Cryptanalysis of short RSA secret exponents
 IEEE Transactions on Information Theory
, 1990
Cited by 141 (1 self)
A cryptanalytic attack on the use of short RSA secret exponents is described. This attack makes use of an algorithm based on continued fractions which finds the numerator and denominator of a fraction in polynomial time when a close enough estimate of the fraction is known. The public exponent e and the modulus pq can be used to create an estimate of a fraction which involves the secret exponent d. The algorithm based on continued fractions uses this estimate to discover sufficiently short secret exponents. For a typical case where e < pq, GCD(p-1, q-1) is small, and p and q have approximately the same number of bits, this attack will discover secret exponents with up to approximately one-quarter as many bits as the modulus. Ways to combat this attack, ways to improve it, and two open problems are described. This attack poses no threat to the normal case of RSA where the secret exponent is approximately the same size as the modulus. This is because this attack uses information provided by the public exponent and, in the normal case, the public exponent can be chosen almost independently of the modulus. Key words: RSA, cryptanalysis, continued fraction, short exponent.
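The attack in this abstract, carried through in code as an added example (Python; this is not code from Wiener's paper). A key pair is generated with a deliberately short d and e = d^-1 mod phi(N), then the convergents of e/N are tried as candidates for the fraction k/d hidden in e*d = 1 + k*phi(N): each candidate phi gives p + q = N - phi + 1, and a perfect-square discriminant (p + q)^2 - 4N confirms the factorization. The parameters (a 256-bit modulus, a 56-bit d, a seeded RNG and a small Miller-Rabin routine) are the example's own choices; the second key pair uses the normal e = 65537 with a full-size d, on which the same search finds nothing, which is the "normal case" the abstract's last two sentences describe.

```python
# Wiener's continued-fraction attack on a short RSA d (added example; toy 256-bit parameters).
import random
from math import gcd, isqrt

def continued_fraction(num, den):
    """Partial quotients [a0; a1, ...] of num/den via Euclid's algorithm."""
    quotients = []
    while den:
        q, r = divmod(num, den)
        quotients.append(q)
        num, den = den, r
    return quotients

def convergents(quotients):
    """Yield the convergents (numerator, denominator) of a continued fraction, in order."""
    h_prev, h = 0, 1  # h_{-2}, h_{-1}
    k_prev, k = 1, 0  # k_{-2}, k_{-1}
    for a in quotients:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k

def wiener_attack(e, n):
    """Try each convergent k/d of e/n as the k/d in e*d = 1 + k*phi(n).
    Returns (d, p, q) on success, None if no convergent factors n."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1        # would be p + q if phi is right
        disc = s * s - 4 * n   # would then be (p - q)^2
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc:
            continue
        p, q = (s + r) // 2, (s - r) // 2
        if p * q == n:
            return d, p, q
    return None

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin after a few trial divisions; adequate for a demonstration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if is_probable_prime(cand, rng):
            return cand

def keygen(bits, rng, d_bits=None, e=65537):
    """Two equal-size primes. With d_bits set, pick a short d and derive e (the weak
    design the abstract warns about); otherwise the normal small e and full-size d."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if d_bits is None:
            if gcd(e, phi) != 1:
                continue
            return n, e, pow(e, -1, phi), p, q
        d = rng.getrandbits(d_bits) | (1 << (d_bits - 1)) | 1
        while gcd(d, phi) != 1:
            d = rng.getrandbits(d_bits) | (1 << (d_bits - 1)) | 1
        return n, pow(d, -1, phi), d, p, q

def demo(seed=2024):
    """Recover a 56-bit d from a 256-bit modulus; then show the e = 65537 key resists."""
    rng = random.Random(seed)
    n, e, d, p, q = keygen(256, rng, d_bits=56)
    short = wiener_attack(e, n)
    n2, e2, _, _, _ = keygen(256, rng)
    return {
        "d_below_bound": d < isqrt(isqrt(n)) // 3,  # theorem's bound, roughly n^(1/4)/3
        "short_d_recovered": short is not None and short[0] == d and {short[1], short[2]} == {p, q},
        "normal_case_broken": wiener_attack(e2, n2) is not None,
    }

if __name__ == "__main__":
    print(demo())
```

The search is cheap: e/N has O(log N) convergents, so the attack costs a handful of big-integer divisions regardless of how large d is. What protects the normal key is not the work factor but the fact that with a full-size d the fraction k/d is nowhere near e/N, so it never appears among the convergents.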
New Public-Key Schemes Based on Elliptic Curves over the Ring Z_n
, 1991
Cited by 46 (0 self)
Three new trapdoor one-way functions are proposed that are based on elliptic curves over the ring Z_n. The first class of functions is a naive construction, which can be used only in a digital signature scheme, and not in a public-key cryptosystem. The second, preferred class of function does not suffer from this problem and can be used for the same applications as the RSA trapdoor one-way function, including zero-knowledge identification protocols. The third class of functions has similar properties to the Rabin trapdoor one-way functions. Although the security of these proposed schemes is based on the difficulty of factoring n, like the RSA and Rabin schemes, these schemes seem to be more secure than those schemes from the viewpoint of attacks without factoring, such as low multiplier attacks.
A Chosen Text Attack on the RSA Cryptosystem and Some Discrete Logarithm Schemes
, 1986
Cryptovirology: Extortion-Based Security Threats and Countermeasures
 In Proceedings of the IEEE Symposium on Security and Privacy
, 1996
Cited by 19 (0 self)
Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. In this paper we present the idea of Cryptovirology, which employs a twist on cryptography, showing that it can also be used offensively. By being offensive we mean that it can be used to mount extortion-based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents. In this paper we analyze potential threats and attacks that rogue use of cryptography can cause when combined with rogue software (viruses, Trojan horses), and demonstrate them experimentally by presenting an implementation of a cryptovirus that we have tested (we took careful precautions in the process to insure that the virus remained contained). Public-key cryptography is essential to the attacks that we demonstrate (which we call "cryptovirological attacks"). We also suggest countermeasures and mechanis...
How to Forge DES-Encrypted Messages in 2^28 Steps
, 1996
Cited by 17 (0 self)
In this paper we suggest key-collision attacks, and show that the theoretic strength of a cipher cannot exceed the square root of the size of the key space. As a result, in some circumstances, some DES keys can be recovered while they are still in use, and these keys can then be used to forge messages: in particular, one key of DES can be recovered with complexity 2^28, and one key of (three-key) triple-DES can be recovered with complexity 2^84.
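The key-collision idea in this abstract, as an added example (Python; not code from the paper). The attacker precomputes a table of a known plaintext block encrypted under T random keys, then watches M sessions that each encrypt that same block under their own independent key; any ciphertext already in the table gives up that session's key. Each session key lands in the table with probability about T/|K|, so the expected number of recovered keys is T*M/|K|, and at T = M = sqrt(|K|) the attacker expects one key for sqrt(|K|) work, which is the square-root ceiling the abstract states. The block cipher here is a constructed stand-in (truncated SHA-256 of key || block with a 20-bit key), the fixed header block is constructed, and the RNG is seeded; none of that comes from the paper. With T = M = 2^13 over 2^20 keys the example expects 64 hits.

```python
# Key-collision (birthday) attack in the style of Biham's paper, on a toy cipher (added example).
import hashlib
import random

KEY_BITS = 20              # toy key space of 2^20 (DES has 2^56)
KNOWN_BLOCK = b"HDR:v1.0"  # constructed: a fixed header block every sender encrypts first

def toy_encrypt(key, block):
    """Stand-in for a 64-bit block cipher: truncated SHA-256 of key || block. Not DES."""
    return hashlib.sha256(key.to_bytes(3, "big") + block).digest()[:8]

def build_table(n_keys, rng):
    """Offline phase: map ciphertext of KNOWN_BLOCK -> key for n_keys random keys."""
    table = {}
    for _ in range(n_keys):
        k = rng.getrandbits(KEY_BITS)
        table[toy_encrypt(k, KNOWN_BLOCK)] = k
    return table

def key_collision_attack(table, observed):
    """Online phase: observed[i] is KNOWN_BLOCK encrypted under session i's unknown key.
    A ciphertext already in the table reveals that session's key; return (index, key) pairs."""
    return [(i, table[ct]) for i, ct in enumerate(observed) if ct in table]

def expected_hits(table_size, n_sessions):
    """Each session key is in the table with probability ~ table_size / 2^KEY_BITS."""
    return table_size * n_sessions / 2 ** KEY_BITS

def demo(seed=1, table_size=1 << 13, n_sessions=1 << 13):
    rng = random.Random(seed)
    table = build_table(table_size, rng)
    # Victims' session keys: independent, never seen by the attacker directly.
    session_keys = [rng.getrandbits(KEY_BITS) for _ in range(n_sessions)]
    observed = [toy_encrypt(k, KNOWN_BLOCK) for k in session_keys]
    hits = key_collision_attack(table, observed)
    return {
        "hits": len(hits),
        "all_correct": all(session_keys[i] == k for i, k in hits),
        "expected": expected_hits(table_size, n_sessions),
    }

if __name__ == "__main__":
    r = demo()
    print(f"recovered {r['hits']} session keys (expected ~{r['expected']:.0f}), "
          f"all verified: {r['all_correct']}")
```

Two properties of the attack carry over from the toy to DES unchanged: the attacker needs a plaintext block that appears encrypted under every key in play (a fixed protocol header, for instance), and what is recovered is some session's key, not the key of a chosen target. Scaling the arithmetic to DES gives the abstract's figure: a 2^28-entry table against 2^28 sessions has 2^28 * 2^28 / 2^56 = 1 expected hit.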
On the design of RSA with short secret exponent
 Proc. of Asiacrypt ’99, LNCS
, 1999
"... Based on continued fractions Wiener showed that a typical RSA system can be to ..."
Cited by 13 (2 self)
van Tilborg, "Binding ElGamal: A Fraud-Detectable Alternative to Key-Escrow Proposals"
 Advances in Cryptology — Proc. of Eurocrypt ’97, LNCS 1233
, 1997
Cited by 11 (0 self)
We propose a concept for a worldwide information security infrastructure that protects law-abiding citizens, but not criminals, even if the latter use it fraudulently (i.e. when not complying with the agreed rules). It can be seen as a middle course between the inflexible but fraud-resistant KMI proposal [8] and the flexible but non-fraud-resistant concept used in TIS-CKE [2]. Our concept consists of adding binding data to the latter concept, which will not prevent fraud by criminals but makes it at least detectable by third parties without the need of any secret information. In [19], we depict a worldwide framework in which this concept could present a security tool that is flexible enough to be incorporated in any national cryptography policy, on both the domestic and foreign use of cryptography. Here, we present a construction for binding data for ElGamal-type public key encryption schemes. As a side result we show that a particular simplification in a multi-user version of ElGamal does not affect its security.