## How To Break The Direct RSA-Implementation Of Mixes (1990)

Venue: | Advances in Cryptology---EUROCRYPT '89 Proceedings |

Citations: | 44 - 0 self |

### BibTeX

@INPROCEEDINGS{Pfitzmann90howto,

author = {Birgit Pfitzmann and Andreas Pfitzmann},

title = {How To Break The Direct RSA-Implementation Of Mixes},

booktitle = {Advances in Cryptology---EUROCRYPT '89 Proceedings},

year = {1990},

pages = {373--381},

publisher = {Springer-Verlag}

}

### OpenURL

### Abstract

MIXes are a means of untraceable communication based on a public key cryptosystem, as published by David Chaum in 1981 (CACM 24/2, 84-88) (=[6]). In the case where RSA is used as this cryptosystem directly, i.e. without composition with other functions (e.g. destroying the multiplicative structure), we show how the resulting MIXes can be broken by an active attack which is perfectly feasible in a typical MIX-environment. The attack does not affect the idea of MIXes as a whole: if the security requirements of [6] are concretized suitably and if a cryptosystem fulfils them, one can implement secure MIXes directly. However, it shows that present security notions for public key cryptosystems, which do not allow active attacks, do not suffice for a cryptosystem which is used to implement MIXes directly. We also warn of the same attack and others on further possible implementations of MIXes, and we mention several implementations which are not broken by any attack we know. I. INTRODUCTION: M...

### Citations

1178 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...y not suitable, because they are known to be vulnerable to active attacks, and versions of these attacks can still be applied directly in the MIX-environment: With the quadratic residuosity system of =-=[13]-=-, the attack of Example 6 in [15], where the attacker inserts an encrypted bit of someone else's message into his own message in a disguised form, is possible. With the system of [3] (the version as s... |

833 | A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...imes might. Nevertheless, there could be two problems for the attacker. First, the attacker must see the message M he wants to trace before he can form a suitable M*. In analogy to the terminology of =-=[14]-=-, one could call this a directed chosen ciphertext attack, directed against a particular input message. If the MIX uses the same key for many batches, this is no problem. If a new key is used for each... |

437 | The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability
- Chaum
- 1988
(Show Context)
Citation Context ...onymity, which can at the most be computationally secure. Meanwhile, other sender anonymity schemes have been published, which are information-theoretically secure, namely superposed sending (DC-net) =-=[7, 8]-=- and, against more limited attackers, RING-networks [18]. Nevertheless, MIXes are still a matter of interest, since their communication overhead is much smaller. More precisely, in the other schemes, ... |

417 | Security Without Identification: Transaction Systems to make Big Brother Obsolete - Chaum - 1985 |

134 |
RSA and rabin functions: certain parts are as hard as the whole
- Alexi, Chor, et al.
(Show Context)
Citation Context ...put to positive use for blind signatures and, thereby, for untraceable credentials and payments (e.g. [7]). It also forms a small substep in proofs of the security of single bits of RSA, from [15] to =-=[1]-=-). Birgit Pfitzmann, Andreas Pfitzmann: How to Break the Direct RSA-Implementation of MIXes 3 II.2.sTHE IDEA In our case, the difficulty with the well-known RSA-attack lies in the fact that the random... |

112 |
An efficient probabilistic public-key encryption scheme which hides all partial information
- Blum, Goldwasser
- 1985
(Show Context)
Citation Context ...uosity system of [13], the attack of Example 6 in [15], where the attacker inserts an encrypted bit of someone else's message into his own message in a disguised form, is possible. With the system of =-=[3]-=- (the version as secure as factorization) one can apply one of the attacks which the authors themselves probably mean when stating that the system is insecure against active attacks: (Remember that en... |

30 |
Signature Cryptanalysis of the RSA (MIT) Public-Key Cryptosystem
- Davida
- 1982
(Show Context)
Citation Context ...s, implementations, and cryptosystems are vulnerable. II.1.sHISTORY The attack is based upon the well-known attack on RSA, which exploits the fact that RSA is a multiplicative homomorphism, by Davida =-=[9]-=- in the version by Judy Moore (according to [11]). It has been adapted to other situations before (no guarantee on completeness): to cryptosystems with some abstract properties in [10, 17], to signatu... |

30 | A Chosen Text Attack on the RSA Cryptosystem and Some Discrete Logarithm Problems
- Desmedt, Odlykzo
- 1986
(Show Context)
Citation Context ...ed to other situations before (no guarantee on completeness): to cryptosystems with some abstract properties in [10, 17], to signatures with some redundancy in [16], or to yield a factoring algorithm =-=[12]-=-. It was put to positive use for blind signatures and, thereby, for untraceable credentials and payments (e.g. [7]). It also forms a small substep in proofs of the security of single bits of RSA, from... |

26 |
Why and How to Establish a Private Code on a Public Network
- Goldwasser, Micali, et al.
- 1982
(Show Context)
Citation Context ... It was put to positive use for blind signatures and, thereby, for untraceable credentials and payments (e.g. [7]). It also forms a small substep in proofs of the security of single bits of RSA, from =-=[15]-=- to [1]). Birgit Pfitzmann, Andreas Pfitzmann: How to Break the Direct RSA-Implementation of MIXes 3 II.2.sTHE IDEA In our case, the difficulty with the well-known RSA-attack lies in the fact that the... |

16 |
How to implement isdns without user observability - some remarks
- Pfitzmann
- 1985
(Show Context)
Citation Context ...he attacker cannot consider all pairs of output messages. For some time-critical services this seems impossible anyway, because there would not be enough messages to collect within the permitted time =-=[19]. An-=-yway, the attacker can also speed up his attack by computing the sets of values which occur in the left sides of Equation (h), i.e. V 1 := {f . N 1 . 2 -B | N 1 ��O} (including f . N . 2 -B ) and ... |

5 |
Modern Cryptology - A Tutorial, LNCS 325
- Brassard
- 1988
(Show Context)
Citation Context ...e via the same time-division network, or from different local networks using different local clocks, the time might still suffice. So all the participants must be forced to send (or to commit to, cf. =-=[5]-=-) considerable parts of their messages before the first one has completed his. Also, this measure can no longer be applied if messages pass several MIXes: Here, each MIX must be considered as a potent... |

5 |
A switched/broadcast ISDN to decrease user observability
- Pfitzmann
- 1984
(Show Context)
Citation Context ...Meanwhile, other sender anonymity schemes have been published, which are information-theoretically secure, namely superposed sending (DC-net) [7, 8] and, against more limited attackers, RING-networks =-=[18]-=-. Nevertheless, MIXes are still a matter of interest, since their communication overhead is much smaller. More precisely, in the other schemes, each participant has to send about as much in the physic... |

4 |
Denning: Digital Signatures with RSA and Other Public-Key Cryptosystems
- E
- 1984
(Show Context)
Citation Context ...rable. II.1.sHISTORY The attack is based upon the well-known attack on RSA, which exploits the fact that RSA is a multiplicative homomorphism, by Davida [9] in the version by Judy Moore (according to =-=[11]-=-). It has been adapted to other situations before (no guarantee on completeness): to cryptosystems with some abstract properties in [10, 17], to signatures with some redundancy in [16], or to yield a ... |

4 |
Waidner: Datenschutz garantierende offene Kommunikationsnetze; InformatikSpektrum 11/3
- Pfitzmann, Pfitzmann, et al.
- 1988
(Show Context)
Citation Context ...o provide sender anonymity for telephony using the cables of conventional telephone networks, i.e., the only way complete privacy can be introduced in public communication networks in the near future =-=[20]-=-. The idea behind MIX-networks is that a, hopefully trustworthy, station called MIX collects a number of messages from their senders, performs a cryptographic operation on each of them to change their... |

3 |
Chosen signatures cryptanalysis of public key cryptosystems
- Demillo, Merrit
- 1982
(Show Context)
Citation Context ...phism, by Davida [9] in the version by Judy Moore (according to [11]). It has been adapted to other situations before (no guarantee on completeness): to cryptosystems with some abstract properties in =-=[10, 17]-=-, to signatures with some redundancy in [16], or to yield a factoring algorithm [12]. It was put to positive use for blind signatures and, thereby, for untraceable credentials and payments (e.g. [7]).... |

2 |
Chaum: Untraceable Electronic
- L
- 1981
(Show Context)
Citation Context ...e Postfach 6980, D-7500 Karlsruhe 1, F. R. Germany ABSTRACT MIXes are a means of untraceable communication based on a public key cryptosystem, as published by David Chaum in 1981 (CACM 24/2, 84-88) (==-=[6]-=-). In the case where RSA is used as this cryptosystem directly, i.e. without composition with other functions (e.g. destroying the multiplicative structure), we show how the resulting MIXes can be bro... |

1 |
Non-interactive zero-knowledge and its applications; 20th STOC
- Blum, Feldman, et al.
- 1988
(Show Context)
Citation Context ...final consequence of discussions about both random strings and redundancy is that a public key cryptosystem used in the basic MIX-scheme should be probabilistic and secure against active attacks (cf. =-=[2], bu-=-t we have heard doubts about it; an interactive system, on the other hand, is quite unwieldy if several MIXes in a row are used [4]). We are happy to thank Manfred B��ttger and Michael Waidner for... |

1 | Untersuchung der Sicherheit von asymmetrischen Kryptosystemen und MIX-Implementierungen gegen aktive Angriffe; Studienarbeit am Institut f��r Rechnerentwurf und Fehlertoleranz, Universit��t Karlsruhe - B��ttger - 1989 |