem based on KMOV scheme
2002
Cited by 5 (2 self)
We propose an elliptic curve scheme over the ring Z_{n^2}, which is efficient and semantically secure in the standard model. There appears to be no previous elliptic curve cryptosystem based on factoring that enjoys both of these properties. The KMOV scheme has been used as an underlying primitive to obtain efficiency and probabilistic encryption. Semantic security of the scheme is based on a new decisional assumption, namely the Decisional Small-x e-Multiples Assumption. Confidence in this assumption is also discussed.