The state of cryptographic hash functions
- in Lectures on Data Security: Modern Cryptology in Theory and Practice, LNCS 1561, 1999
"... bart.preneel(AT)esat.kuleuven.be ..."
Cryptanalysis of countermeasures proposed for repairing ISO 9796-1
- In Proc. of Eurocrypt'2000, LNCS. IACR, 2000
Cited by 5 (0 self)
Abstract. ISO 9796-1, published in 1991, was the first standard specifying a digital signature scheme with message recovery. In [4], Coron, Naccache and Stern described an attack on a slight modification of ISO 9796-1. Then, Coppersmith, Halevi and Jutla turned it into an attack against the standard in full [2]. They also proposed five countermeasures for repairing it. In this paper, we show that all these countermeasures can be attacked, either by using already existing techniques (including a very recent one), or by introducing new techniques, one of them based on the decomposition of an integer into sums of two squares.
Thomé, When e-th roots become easier than factoring
- Progress in Cryptology – Asiacrypt 2007, LNCS 4833, 2007
Cited by 4 (1 self)
Abstract. We show that computing e-th roots modulo n is easier than factoring n with currently known methods, given subexponential access to an oracle outputting the roots of numbers of the form x_i + c. Here c is fixed and x_i denotes small integers of the attacker’s choosing. The attack comes in two flavors: – A first version is illustrated here by producing selective roots of the form x_i + c in Ln ( 1 q 3 32
Cryptanalysis of RSA signatures with fixed-pattern padding
- In Advances in Cryptology -- Crypto 2001, LNCS 2139, 2001
Cited by 4 (3 self)
Keywords. RSA signatures, fixed-pattern padding, affine redundancy. 1 Introduction RSA was invented in 1977 by Rivest, Shamir and Adleman [8], and is now the most widely used public-key cryptosystem. RSA is commonly used for providing privacy and authenticity of digital data, and securing web traffic between servers and browsers. A very common practice for signing with RSA is to first hash the message, add some padding, and then raise the result to the power of the decryption exponent. This paradigm is the basis of numerous standards such as PKCS #1 v2.0 [9].
Cryptanalysis of RSA-Type Cryptosystems: A Visit
- DIMACS Series in Discr. Math. and Th. Comp. Sci., AMS, 1998
Cited by 3 (0 self)
This paper surveys RSA-type implementations based on Lucas sequences and on elliptic curves. The main focus is the way how some known attacks on RSA were extended to LUC, KMOV and Demytko's system. It also gives some directions for the choice of the most appropriate RSA-type system for a given application. 1. INTRODUCTION In 1978, Rivest, Shamir and Adleman [63] introduced the so-called RSA cryptosystem. Its security mainly relies on the difficulty of factoring carefully chosen large integers. After this breakthrough, other structures were proposed to produce analogues to RSA. So, Muller and Nobauer [54, 55] presented a cryptosystem using Dickson polynomials. This system was afterwards slightly modified and rephrased in terms of Lucas sequences by Smith and Lennon [70, 72]. More recently, Koyama, Maurer, Okamoto and Vanstone [41] exhibited new one-way trapdoor functions similar to RSA on elliptic curves, the so-called KMOV cryptosystem. Later, Demytko [20] also pointed out a new one-...
A Complete and Explicit Security Reduction Algorithm for RSA-based Cryptosystems
- LNCS, 2003
Cited by 2 (1 self)
In this paper, we introduce a conceptually very simple and demonstrative algorithm for finding small solutions (x, y) of ax + y = c mod N, where gcd(a, N) = 1.
Selective forgery of RSA signatures with fixed-pattern padding
- Proceedings of the 5-th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography, LNCS, 2002
Cited by 2 (1 self)
We present a practical selective forgery attack against RSA signatures with fixed-pattern padding shorter than two thirds of the modulus length. Our result extends the practical existential forgery of such RSA signatures that was presented at Crypto 2001. For an n-bit modulus the heuristic asymptotic runtime of our forgery is comparable to the time required to factor a modulus of only (9/64)n bits. Thus, the security provided by short fixed-pattern padding is negligible compared to the security it is supposed to provide.
Divisibility, Smoothness and Cryptographic Applications
- 2008
This paper deals with products of moderate-size primes, familiarly known as smooth numbers. Smooth numbers play a crucial role in information theory, signal processing and cryptography. We present various properties of smooth numbers relating to their enumeration, distribution and occurrence in various integer sequences. We then turn our attention to cryptographic applications in which smooth numbers play a pivotal role.

