Chinese Remaindering Based Cryptosystems in the Presence of Faults
- Journal of Cryptology
Cited by 23 (3 self)
We present some observations on public-key cryptosystems that use the Chinese remaindering algorithm. Our results imply that careless implementations of such systems could be vulnerable. Only one faulty signature, in some explained context, is enough to recover the secret key. Keywords. Public-key cryptosystems, Faulty computations, Chinese remaindering.

1 Introduction. In public-key cryptosystems two distinct computations can be distinguished: the computation that makes use of the secret/public key pair, and the one that only makes use of the public key. The former usually corresponds to the secret decryption or to the signature generation operation, the latter to the public encryption or to the signature verification operation. In this paper we restrict our attention to public-key cryptosystems in which the former computation can be sped up using the Chinese remaindering algorithm. Examples of such cryptosystems are: RSA [16], LUC [19], KMOV [11], and Demytko's cryptosystem [6]. ...
On the Security of the KMOV Public Key Cryptosystem
Cited by 23 (0 self)
This paper analyzes the KMOV public key cryptosystem, which is an elliptic curve based analogue to RSA. It was believed that this cryptosystem is more secure against attacks without factoring, such as the Hastad attack in broadcast applications. Some new attacks on KMOV are presented in this paper that show the converse. In particular, it is shown that some attacks on RSA which work only when a small public exponent e is used can be extended to KMOV, but with no restriction on e. The implications of these attacks on related cryptosystems are also discussed.

1 Introduction. In 1985, Koblitz and Miller independently proposed new public key cryptosystems based on elliptic curves [9, 16]. These cryptosystems rely on the difficulty of solving the discrete logarithm problem for elliptic curves. Other cryptosystems based on the same problem have been proposed thereafter. We refer to [15] for more information. A more recent overview is [1]. Koyama, Maurer, Okamoto and Vanstone proposed another k...
RSA-type Signatures in the Presence of Transient Faults
, 1997
Cited by 9 (5 self)
In this paper, we show that the presence of transient faults can leak some secret information. We prove that only one faulty RSA signature is needed to recover one bit of the secret key. Thereafter, we extend this result to Lucas-based and elliptic curve systems. Keywords. RSA, Lucas sequences, elliptic curves, transient faults.

1 Introduction. At the last Workshop on Security Protocols, Bao, Deng, Han, Jeng, Narasimhalu and Ngair from the Institute of Systems Science (Singapore) exhibited new attacks against several cryptosystems [2]. These attacks exploit the presence of transient faults. By exposing a device to external constraints, one can induce some faults with a non-negligible probability [1]. In this paper, we show that these attacks are of a very general nature and remain valid for cryptosystems based on other algebraic structures. We will illustrate this topic on the Lucas-based and elliptic curve cryptosystems. Moreover, we will focus on signature generation, reducing t...
On the importance of securing your bins: The garbage-man-in-the-middle attack
, 1997
Cited by 9 (2 self)
In this paper, we address the following problem: "Is it possible to weaken/attack a scheme when a (provably) secure cryptosystem is used?" The answer is yes. We exploit weak error-handling methods. Our attack relies on the cryptanalyst being able to modify some ciphertext and then getting access to the decryption of this modified ciphertext. Moreover, it applies to many cryptosystems, including RSA, Rabin, LUC, KMOV, Demytko, ElGamal and its analogues, the 3-pass system, knapsack schemes, etc.
Attacks on systems using Chinese remaindering
- Journal of Cryptology
, 1996
Cited by 8 (1 self)
In September 1996, Boneh, DeMillo and Lipton [2] identified a new attack against RSA [6] when performed with Chinese remaindering. In case of a computation error, they showed how to recover the secret factors p and q of the public modulus n from two signatures of the same message: the correct one and the faulty one. Independently, Lenstra [5] showed that only one message and the corresponding faulty signature were required to recover p and q. This paper shows that this attack applies to any RSA-type cryptosystem. In particular, we show how to extend it to the LUC [8] and Demytko [3] cryptosystems.
Security of an Identity-Based Cryptosystem and the Related Reductions
- In Advances in Cryptology, Eurocrypt'98, LNCS 1403
, 1998
Cited by 6 (0 self)
Abstract. Recently an efficient solution to the discrete logarithm problem on elliptic curves over F_p with p points (p: prime), so-called anomalous curves, was independently discovered by Semaev [14], Smart [17], and Satoh and Araki [12]. Since the solution is very efficient, i.e., O(|p|^3), the Semaev-Smart-Satoh-Araki (SSSA) algorithm implies the possibility of realizing a trapdoor for the discrete logarithm problem, and we have tried to utilize the SSSA algorithm for constructing a cryptographic scheme. One of our trials was to realize an identity-based cryptosystem (key distribution) which has been proven to be as secure as a primitive problem, called the Diffie-Hellman problem on an elliptic curve over Z/nZ (n = pq, p and q are primes) where E_p and E_q are anomalous curves (anomalous E_n-Diffie-Hellman problem). Unfortunately we have found that the anomalous E_n-Diffie-Hellman problem is not secure (namely, our scheme is not secure). First, this paper introduces our trial of realizing an identity-based cryptosystem based on the SSSA algorithm, and then shows why the anomalous E_n-Diffie-Hellman problem is not secure. In addition, we generalize the observation of our breaking algorithm and present reductions of factoring n to computing the order of an elliptic curve over Z/nZ. (These reductions roughly imply the equivalence of intractability between factoring and computing an elliptic curve's order.) The algorithm of breaking our identity-based cryptosystem is considered to be a special case of these reductions, and the essential reason why our system was broken can be clarified through these reductions: E_n in our system is a very specific curve such that the order of E_n (i.e., n) is trivially known.
A New and Optimal Chosen-Message Attack on RSA-Type Cryptosystems
- In the proceedings of the International Conference on Information and Communications Security
, 1997
Cited by 5 (2 self)
The chosen-message attack on RSA is usually considered an inherent property of its homomorphic structure. In this paper, we show that non-homomorphic RSA-type cryptosystems are also susceptible to a chosen-message attack. In particular, we prove that only one message is needed to mount a successful chosen-message attack against the Lucas-based systems and Demytko's elliptic curve system.
Low exponent attack against elliptic curve RSA
, 1995
Cited by 5 (0 self)
Hastad showed that low exponent RSA is not secure if the same message is encrypted to several receivers. This is true even if a time-stamp is used for each receiver. For example, let e = 3. Then if the number of receivers = 7, the eavesdropper can find the plaintext from the seven ciphertexts of each receiver. This paper shows that elliptic curve RSA is not secure in the same scenario. It is shown that the KMOV scheme and Demytko's scheme are not secure if e = 5, n ≥ 1024 and the number of receivers = 428. In Demytko's scheme, e can take the value of 2. In this case, this system is not secure if the number of receivers = 11 for n ≥ 175.

1 Introduction. Hastad showed that low exponent RSA is not secure if the same message is encrypted to several receivers [1]. This is true even if a time-stamp is used for each receiver. For example, let e = 3. Then if the number of receivers = 7, the eavesdropper can find the plaintext from the seven ciphertexts of each receiver. On the other hand, el...
An efficient semantically secure elliptic curve cryptosystem based on KMOV scheme
, 2002
Cited by 4 (2 self)
We propose an elliptic curve scheme over the ring Z_{n^2}, which is efficient and semantically secure in the standard model. There appears to be no previous elliptic curve cryptosystem based on factoring that enjoys both of these properties. The KMOV scheme has been used as an underlying primitive to obtain efficiency and probabilistic encryption. Semantic security of the scheme is based on a new decisional assumption, namely, the Decisional Small-x e-Multiples Assumption. Confidence in this assumption is also discussed.
Protocol Failures for RSA-like Functions using Lucas Sequences and Elliptic Curves
, 1997
Cited by 3 (1 self)
We show that the cryptosystems based on Lucas sequences and on elliptic curves over a ring are insecure when a linear relation is known between two plaintexts that are encrypted with a "small" public exponent. This attack is already known for the classical RSA system, but the proofs and the results here are different.

1 Introduction. In numerous situations, the difference between two plaintexts is known, as for example:
-- texts differing only in their date of compilation;
-- letters sent to different recipients;
-- retransmission of a message with a new ID number due to an error;
-- ...
On the other hand, the security of public-key cryptosystems relies on trapdoor one-way functions. A trapdoor one-way function is a function easy to compute but infeasible to invert unless the trapdoor is known. Many trapdoor one-way functions use a polynomial in a given algebraic structure (think about RSA). Recently, some researchers [9, 25, 5, 6] were able to exploit such a structur...

