Results 1 - 10 of 22
Chinese Remaindering Based Cryptosystems in the Presence of Faults
- Journal of Cryptology
Cited by 23 (3 self)
Abstract: We present some observations on public-key cryptosystems that use the Chinese remaindering algorithm. Our results imply that careless implementations of such systems could be vulnerable. Only one faulty signature, in some explained context, is enough to recover the secret key. Keywords. Public-key cryptosystems, Faulty computations, Chinese remaindering. 1 Introduction In public-key cryptosystems two distinct computations can be distinguished: the computation that makes use of the secret, public key pair, and the one that only makes use of the public key. The former usually corresponds to the secret decryption or to the signature generation operation, the latter to the public encryption or to the signature verification operation. In this paper we restrict our attention to public key cryptosystems in which the former computation can be sped up using the Chinese remaindering algorithm. Examples of such cryptosystems are: RSA [16], LUC [19], KMOV [11], and Demytko's cryptosystem [6]. ...
Torus-Based Cryptography
- In Advances in Cryptology (CRYPTO 2003), Springer LNCS 2729
, 2003
Cited by 22 (2 self)
Abstract: We introduce cryptography based on algebraic tori, give a new public key system called CEILIDH, and compare it to other discrete log based systems including LUC and XTR. Like those systems, we obtain small key sizes. While LUC and XTR are essentially restricted to exponentiation, we are able to perform multiplication as well. We also disprove the open conjectures from [2], and give a new algebro-geometric interpretation of the approach in that paper and of LUC and XTR.
Using Primitive Subgroups to Do More with Fewer Bits
, 2004
Cited by 13 (3 self)
Abstract: This paper gives a survey of some ways to improve the efficiency of discrete log-based cryptography by using the restriction of scalars and the geometry and arithmetic of algebraic tori and abelian varieties.
Trapdoor One-Way Permutations and Multivariate Polynomials
- Proc. of ICICS'97, LNCS 1334
, 1997
Cited by 11 (1 self)
Abstract: This article is divided into two parts. The first part describes the known candidates of trapdoor one-way permutations. The second part presents a new candidate trapdoor one-way permutation. This candidate is based on properties of multivariate polynomials on finite fields, and has similar characteristics to T. Matsumoto, H. Imai, and J. Patarin's schemes. What makes trapdoor one-way permutations particularly interesting is the fact that they immediately provide ciphering, signature, and authentication asymmetric schemes. Our candidate performs excellently in secret key, and secret key computations can be implemented in low-cost smart-cards, i.e. without co-processors. Key words: Trapdoor one-way permutations, multivariate polynomials, research of new asymmetric bijective schemes. Notes: This paper is the extended version of the paper with the same title published at ICICS'97. In this extended version, we have taken into account the recent results of [5]. Part I Known candidates ...
RSA-type Signatures in the Presence of Transient Faults
, 1997
Cited by 9 (5 self)
Abstract: In this paper, we show that the presence of transient faults can leak some secret information. We prove that only one faulty RSA signature is needed to recover one bit of the secret key. Thereafter, we extend this result to Lucas-based and elliptic curve systems. Keywords. RSA, Lucas sequences, elliptic curves, transient faults. 1 Introduction At the last Workshop on Security Protocols, Bao, Deng, Han, Jeng, Narasimhalu and Ngair from the Institute of Systems Science (Singapore) exhibited new attacks against several cryptosystems [2]. These attacks exploit the presence of transient faults. By exposing a device to external constraints, one can induce some faults with a non-negligible probability [1]. In this paper, we show that these attacks are of very general nature and remain valid for cryptosystems based on other algebraic structures. We will illustrate this topic on the Lucas-based and elliptic curve cryptosystems. Moreover, we will focus on the signature generation, reducing t...
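The two fault models in the abstracts above, the Chinese remaindering paper's "only one faulty signature" and this paper's "one faulty RSA signature recovers one bit", are worked through below on a constructed toy RSA key. This is an added example, not code from either paper. `sign_crt` models a transient fault in one CRT half and `crt_fault_attack` factors N from that single faulty signature with the standard gcd recovery, gcd(s'^e - m, N); `sign_plain` models a single-bit flip of the private exponent during a plain exponentiation and `bit_flip_attack` recovers which bit flipped and its original value. The primes, the public exponent, the message value and all function names are this example's own assumptions; the primes are tiny so the script runs instantly, whereas a real key uses primes of 1024 bits and more.

```python
# Added example, not code from either paper. Constructed toy RSA key so the
# attacks run offline; real keys use 1024-bit and larger primes.
from math import gcd

P, Q = 1000003, 999983          # constructed primes (both prime)
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)             # private exponent (Python >= 3.8)


def sign_crt(m, fault_in_q=False):
    """RSA signature computed with Chinese remaindering.

    With fault_in_q=True the half-exponentiation mod Q returns a wrong value,
    modelling a transient fault during that half of the computation."""
    dp, dq = D % (P - 1), D % (Q - 1)
    sp = pow(m, dp, P)
    sq = pow(m, dq, Q)
    if fault_in_q:
        sq = (sq + 1) % Q       # any corruption of the mod-Q half will do
    # Garner recombination: s = sq + Q * ((sp - sq) * Q^{-1} mod P)
    return (sq + Q * (((sp - sq) * pow(Q, -1, P)) % P)) % N


def crt_fault_attack(m, faulty_sig):
    """Factor N from one faulty CRT signature on a known message m.

    The faulty signature is still correct mod P, so faulty_sig^E - m is a
    multiple of P but not of Q (x -> x^E is a bijection mod Q), and the gcd
    with N is exactly P."""
    return gcd(pow(faulty_sig, E, N) - m, N)


def sign_plain(m, flip_bit=None):
    """RSA signature without CRT. flip_bit=i models a transient fault that
    flips bit i of the private exponent while it is being used."""
    d = D if flip_bit is None else D ^ (1 << flip_bit)
    return pow(m, d, N)


def bit_flip_attack(m, faulty_sig):
    """From one faulty signature whose exponent had exactly one bit flipped,
    recover (bit index, original bit value); None if no single flip fits.

    If bit i was 1 and got cleared, faulty_sig^E == m * m^(-2^i * E) (mod N);
    if it was 0 and got set,      faulty_sig^E == m * m^(2^i * E)  (mod N).
    Only public data (E, N, m) and the faulty signature are needed."""
    v = pow(faulty_sig, E, N)
    for i in range(D.bit_length() + 1):
        t = pow(m, (1 << i) * E, N)
        if (v * t) % N == m % N:
            return i, 1
        if v == (m * t) % N:
            return i, 0
    return None


if __name__ == "__main__":
    m = 0x1234567               # constructed message representative
    s_ok = sign_crt(m)
    assert pow(s_ok, E, N) == m
    s_bad = sign_crt(m, fault_in_q=True)
    factor = crt_fault_attack(m, s_bad)
    print("recovered factor:", factor, "correct:", factor == P)
    s_flip = sign_plain(m, flip_bit=9)
    print("flipped bit recovered as (index, value):", bit_flip_attack(m, s_flip))
```

The CRT attack needs nothing beyond the public key and the message, which is why the usual countermeasure is to verify the signature (or recompute it) before releasing it; the bit-flip attack shows that a device which leaks even a single wrong signature per fault leaks the private exponent one bit at a time.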
On the importance of securing your bins: The garbage-man-in-the-middle attack
, 1997
Cited by 9 (2 self)
Abstract: In this paper, we address the following problem: "Is it possible to weaken/attack a scheme when a (provably) secure cryptosystem is used?". The answer is yes. We exploit weak error-handling methods. Our attack relies on the cryptanalyst being able to modify some ciphertext and then getting access to the decryption of this modified ciphertext. Moreover, it applies on many cryptosystems, including RSA, Rabin, LUC, KMOV, Demytko, ElGamal and its analogues, 3-pass system, knapsack scheme, etc.
On-Line Multiple Secret Sharing
, 1996
Cited by 7 (0 self)
Abstract: A protocol for computationally secure "on-line" secret-sharing is presented, based on the intractability of the Diffie-Hellman problem, in which the participants' shares can be reused. Introduction. Cachin [1] presents a protocol for "on-line" secret sharing with general access structures, with shares as short as the secret and in which participants may be dynamically added or deleted without having to redistribute new shares secretly to the existing participants. These capabilities are gained by storing additional authentic, but not secret, information in a publicly accessible central location. This proposal does not allow the shares to be reused after the secret has been reconstructed without a further distributed computation sub-protocol, although there is a modification allowing a predetermined number of multiple secrets to be reconstructed in a specified order. In this letter we present a modification of the protocol which allows for an arbitrary number of secrets to be ...
Speeding up Subgroup Cryptosystems
, 2003
Cited by 6 (0 self)
Abstract: Thesis submitted for the degree of doctor at the Technische Universiteit Eindhoven, on the authority of the Rector Magnificus, prof.dr. R.A. van Santen, before a committee appointed by the College voor Promoties, to be defended in public on Wednesday 4 June 2003 at 16.00 by
Extending The Wiener Attack To RSA-Type Cryptosystems
, 1995
Cited by 4 (0 self)
Abstract: We show that the attack of Wiener on RSA cryptosystems with a short deciphering exponent extends to systems using other groups such as elliptic curves, and Luc. Introduction. Wiener [1] showed that the RSA cryptosystem has a weakness if the private deciphering exponent is chosen too small relative to the modulus. In this note we observe that the attack extends to other systems based on groups whose order modulo p is close to p: for example, systems based on elliptic curves and the Luc system. Wiener's attack on RSA. Suppose that $N = pq$ is the modulus for an RSA cryptosystem where $p$ and $q$ are primes of the same order of magnitude. The enciphering exponent, or public key, $e$ and deciphering exponent, or secret key, $d$ are related by $de \equiv 1 \pmod{\operatorname{lcm}(p-1, q-1)}$. In applications we may assume that the highest common factor $h$ of $p-1$ and $q-1$ is small, so that $de = 1 + k(p-1)(q-1)/h$ for some integer $k$. Wiener [1] observed that we have $e/N = k/h$ ...
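Wiener's attack as sketched above, carried through to a factorization of N with continued fractions, as an added example that is not code from the paper. The constructed key takes $d = e^{-1} \bmod (p-1)(q-1)$, so that $de = 1 + k(p-1)(q-1)$ holds exactly (the abstract's relation with $h = 1$); then $e/N$ is within $1/(2d^2)$ of $k/d$ whenever $d$ is well below $N^{1/4}$, so by Legendre's theorem $k/d$ is one of the convergents of $e/N$. Each convergent is tested by computing the candidate $\varphi = (ed-1)/k$ and checking whether $x^2 - (N - \varphi + 1)x + N$ has integer roots. The primes are generated in the script (a deterministic Miller-Rabin plus a next-prime search), the private exponent is forced to about $2^{20}$ against $N^{1/4} \approx 2^{31}$, and every function name is this example's own.

```python
# Added example, not code from the paper: Wiener's short-private-exponent
# attack via continued fractions, on a constructed key with d ~ 2^20 << N^(1/4)/3.
from math import gcd, isqrt


def is_prime(n):
    """Deterministic Miller-Rabin; these fixed bases are exact for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    """Smallest prime strictly greater than n."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def make_weak_key(p, q, d_min):
    """Constructed key whose private exponent is the first d >= d_min coprime
    to phi = (p-1)(q-1); e = d^-1 mod phi, so d*e = 1 + k*phi holds exactly.
    Returns (N, e, d)."""
    phi = (p - 1) * (q - 1)
    d = d_min
    while gcd(d, phi) != 1:
        d += 1
    return p * q, pow(d, -1, phi), d


def convergents(num, den):
    """Yield the continued-fraction convergents (h, k) of num/den, in order."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        a, num, den = num // den, den, num % den
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1


def wiener_attack(e, N):
    """Try each convergent k/d of e/N as the (k, d) in e*d = 1 + k*phi.
    A candidate phi is confirmed by solving x^2 - (N - phi + 1)x + N = 0
    for integer roots p, q. Returns (p, q, d) or None."""
    for k, d in convergents(e, N):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = N - phi + 1                  # equals p + q if phi is right
        disc = s * s - 4 * N             # equals (p - q)^2 if phi is right
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc or (s - root) % 2:
            continue
        p, q = (s - root) // 2, (s + root) // 2
        if p * q == N:
            return p, q, d
    return None


if __name__ == "__main__":
    p = next_prime(2 ** 61)
    q = next_prime(2 ** 61 + 2 ** 60)    # keeps p < q < 2p, as Wiener assumes
    N, e, d = make_weak_key(p, q, 2 ** 20)
    print("private exponent recovered:", wiener_attack(e, N) == (p, q, d))
```

The check on each convergent is what makes the attack safe to run blind: a wrong convergent almost never yields an integer $\varphi$, and even when it does the quadratic has no integer roots, so only the genuine $(k, d)$ survives. With $d$ generated modulo $\operatorname{lcm}(p-1, q-1)$ instead, the abstract's factor $h$ appears and the convergent approximates $k/(hd)$ rather than $k/d$; the same loop still applies once the small $h$ is guessed.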
Algebraic Tori in Cryptography
- In High Primes and Misdemeanours: Lectures in Honour of the 60th birthday of Hugh Cowie Williams, Fields Institute Communications Series 41, American Mathematical Society
, 2004
Cited by 4 (2 self)
Abstract: We give a mathematical interpretation in terms of algebraic tori of Lucas-based cryptosystems, XTR, and the conjectural generalizations in [2]. We show that the varieties underlying these systems are quotients of algebraic tori by actions of products of symmetric groups. Further, we use these varieties to disprove conjectures from [2].