Low exponent attack against elliptic curve RSA
, 1995
Cited by 5 (0 self)
Hastad showed that low exponent RSA is not secure if the same message is encrypted to several receivers. This is true even if time-stamp is used for each receiver. For example, let e = 3. Then if the number of receivers = 7, the eavesdropper can find the plaintext from the seven ciphertexts of each receiver. This paper shows that elliptic curve RSA is not secure in the same scenario. It is shown that the KMOV scheme and Demytko's scheme are not secure if e = 5; n 2 1024 and the number of receivers = 428. In Demytko's scheme, e can take the value of 2. In this case, this system is not secure if the number of receivers = 11 for n 2 175. 1 Introduction Hastad showed that low exponent RSA is not secure if the same message is encrypted to several receivers [1]. This is true even if time-stamp is used for each receiver. For example, let e = 3. Then if the number of receivers = 7, the eavesdropper can find the plaintext from the seven ciphertexts of each receiver. On the other hand, el...
Reducing the Elliptic Curve Cryptosystem of Meyer-Müller to the Cryptosystem of Rabin-Williams
, 1996
Cited by 3 (1 self)
At Eurocrypt'96, Meyer and Müller presented a new Rabin-type cryptosystem based on elliptic curves. In this paper, we will show that this cryptosystem may be reduced to the cryptosystem of Williams-Rabin. 1 Introduction In 1991, Koyama, Maurer, Okamoto and Vanstone [15] pointed out the existence of new one-way trapdoor functions similar to the RSA on elliptic curves over a ring. At Eurocrypt'96, Meyer and Müller presented another elliptic RSA-type cryptosystem with a public encryption exponent equal to 2. We will show that this cryptosystem may be reduced to the cryptosystem of Rabin-Williams [20, 22]. The remainder of the paper is organized as follows. Section 2 describes the cryptosystem of Meyer and Müller. In Section 3, we show how it may be reduced to the cryptosystem of Rabin-Williams. Finally, we conclude in Section 4. CG-1996/4 © 1996 by UCL Crypto Group. For more information, see http://www.dice.ucl.ac.be/crypto/techreports.html Presented at the rump session of Eurocr...
Cryptanalysis of RSA-Type Cryptosystems: A Visit
- DIMACS Series in Discr. Math. and Th. Comp. Sci., AMS
, 1998
Cited by 3 (0 self)
This paper surveys RSA-type implementations based on Lucas sequences and on elliptic curves. The main focus is the way how some known attacks on RSA were extended to LUC, KMOV and Demytko's system. It also gives some directions for the choice of the most appropriate RSA-type system for a given application. 1. INTRODUCTION In 1978, Rivest, Shamir and Adleman [63] introduced the so-called RSA cryptosystem. Its security mainly relies on the difficulty of factoring carefully chosen large integers. After this breakthrough, other structures were proposed to produce analogues to RSA. So, Müller and Nöbauer [54, 55] presented a cryptosystem using Dickson polynomials. This system was afterwards slightly modified and rephrased in terms of Lucas sequences by Smith and Lennon [70, 72]. More recently, Koyama, Maurer, Okamoto and Vanstone [41] exhibited new one-way trapdoor functions similar to RSA on elliptic curves, the so-called KMOV cryptosystem. Later, Demytko [20] also pointed out a new one-...
A Survey on the Encryption of Convergecast Traffic with In-Network Processing
Cited by 3 (0 self)
Abstract—We present an overview of end-to-end encryption solutions for convergecast traffic in wireless sensor networks that support in-network processing at forwarding intermediate nodes. Other than hop-by-hop based encryption approaches, aggregator nodes can perform in-network processing on encrypted data. Since it is not required to decrypt the incoming ciphers before aggregating, substantial advantages are 1) neither keys nor plaintext is available at aggregating nodes, 2) the overall energy consumption of the backbone can be reduced, 3) the system is more flexible with respect to changing routes, and finally 4) the overall system security increases. We provide a qualitative comparison of available approaches, point out their strengths, respectively weaknesses, and investigate opportunities for further research. Index Terms—Cryptography, wireless sensor networks, convergecast, concealed data aggregation.
Faulty RSA encryption
, 1997
Cited by 2 (0 self)
The authors show that the presence of transient faults is dangerous when encrypting messages with the RSA cryptosystem. In particular, they show how a cryptanalyst can recover a plaintext without knowing the secret parameters. 1 Introduction Simmons pointed out in [1] that the use of a common RSA [2] modulus is dangerous. Indeed, if the same message $m$ is encrypted with coprime public encryption keys $e_1$ and $e_2$, then it can easily be recovered as follows. Let $c_1 = m^{e_1} \bmod n$ and $c_2 = m^{e_2} \bmod n$ be the ciphertexts corresponding to message $m$. Since $\gcd(e_1, e_2) = 1$, there exist $u, v \in \mathbb{Z}$ such that $ue_1 + ve_2 = 1$. Therefore, message $m$ is recovered as $m = m^{ue_1 + ve_2} \equiv c_1^u c_2^v \pmod{n}$. (1) In the next Section, we will show that a similar technique enables to recover a plaintext in the presence of transient faults. 2 Faulty RSA encryption We suppose that an error occurs during the computation of the ciphertext. More precisely, if $e = \sum_{i=0}^{t-1} e_i 2^i$ denotes...
EPOC: Efficient Probabilistic Public-Key Encryption
Cited by 1 (0 self)
We describe a novel public-key cryptosystem, EPOC (Efficient Probabilistic Public-Key Encryption), which has three versions: EPOC-1, EPOC-2 and EPOC-3. EPOC-1 is a public-key encryption system that uses a one-way trapdoor function and a random function (hash function). EPOC-2 and EPOC-3 are public-key encryption systems that use a one-way trapdoor function, two random functions (hash functions) and a symmetric-key encryption (e.g., one-time padding and block-ciphers).
Public Key Cryptosystems using Elliptic Curves
, 1997
Cited by 1 (0 self)
This report is a survey on public key cryptosystems that use the theory of elliptic curves. A considerable part will be about the theory of elliptic curves. Encryption systems, digital signature schemes and key agreement schemes using elliptic curves will be described. Their workload and bandwidth will be addressed and some attacks will be described. For all systems the security is based either on the elliptic curve discrete logarithm problem or on the difficulty of factorization. The differences between conventional and elliptic curve systems shall be addressed. Systems based on the elliptic curve discrete logarithm problem can be used with shorter keys to provide the same security, compared to similar conventional systems. Elliptic curve systems based on factoring are slightly more resistant than conventional systems against some attacks.
On Security of Koyama Scheme
- Eprint Archive-2005/153, http://eprint.iacr.org/2005/153.pdf
, 2005
Cited by 1 (1 self)
An attack is possible upon all three RSA analogue PKCs based on singular cubic curves given by Koyama. While saying so, Seng et al observed that the scheme becomes insecure if a linear relation is known between two plaintexts. In this case, attacker has to compute greatest common divisor of two polynomials corresponding to those two plaintexts. However, the computation of greatest common divisor of two polynomials is not efficient. For the reason, the degree e of both polynomials, an encryption exponent, is quite large. In this paper, we propose an algorithm, which makes the attack considerably efficient. Subsequently, we identify isomorphic attack on the Koyama schemes by using the isomorphism between two singular cubic curves.
Generalised Cycling Attacks on RSA
Given an RSA modulus $n$, a ciphertext $c$ and the encryption exponent $e$, one can construct the sequence $x_0 = c \bmod n$, $x_{i+1} = x_i^e \bmod n$, $i = 0, 1, \ldots$ until $\gcd(x_{i+1} - x_0, n) \neq 1$ or $i > B$, $B$ a given boundary. If i B, there are two cases. Case 1: $\gcd(x_{i+1} - x_0, n) = n$. In this case $x_i = m$ and the secret message $m$ can be recovered. Case 2: $1 \neq \gcd(x_{i+1} - x_0, n) \neq n$. In this case, the RSA modulus $n$ can be factorised. If i B, then Case 2 is much more likely to occur than Case 1. This attack is called a cycling attack. We introduce some new generalised cycling attacks. These attacks work without the knowledge of $e$ and $c$. Therefore, these attacks can be used as factorisation algorithms. We introduce Lucas sequences $V(P, 1)$, the Carmichael function (\Delta) and we define the \Omega\Gamma \Delta; \Delta) function. The attacks involve Lucas sequences. The Carmichael and the Omega functions then describe an upper bound of the complexity of the attacks. We als...
Topics in Public-Key Cryptography II
, 1999
$V_n(P, Q)$ from Dickson polynomials $V_n(P, Q) = \sum_{i=0}^{\lfloor n/2 \rfloor} \frac{n}{n-i} \binom{n-i}{i} (-Q)^i P^{n-2i}$ Fact: $V_n(V_k(P, Q), Q^k) = V_{nk}(P, Q)$. In particular, if $Q = 1$, then $V_n(V_k(P, 1), 1) = V_{nk}(P, 1) = V_k(V_n(P, Q), 1)$. The above fact forms the basis for many RSA and ElGamal type cryptosystems based on Lucas sequences. Observe th

