Attacking and repairing batch verification schemes
In Advances in Cryptology - ASIACRYPT 2000, 2000
Cited by 18 (4 self)
Abstract
Batch verification can provide large computational savings when several signatures, or other constructs, are verified together. Several batch verification algorithms have been published in recent years, in particular for both DSA-type and RSA signatures. We describe new attacks on several of these published schemes. A general weakness is explained which applies to almost all known batch verifiers for discrete logarithm based signature schemes. It is shown how this weakness can be eliminated given extra properties about the underlying group structure. A new general batch verifier for exponentiation in any cyclic group is also described as well as a batch verifier for modified RSA signatures.
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent
2002
Cited by 10 (1 self)
Abstract
We present lattice-based attacks on RSA with prime factors p and q of unbalanced size. In our scenario, the factor q is smaller than N^β and the decryption exponent d is small modulo p − 1. We introduce two approaches that both use a modular bivariate polynomial equation with a small root. Extracting this root is in both methods equivalent to the factorization of the modulus N = pq. Applying a method of Coppersmith, one can construct from a bivariate modular equation a bivariate polynomial f(x, y) over Z that has the same small root. In our first method, we prove that one can extract the desired root of f(x, y) in polynomial time. This method works up to β < (3 − √5)/2 ≈ 0.382. Our second method uses a heuristic to find the root. This method improves upon the first one by allowing larger values of d modulo p − 1.
Tunable Balancing of RSA
In Proceedings of ACISP 2005, Lecture Notes in Computer Science, 2005
Cited by 6 (0 self)
Abstract
We propose a key generation method for RSA moduli which allows the cost of the public operations (encryption/verifying) and the private operations (decryption/signing) to be balanced according to the application requirements. Our method is a generalisation of using small public exponents and small Chinese remainder (CRT) private exponents. Our results are most relevant in the case where the cost of private operations must be optimised. We give methods for which the cost of private operations is the same as the previous fastest methods, but where the public operations are significantly faster. For example, the fastest known (1024 bit) RSA decryption is using small CRT private exponents and moduli which are a product of three primes. In this case we equal the fastest known decryption time and also make the encryption time around 4 times faster. The paper gives an analysis of the security of keys generated by our method, and several new attacks. The ingredients of our analysis include several ideas of Coppersmith and a new technique which exploits linearisation. We also present a new birthday attack on low Hamming-weight private exponents.
C. T. Yang, "RSA with balanced short exponents and its application to entity authentication"
In Public Key Cryptology - PKC 2005, Lecture Notes in Computer Science, New York
Cited by 5 (1 self)
Abstract
In typical RSA, it is impossible to create a key pair (e, d) such that both are simultaneously much shorter than φ(N). This is because if d is selected first, then e will be of the same order of magnitude as φ(N), and vice versa. At Asiacrypt'99, Sun et al. designed three variants of RSA using prime factors p and q of unbalanced size. The first RSA variant is an attempt to make the private exponent d short below N^0.25 and N^0.292, which are the lower bounds of d for a secure RSA as argued first by Wiener and then by Boneh and Durfee. The second RSA variant is constructed in such a way that both d and e have the same bit-length (1/2) log_2 N + 56. The third RSA variant is constructed by such a method that allows a tradeoff between the lengths of d and e. Unfortunately, at Asiacrypt'2000, Durfee and Nguyen broke the illustrated instances of the first RSA variant and the third RSA variant by solving small roots to trivariate modular polynomial equations. Moreover, they showed that the instances generated by these three RSA variants with unbalanced p and q in fact become more insecure than those instances, having the same sizes of exponents as the former, in RSA with balanced p and q. In this paper, we focus on designing a new RSA variant with balanced d and e, and balanced p and q, in order to make such an RSA variant more secure. Moreover, we also extend this variant to another RSA variant which allows a tradeoff between the lengths of d and e. Based on our RSA variants, an application to entity authentication for defending against the stolen-secret attack is presented.
Cryptanalysis of Short Exponent RSA with Primes Sharing Least Significant Bits
Hung-Min Sun, Mu-En Wu
2008
Abstract
LSBS-RSA denotes an RSA system with modulus primes, p and q, sharing a large number of least significant bits. In ISC 2007, Zhao and Qi analyzed the security of short exponent LSBS-RSA. They claimed that short exponent LSBS-RSA is much more vulnerable to the lattice attack than the standard RSA. In this paper, we point out that there exist some errors in the calculation of Zhao & Qi's attack. After recalculating, the result shows that their attack is unable to attack RSA with primes sharing bits. Consequently, we give a revised version to make their attack feasible. We also propose a new method to further extend the security boundary, compared with the revised version. The proposed attack also supports the result of analogue Fermat factoring on LSBS-RSA, which claims that p and q cannot share more than n/4 least significant bits, where n is the bit-length of pq. In conclusion, it is a trade-off between the number of sharing bits and the security level in LSBS-RSA. One should be more careful when using LSBS-RSA with short exponents.
Keywords: RSA, least significant bits (LSBs), LSBS-RSA, short exponent attack, lattice reduction technique, the Boneh-Durfee attack.
Generalization of Boneh-Durfee's Attack for Arbitrary Public Exponent RSA
Abstract
In 2000, Boneh-Durfee extended the bound for the low private exponent from 0.25 (provided by Wiener) to 0.292, with the public exponent size the same as the modulus size. They used the powerful lattice reduction algorithm (LLL) together with Coppersmith's theory of polynomials. In this paper we generalize their attack to an arbitrary public exponent.
Lattice based Attacks on Small Private Exponent RSA: A Survey
Abstract
Lattice basis reduction algorithms have contributed a lot to the cryptanalysis of the RSA cryptosystem. With Coppersmith's theory of polynomials, these algorithms search for weak instances of number-theoretic cryptography, mainly RSA. In this paper we present several lattice based attacks on low private exponent RSA.
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent
Abstract
We present lattice-based attacks on RSA with prime factors p and q of unbalanced size. In our scenario, the factor q is smaller than N^β and the decryption exponent d is small modulo p − 1. We introduce two approaches that both use a modular bivariate polynomial equation with a small root. Extracting this root is in both methods equivalent to the factorization of the modulus N = pq. Applying a method of Coppersmith, one can construct from a bivariate modular equation a bivariate polynomial f(x, y) over Z that has the same small root. In our first method, we prove that one can extract the desired root of f(x, y) in polynomial time. This method works up to β < (3 − √5)/2 ≈ 0.382. Our second method uses a heuristic to find the root. This method improves upon the first one by allowing larger values of d modulo p − 1 provided that β ≤ 0.23.
Enhancing Security in Cloud computing using Public Key Cryptography with Matrices
Abstract
The increasing demand for cloud applications has led to an ever growing need for security mechanisms. Cloud computing is a technique to leverage distributed computing resources one does not own, using the internet, in an on-demand pay-per-use strategy. A user can access cloud services as a utility service and begin to use them almost instantly. These features that make cloud computing so flexible, together with the fact that services are accessible anywhere, anytime, lead to several potential risks. The most serious concerns are the possibility of a lack of confidentiality, integrity and authentication among the cloud users and service providers. The key intent of this research work is to investigate the existing security schemes and to ensure data confidentiality, integrity and authentication. In our model symmetric and asymmetric cryptographic algorithms are adopted for the optimization of data security in cloud computing. These days encryption techniques which use large keys (RSA and other schemes based on exponentiation of integers) are seldom used for data encryption due to computational overhead. Their usage is restricted to transport of keys for symmetric key encryption and to signature schemes where the data size is generally small. Public Key Cryptography with Matrices is a three-stage secured algorithm. We generate a system of non-homogeneous linear equations and, using this system, we describe algorithms for key agreement and public encryption whose security is based on solving a system of equations over the ring of integers, which comes under the NP-Complete problems.
Keywords: cryptography, encryption, decryption