## On the security of RDSA (2003)

Venue: Advances in Cryptology - EUROCRYPT 2003, Lecture Notes in Computer Science

Citations: 2 - 1 self

### BibTeX

@INPROCEEDINGS{Fouque03onthe,
    author = {Pierre-Alain Fouque and Guillaume Poupard},
    title = {On the security of RDSA},
    booktitle = {Advances in Cryptology - EUROCRYPT 2003, Lecture Notes in Computer Science},
    year = {2003},
    pages = {462--476},
    publisher = {Springer-Verlag}
}

### Abstract

Abstract. A variant of Schnorr’s signature scheme called RDSA has

### Citations

922 | How to prove yourself: practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
Citation Context ...rithm in groups of known prime order [13]. Such a zero-knowledge proof can be used as an interactive identification scheme and also be converted into a signature scheme using the Fiat-Shamir paradigm [3]. This scheme has motivated the design of many signature schemes, including the standard DSA [9]. Those variants are intended to achieve additional properties. Firstly, we can use a composite modulus ...

783 | Factoring polynomials with rational coefficients. Mathematische Annalen 261
- Lenstra, Lenstra, et al.
- 1982
Citation Context ...kangaroos) finds the discrete log in time O(√w) and space for O(log w) group elements. 3.3 The LLL toolbox The lattice reduction algorithm of Lenstra, Lenstra and Lovász [7] has been widely used in cryptanalysis to break many kinds of cryptosystems. Details on lattice reduction techniques are out of the scope of this paper so we refer to [6] for details and extensive bib...

644 | Efficient signature generation by smart cards
- Schnorr
- 1991
Citation Context ... scheme The RDSA signature scheme is fully described in [1] and [2]. It performs computations in a finite abelian group G, written multiplicatively. The basic idea of RDSA is to transform the Schnorr [14] and the DSA [9] schemes in order to use groups of unknown order. We remind the RDSA scheme, using the original notations: 1. Key generation • randomly select an element γ ∈ G, • randomly select a pri...

336 | Efficient Identification and Signatures for Smart Cards
- Schnorr
Citation Context ...heme, cryptanalysis, DSA variant, known-message attack, lattice reduction, GPS. 1 Introduction In 1989, C. Schnorr proposed a proof of knowledge of a discrete logarithm in groups of known prime order [13]. Such a zero-knowledge proof can be used as an interactive identification scheme and also be converted into a signature scheme using the Fiat-Shamir paradigm [3]. This scheme has motivated the design...

317 | Security arguments for digital signatures and blind signatures
- Pointcheval, Stern
- 2000
Citation Context ...ractive identification scheme in a signature scheme. This heuristic has been widely used to design signature schemes, even if the resulting security is only guaranteed in the random oracle model (see [10] for general results). Figure 1 describes what we call RDSA identification scheme. Note: This scheme can be modified in order to make the signatures shorter, without reducing the security nor increasi...

262 | Monte Carlo Methods for index computation (mod p)
- Pollard
- 1978
Citation Context ...is approximately equal to (−a×e)/q and a ∈ [0, q − 1], the size of ℓ is the same as the size of e. Consequently, if e is small enough, the verifier can use an algorithm such as the Pollard rho method [11], or even an exhaustive search, to compute ℓ from λ. In conclusion, if the verifier sends a small enough challenge e, he can compute ℓ and consequently learn a good approximation of (a × e)/q. Then it...

242 | Lower bounds for discrete logarithms and related problems, in EUROCRYPT
- Shoup
- 1997

122 | Self-certified public keys
- Girault
- 1991
Citation Context ... the base are known. Other schemes achieve different combinations. Two variants allow to use groups of unknown order and bases whose order is also unknown. The first one, GPS, was proposed by Girault [4] and further analyzed by Poupard and Stern [12]. The second one, called RDSA, has been proposed by I. Biehl, J. Buchmann, S. Hamdy and A. Meyer [1] in order to be implemented in finite abelian groups ...

70 | The insecurity of the digital signature algorithm with partially known nonces
- Nguyen, Shparlinski
Citation Context ...his paper so we refer to [6] for details and extensive bibliography. It should be noted that the LLL algorithm has already been used by Howgrave-Graham and Smart [5] and then by Nguyen and Shparlinski [8] to attack DSA if ephemeral keys, the equivalent of the k parameter in RDSA, are partially known. We use LLL to solve the following problem: given (e1, ..., en) ∈ [0, q − 1]^n, find integer coefficient...

61 | On Diffie-Hellman Key Agreement with Short Exponents
- Oorschot, Wiener
- 1996
Citation Context ...hout trying to take advantage of any additional algebraic structure. Furthermore, if it is known that the discrete logarithm lies within a restricted interval of width w, another algorithm of Pollard [11, 16] called the lambda method (or the method for catching kangaroos) finds the discrete log in time O(√w) and space for O(log w) group elements. 3.3 The LLL toolbox The latti...

60 | Lattice Reduction: A Toolbox for the Cryptanalyst
- Joux, Stern
- 1998
Citation Context ...f Lenstra, Lenstra and Lovász [7] has been widely used in cryptanalysis to break many kinds of cryptosystems. Details on lattice reduction techniques are out of the scope of this paper so we refer to [6] for details and extensive bibliography. It should be noted that the LLL algorithm has already been used by Howgrave-Graham and Smart [5] and then by Nguyen and Shparlinski [8] to attack DSA if ephemer...

51 | Lower bounds for discrete logarithms and related problems
- Shoup
- 1997
Citation Context ...age for O(√n) elements so it is usually advised to use Pollard’s rho algorithm [11] which has, heuristically, a similar running time but requires only a negligible amount of memory. Shoup proved in [15] that those algorithms are optimal for computing discrete logarithms in any group, i.e. without trying to take advantage of any additional algebraic structure. Furthermore, if it is known that the dis...

42 | Lattice attacks on digital signature schemes. Des
- Howgrave-Graham, Smart
Citation Context ...on techniques are out of the scope of this paper so we refer to [6] for details and extensive bibliography. It should be noted that the LLL algorithm has already been used by Howgrave-Graham and Smart [5] and then by Nguyen and Shparlinski [8] to attack DSA if ephemeral keys, the equivalent of the k parameter in RDSA, are partially known. We use LLL to solve the following problem: given (e1, ..., en) ∈ ...

33 | Security Analysis of a Practical ’On the Fly’ Authentication and Signature Generation
- Poupard, Stern
- 1998
Citation Context ...ferent combinations. Two variants allow to use groups of unknown order and bases whose order is also unknown. The first one, GPS, was proposed by Girault [4] and further analyzed by Poupard and Stern [12]. The second one, called RDSA, has been proposed by I. Biehl, J. Buchmann, S. Hamdy and A. Meyer [1] in order to be implemented in finite abelian groups of unknown order such as the class group of ima...

4 | A Signature Scheme Based on the Intractability of Computing Roots
- Biehl, Buchmann, et al.
- 2002
Citation Context ...unknown. The first one, GPS, was proposed by Girault [4] and further analyzed by Poupard and Stern [12]. The second one, called RDSA, has been proposed by I. Biehl, J. Buchmann, S. Hamdy and A. Meyer [1] in order to be implemented in finite abelian groups of unknown order such as the class group of imaginary quadratic orders. Our results In this paper, we describe a total ...

3 | A Survey on IQ Cryptography
- Buchmann, Hamdy
- 2001
Citation Context ...e additional properties. Firstly, we can use a composite modulus instead of a prime modulus and keep its factorization secret. We can also use various groups with interesting cryptographic properties [2]. As a consequence, the order of the group in which the computations are performed may remain secret. Furthermore, the order of the publicly known bases used in those schemes can also be public or pri...

1 | On the Security of RDSA 475 - Fiat, Shamir - 1987 |