REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform
CT-RSA 2001, volume 2020 of LNCS, 2001
Abstract. Seven years after the optimal asymmetric encryption padding (OAEP), which makes a chosen-ciphertext secure encryption scheme from any trapdoor one-way permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem, in the random oracle model: it is optimal from both the computational and the security points of view. Indeed, the overload is negligible, since it just consists of two more hashings for both encryption and decryption, and the reduction is very tight. Furthermore, advantages of REACT beyond OAEP are numerous: 1. it is more general since it applies to any partially trapdoor one-way function (a.k.a. weakly secure public-key encryption scheme) and therefore provides security relative to RSA but also to the Diffie-Hellman problem or the factorization; 2. it is possible to integrate symmetric encryption (block and stream ciphers) to reach very high speed rates; 3. it provides a key distribution with session key encryption, whose overall scheme achieves chosen-ciphertext security even with a weakly secure symmetric scheme. Therefore, REACT could become a new alternative to OAEP, and even reach security relative to factorization, while allowing symmetric integration.
Security and Privacy Issues in E-passports
2005
Within the next year, travelers from dozens of nations may be carrying a new form of passport in response to a mandate by the United States government. The e-passport, as it is sometimes called, represents a bold initiative in the deployment of two new technologies: Radio-Frequency Identification (RFID) and biometrics. Important in their own right, e-passports are also the harbinger of a wave of next-generation ID cards: several national governments plan to deploy identity cards integrating RFID and biometrics for domestic use. We explore the privacy and security implications of this impending worldwide experiment in next-generation authentication technology. We describe privacy and security issues that apply to e-passports, then analyze these issues in the context of the International Civil Aviation Organization (ICAO) standard for e-passports.
Chosen-Ciphertext Security for any One-Way Cryptosystem
In PKC '00, LNCS 1751, 2000
Abstract. For two years, public key encryption has become an essential topic in cryptography, namely with security against chosen-ciphertext attacks. This paper presents a generic technique to make a highly secure cryptosystem from any partially trapdoor one-way function, in the random oracle model. More concretely, any suitable problem providing a one-way cryptosystem can be efficiently derived into a chosen-ciphertext secure encryption scheme. Indeed, the overhead only consists of two hashings and an XOR. As an application, we provide the most efficient El Gamal encryption variant, therefore secure relative to the computational Diffie-Hellman problem. Furthermore, we present the first scheme whose security is relative to the factorization of large integers, with a perfect reduction (factorization is performed within the same time and with identical probability of success as the security break).
Why Textbook ElGamal and RSA Encryption are Insecure (Extended Abstract)
2000
We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher, it is often possible to recover the secret key from the ciphertext. Our results demonstrate that preprocessing messages prior to encryption is an essential part of both systems.
Signing on a Postcard
In Proceedings of Financial Cryptography, 2000
We investigate the problem of signing short messages using a scheme that minimizes the total length of the original message and the appended signature. This line of research was motivated by several postal services interested in stamping machines capable of producing digital signatures. Although several message recovery schemes exist, their security is questionable. This paper proposes variants of DSA and ECDSA allowing partial recovery: the signature is appended to a truncated message and the discarded bytes are recovered by the verification algorithm.
Fault Attacks on RSA Signatures with Partially Unknown Messages
Proceedings of CHES 2009, LNCS, 2009
Abstract. Fault attacks exploit hardware malfunctions to recover secrets from embedded electronic devices. In the late 90's, Boneh, DeMillo and Lipton [6] introduced fault-based attacks on CRT-RSA. These attacks factor the signer's modulus when the message padding function is deterministic. However, the attack does not apply when the message is partially unknown, for example when messages contain some randomness which is recovered only when verifying a correct signature. In this paper we successfully extend RSA fault attacks to a large class of partially known message configurations. The new attacks rely on Coppersmith's algorithm for finding small roots of multivariate polynomial equations. We illustrate the approach by successfully attacking several randomized versions of the ISO/IEC 9796-2 encoding standard. Practical experiments show that a 2048-bit modulus can be factored in less than a minute given one faulty signature containing 160 random bits and an unknown 160-bit message digest. Keywords: Fault attacks, digital signatures, RSA, Coppersmith's theorem, ISO/IEC 9796-2.
Fault Attacks Against EMV Signatures
Abstract. At CHES 2009, Coron, Joux, Kizhvatov, Naccache and Paillier (CJKNP) exhibited a fault attack against RSA signatures with partially known messages. This attack allows factoring the public modulus N. While the size of the unknown message part (UMP) increases with the number of faulty signatures available, the complexity of CJKNP's attack increases exponentially with the number of faulty signatures. This paper describes a simpler attack, whose complexity is polynomial in the number of faults; consequently, the new attack can handle much larger UMPs. The new technique can factor N in a fraction of a second using ten faulty EMV signatures, a target beyond CJKNP's reach. We show how to apply the attack even when N is unknown, a frequent situation in real-life attacks.
Secure and private distribution of online video and several related cryptographic issues
In ACISP, 2001
Abstract. With the rapid growth of broadband infrastructure, it is thought that the bottleneck for video-on-demand service through the Internet is being cleared. However, digital video content protection and consumers' privacy protection emerge as new major obstacles. In this paper we propose an online video distribution system with strong content security and privacy protection. We mainly focus on the study of security and privacy problems related to the system. Besides presenting the new system, we intensively discuss some relevant cryptographic issues, such as content protection, private information retrieval, super-speed encryption/decryption for video, and PKC with fast decryption, etc. The paper can be viewed as one that proposes practical solutions to real life problems, as well as one that presents applied cryptography research.
On the Joint Security of Encryption and Signature in EMV
Abstract. We provide an analysis of current and future algorithms for signature and encryption in the EMV standards in the case where a single keypair is used for both signature and encryption. We give a theoretical attack for EMV's current RSA-based algorithms, showing how access to a partial decryption oracle can be used to forge a signature on a freely chosen message. We show how the attack might be integrated into EMV's CDA protocol flow, enabling an attacker with a wedge device to complete an offline transaction without knowing the cardholder's PIN. Finally, the elliptic curve signature and encryption algorithms that are likely to be adopted in a forthcoming version of the EMV standards are analyzed in the single keypair setting, and shown to be secure.
Randomization Enhanced Blind Signature Schemes Based on RSA
1999
In this letter, we show that Fan-Chen-Yeh's blind signature scheme and Chien-Jan-Tseng's partially blind signature scheme are vulnerable to the chosen-plaintext attack. We also show that both schemes can be modified so that the chosen-plaintext attack is impossible. But, still, Chien-Jan-Tseng's partially blind signature scheme is vulnerable. It fails to satisfy the partial blindness property.