Results 11  20
of
36
A New and Optimal ChosenMessage Attack on RSAType Cryptosystems
 Signatures in the Presence of Transient Faults 7 in the proceedings of the International Conference on Information and Communications Security
, 1997
"... Chosenmessage attack on RSA is usually considered as an inherent property of its homomorphic structure. In this paper, we show that nonhomomorphic RSAtype cryptosystems are also susceptible to a chosenmessage attack. In particular, we prove that only one message is needed to mount a successful c ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
Chosenmessage attack on RSA is usually considered as an inherent property of its homomorphic structure. In this paper, we show that nonhomomorphic RSAtype cryptosystems are also susceptible to a chosenmessage attack. In particular, we prove that only one message is needed to mount a successful chosenmessage attack against the Lucasbased systems and Demytko's elliptic curve system.
Low exponent attack against elliptic curve RSA
, 1995
"... Hastad showed that low exponent RSA is not secure if the same message is encrypted to several receivers. This is true even if timestamp is used for each receiver. For example, let e = 3. Then if the number of receivers = 7, the eavesdropper can find the plaintext from the seven ciphertexts of each ..."
Abstract

Cited by 5 (0 self)
 Add to MetaCart
Hastad showed that low exponent RSA is not secure if the same message is encrypted to several receivers. This is true even if timestamp is used for each receiver. For example, let e = 3. Then if the number of receivers = 7, the eavesdropper can find the plaintext from the seven ciphertexts of each receiver. This paper shows that elliptic curve RSA is not secure in the same scinario. It is shown that the KMOV scheme and Demytko's scheme are not secure if e = 5; n 2 1024 and the number of receivers = 428. In Demytko's scheme, e can take the value of 2. In this case, this system is not secure if the number of receiver = 11 for n 2 175 . 1 Introduction Hastad showed that low exponent RSA is not secure if the same message is encrypted to several receivers [1]. This is true even if timestamp is used for each receiver. For example, let e = 3. Then if the number of receivers = 7, the eavesdropper can find the plaintext from the seven ciphertexts of each receiver. On the other hand, el...
Publickey cryptography and invariant theory, arXiv:math.cs. CR/0207080
"... Publickey cryptosystems are suggested based on invariants of groups. We give also an overview of known cryptosystems which involve groups. 1 ..."
Abstract

Cited by 5 (5 self)
 Add to MetaCart
Publickey cryptosystems are suggested based on invariants of groups. We give also an overview of known cryptosystems which involve groups. 1
Reducing the Elliptic Curve Cryptosystem of MeyerMüller to the Cryptosystem of RabinWilliams
, 1996
"... . At Eurocrypt'96, Meyer and Muller presented a new Rabintype cryptosystem based on elliptic curves. In this paper, we will show that this cryptosystem may be reduced to the cryptosystem of WilliamsRabin. 1 Introduction In 1991, Koyama, Maurer, Okamoto and Vanstone [15] pointed out the existence o ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
. At Eurocrypt'96, Meyer and Muller presented a new Rabintype cryptosystem based on elliptic curves. In this paper, we will show that this cryptosystem may be reduced to the cryptosystem of WilliamsRabin. 1 Introduction In 1991, Koyama, Maurer, Okamoto and Vanstone [15] pointed out the existence of new oneway trapdoor functions similar to the RSA on elliptic curves over a ring. At Eurocrypt'96, Meyer and Muller presented an other elliptic RSAtype cryptosystem with a public encryption exponent equal to 2. We will show that this cryptosystem may be reduced to the cryptosystem of RabinWilliams [20, 22]. The remainder of the paper is organized as follows. Section 2 describes the cryptosystem of Meyer and Muller. In Section 3, we show how it may be reduced to the cryptosystem of RabinWilliams. Finally, we conclude in Section 4. CG1996/4 c fl1996 by UCL Crypto Group For more informations, see http://www.dice.ucl.ac.be/crypto/techreports.html Presented at the rump session of Eurocr...
Cryptanalysis of RSAType Cryptosystems: A Visit
 DIMACS Series in Discr. Math. ant Th. Comp. Sci., AMS
, 1998
"... . This paper surveys RSAtype implementations based on Lucas sequences and on elliptic curves. The main focus is the way how some known attacks on RSA were extended to LUC, KMOV and Demytko's system. It also gives some directions for the choice of the most appropriate RSAtype system for a given app ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
. This paper surveys RSAtype implementations based on Lucas sequences and on elliptic curves. The main focus is the way how some known attacks on RSA were extended to LUC, KMOV and Demytko's system. It also gives some directions for the choice of the most appropriate RSAtype system for a given application. 1. INTRODUCTION In 1978, Rivest, Shamir and Adleman [63] introduced the socalled RSA cryptosystem. Its security mainly relies on the difficulty of factoring carefully chosen large integers. After this breakthrough, other structures were proposed to produce analogues to RSA. So, Muller and Nobauer [54, 55] presented a cryptosystem using Dickson polynomials. This system was afterwards slightly modified and rephrased in terms of Lucas sequences by Smith and Lennon [70, 72]. More recently, Koyama, Maurer, Okamoto and Vanstone [41] exhibited new oneway trapdoor functions similar to RSA on elliptic curves, the socalled KMOV cryptosystem. Later, Demytko [20] also pointed out a new one...
On nonabelian homomorphic publickey cryptosystems
, 2002
"... An important problem of modern cryptography concerns secret publickey computations in algebraic structures. We construct homomorphic cryptosystems being (secret) epimorphisms f: G → H, where G,H are (publically known) groups and H is finite. A letter of a message to be encrypted is an element h ∈ H ..."
Abstract

Cited by 3 (3 self)
 Add to MetaCart
An important problem of modern cryptography concerns secret publickey computations in algebraic structures. We construct homomorphic cryptosystems being (secret) epimorphisms f: G → H, where G,H are (publically known) groups and H is finite. A letter of a message to be encrypted is an element h ∈ H, while its encryption g ∈ G is such that f(g) = h. A homomorphic cryptosystem allows one to perform computations (operating in a group G) with encrypted information (without knowing the original message over H). In this paper certain homomorphic cryptosystems are constructed for the first time for nonabelian groups H (earlier, homomorphic cryptosystems were known only in the Abelian case). In fact, we present such a system for any solvable (fixed) group H. 1
Faulty RSA encryption
, 1997
"... . The authors show that the presence of transient faults is dangerous when encrypting messages with the RSA cryptosystem. In particular, they show how a cryptanalyst can recover a plaintext without knowing the secret parameters. 1 Introduction Simmons pointed out in [1] that the use of a common RSA ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
. The authors show that the presence of transient faults is dangerous when encrypting messages with the RSA cryptosystem. In particular, they show how a cryptanalyst can recover a plaintext without knowing the secret parameters. 1 Introduction Simmons pointed out in [1] that the use of a common RSA [2] modulus is dangerous. Indeed, if the same message m is encrypted with coprime public encryption keys e 1 and e 2 , then it can easily be recovered as follows. Let c 1 = m e1 mod n and c 2 = m e2 mod n be the ciphertexts corresponding to message m. Since gcd(e 1 ; e 2 ) = 1, there exist u; v 2 ZZ such that ue 1 +ve 2 = 1. Therefore, message m is recovered as m = m ue1+ve2 j c u 1 c v 2 (mod n): (1) In the next Section, we will show that a similar technique enables to recover a plaintext in the presence of transient faults. 2 Faulty RSA encryption We suppose that an error occurs during the computation of the ciphertext. More precisely, if e = P t\Gamma1 i=0 e i 2 i denotes...
EPOC: Efficient Probabilistic PublicKey Encryption
"... We describe a novel publickey cryptosystem, EPOC (Efficient Probabilistic PublicKey Encryption), which has three versions: EPOC1, EPOC2 and EPOC3. EPOC1 is a publickey encryption system that uses a oneway trapdoor function and a random function (hash function). EPOC2 and EPOC3 are public ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
We describe a novel publickey cryptosystem, EPOC (Efficient Probabilistic PublicKey Encryption), which has three versions: EPOC1, EPOC2 and EPOC3. EPOC1 is a publickey encryption system that uses a oneway trapdoor function and a random function (hash function). EPOC2 and EPOC3 are publickey encryption systems that use a oneway trapdoor function, two random functions (hash functions) and a symmetrickey encryption (e.g., onetime padding and blockciphers).
Public Key Cryptosystems using Elliptic Curves
, 1997
"... This report is a survey on public key cryptosystems that use the theory of elliptic curves. A considerable part will be about the theory of elliptic curves. Encryption systems, digital signature schemes and key agreement schemes using elliptic curves will be described. Their workload and bandwidth w ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
This report is a survey on public key cryptosystems that use the theory of elliptic curves. A considerable part will be about the theory of elliptic curves. Encryption systems, digital signature schemes and key agreement schemes using elliptic curves will be described. Their workload and bandwidth will be addressed and some attacks will be described. For all systems the security is based either on the elliptic curve discrete logarithm problem or on the difficulty of factorization. The differences between conventional and elliptic curve systems shall be addressed. Systems based on the elliptic curve discrete logarithm problem can be used with shorter keys to provide the same security, compared to similar conventional systems. Elliptic curve systems based on factoring are slightly more resistant as conventional systems against some attacks.
On Security of Koyama Scheme
 Eprint Archive2005/153, http://eprint.iacr.org/2005/153.pdf
, 2005
"... An attack is possible upon all three RSA analogue PKCs based on singular cubic curves given by Koyama. While saying so, Seng et al observed that the scheme become insecure if a linear relation is known between two plaintexts. In this case, attacker has to compute greatest common divisor of two polyn ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
An attack is possible upon all three RSA analogue PKCs based on singular cubic curves given by Koyama. While saying so, Seng et al observed that the scheme become insecure if a linear relation is known between two plaintexts. In this case, attacker has to compute greatest common divisor of two polynomials corresponding to those two plaintexts. However, the computation of greatest common divisor of two polynomials is not e#cient. For the reason, the degree e of both polynomials, an encryption exponent, is quite large. In this paper, we propose an algorithm, which makes the attack considerably e#cient. Subsequently, we identify isomorphic attack on the Koyama schemes by using the isomorphism between two singular cubic curves.