## Cryptanalysis of RSA-Type Cryptosystems: A Visit (1998)

Venue: DIMACS Series in Discr. Math. and Th. Comp. Sci., AMS

Citations: 3 - 0 self

### BibTeX

@INPROCEEDINGS{Joye98cryptanalysisof,
  author = {Marc Joye and Jean-Jacques Quisquater},
  title = {Cryptanalysis of RSA-Type Cryptosystems: A Visit},
  booktitle = {DIMACS Series in Discr. Math. and Th. Comp. Sci., AMS},
  year = {1998},
  pages = {21--31}
}

### Abstract

This paper surveys RSA-type implementations based on Lucas sequences and on elliptic curves. The main focus is how some known attacks on RSA were extended to LUC, KMOV and Demytko's system. It also gives some directions for the choice of the most appropriate RSA-type system for a given application.

1. INTRODUCTION

In 1978, Rivest, Shamir and Adleman [63] introduced the so-called RSA cryptosystem. Its security mainly relies on the difficulty of factoring carefully chosen large integers. After this breakthrough, other structures were proposed to produce analogues to RSA. So, Müller and Nöbauer [54, 55] presented a cryptosystem using Dickson polynomials. This system was afterwards slightly modified and rephrased in terms of Lucas sequences by Smith and Lennon [70, 72]. More recently, Koyama, Maurer, Okamoto and Vanstone [41] exhibited new one-way trapdoor functions similar to RSA on elliptic curves, the so-called KMOV cryptosystem. Later, Demytko [20] also pointed out a new one-...

### Citations

3043 | A Method for Obtaining Digital Signatures and Public Key Cryptosystems - Rivest, Shamir, et al. - 1978 |

Citation Context: ...ed to LUC, KMOV and Demytko’s system. It also gives some directions for the choice of the most appropriate RSA-type system for a given application. 1. INTRODUCTION In 1978, Rivest, Shamir and Adleman [63] introduced the so-called RSA cryptosystem. Its security mainly relies on the difficulty of factoring carefully chosen large integers. After this breakthrough, other structures were proposed to produc...

2823 | New directions in cryptography - Diffie, Hellman - 1976 |

1157 | A public key cryptosystem and a signature scheme based on discrete logarithms - ElGamal - 1985 |

929 | A course in computational algebraic number theory - Cohen - 1996 |

833 | The arithmetic of elliptic curves - Silverman - 1986 |

753 | Identity-based Cryptosystems and Signature Schemes - Shamir - 1984 |

724 | Elliptic curve cryptosystems - Koblitz - 1987 |

702 | The Art of Computer Programming, Volume 2: Seminumerical Algorithms, 3rd ed - Knuth - 1998 |

Citation Context: ...er message $m$, if the same modulus $n$ is used and if the public encryption keys $e_1$ and $e_2$ are relatively prime. Indeed, since $\gcd(e_1, e_2) = 1$, by the extended Euclidean algorithm [38], there exists $r, s \in \mathbb{Z}$ such that

$$r e_1 + s e_2 = 1. \tag{4.2}$$

Consequently, we have

$$m = m^{r e_1 + s e_2} = c_1^{r} c_2^{s} \bmod n. \tag{4.3}$$

This was first noticed by Simmons [68]. KMOV is also homomorphic and is therefore susceptible to the same attack. This is not the case fo...

548 | Use of Elliptic Curves in Cryptography - Miller - 1986 |

310 | On the Importance of Checking Cryptographic Protocols for Faults - Boneh, DeMillo, et al. |

Citation Context: ...categories independently of the protocol in use for encryption or signature: 1. attacks exploiting the polynomial structure of RSA [11, 14, 25, 29, 47, 57]; 2. attacks based on its homomorphic nature [2, 7, 15, 17, 19, 22, 21, 16, 26]; 3. attacks resulting of a bad choice of parameters [74]. Most of known attacks on RSA can more or less successfully be extended to their Lucas and elliptic curves based analogues. Rather than review...

297 | An Introduction to the Theory of - Hardy, Wright - 1960 |

293 | Digitalized signatures and public key functions as intractable as factorization - Rabin - 1979 |

288 | Elliptic Curve Public Key Cryptosystems - Menezes - 1993 |

200 | Speeding the Pollard and elliptic curve methods of factorization - Montgomery - 1987 |

184 | Small solutions to polynomial equations and low exponent vulnerabilities - Coppersmith - 1997 |

Citation Context: ...ematical attacks on RSA. They can basically be classified into three categories independently of the protocol in use for encryption or signature: 1. attacks exploiting the polynomial structure of RSA [11, 14, 25, 29, 47, 57]; 2. attacks based on its homomorphic nature [2, 7, 15, 17, 19, 22, 21, 16, 26]; 3. attacks resulting of a bad choice of parameters [74]. Most of known attacks on RSA can more or less successfully be ...

174 | Elliptic curves over finite fields and the computation of square roots mod p - Schoof - 1985 |

145 | Cryptanalysis of short RSA secret exponents - Wiener - 1990 |

Citation Context: ... exploiting the polynomial structure of RSA [11, 14, 25, 29, 47, 57]; 2. attacks based on its homomorphic nature [2, 7, 15, 17, 19, 22, 21, 16, 26]; 3. attacks resulting of a bad choice of parameters [74]. Most of known attacks on RSA can more or less successfully be extended to their Lucas and elliptic curves based analogues. Rather than reviewing in details all the attacks, we have chosen three repr...

80 | Low-exponent RSA with related messages - Coppersmith, Franklin, et al. - 1996 |

Citation Context: ...ematical attacks on RSA. They can basically be classified into three categories independently of the protocol in use for encryption or signature: 1. attacks exploiting the polynomial structure of RSA [11, 14, 25, 29, 47, 57]; 2. attacks based on its homomorphic nature [2, 7, 15, 17, 19, 22, 21, 16, 26]; 3. attacks resulting of a bad choice of parameters [74]. Most of known attacks on RSA can more or less successfully be ...

74 | Rational Points on Elliptic Curves - Silverman, Tate - 1992 |

72 | Prime Numbers and Computer Methods for Factorization - Riesel - 1985 |

71 | A modification of the RSA public-key encryption procedure - Williams - 1980 |

54 | Cryptographic Protocols - DeMillo, Lynch, et al. - 1982 |

46 | New public-key schemes based on elliptic curves over the ring Z_n - Koyama, Maurer, et al. |

Citation Context: ...tem using Dickson polynomials. This system was afterwards slightly modified and rephrased in terms of Lucas sequences by Smith and Lennon [70, 72]. More recently, Koyama, Maurer, Okamoto and Vanstone [41] exhibited new one-way trapdoor functions similar to RSA on elliptic curves, the so-called KMOV cryptosystem. Later, Demytko [20] also pointed out a new one-way trapdoor function on elliptic curves to...

41 | A public-key cryptosystem and a digital signature system based on the Lucas function analogue to discrete logarithms - Smith, Skinner - 1995 |

39 | On Using RSA with Low Exponent in a Public Key Network - Hastad - 1986 |

Citation Context: ...ematical attacks on RSA. They can basically be classified into three categories independently of the protocol in use for encryption or signature: 1. attacks exploiting the polynomial structure of RSA [11, 14, 25, 29, 47, 57]; 2. attacks based on its homomorphic nature [2, 7, 15, 17, 19, 22, 21, 16, 26]; 3. attacks resulting of a bad choice of parameters [74]. Most of known attacks on RSA can more or less successfully be ...

37 | A new elliptic curve based analogue of RSA - Demytko |

Citation Context: ...d Lennon [70, 72]. More recently, Koyama, Maurer, Okamoto and Vanstone [41] exhibited new one-way trapdoor functions similar to RSA on elliptic curves, the so-called KMOV cryptosystem. Later, Demytko [20] also pointed out a new one-way trapdoor function on elliptic curves to produce an analogue of RSA. There are numerous mathematical attacks on RSA. They can basically be classified into three categori...

35 | Breaking public key cryptosystems on tamper resistant devices in the presence of transient faults - Bao, Deng, et al. - 1997 |

Citation Context: ...categories independently of the protocol in use for encryption or signature: 1. attacks exploiting the polynomial structure of RSA [11, 14, 25, 29, 47, 57]; 2. attacks based on its homomorphic nature [2, 7, 15, 17, 19, 22, 21, 16, 26]; 3. attacks resulting of a bad choice of parameters [74]. Most of known attacks on RSA can more or less successfully be extended to their Lucas and elliptic curves based analogues. Rather than review...

32 | Digital signatures with RSA and other public-key cryptosystems - Denning - 1984 |

Citation Context: ...categories independently of the protocol in use for encryption or signature: 1. attacks exploiting the polynomial structure of RSA [11, 14, 25, 29, 47, 57]; 2. attacks based on its homomorphic nature [2, 7, 15, 17, 19, 22, 21, 16, 26]; 3. attacks resulting of a bad choice of parameters [74]. Most of known attacks on RSA can more or less successfully be extended to their Lucas and elliptic curves based analogues. Rather than review...

31 | Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem - Davida - 1982 |

31 | A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes - Desmedt, Odlyzko - 1986 |

31 | LUC: A new public key system - Smith, Lennon - 1993 |

Citation Context: ... to RSA. So, Müller and Nöbauer [54, 55] presented a cryptosystem using Dickson polynomials. This system was afterwards slightly modified and rephrased in terms of Lucas sequences by Smith and Lennon [70, 72]. More recently, Koyama, Maurer, Okamoto and Vanstone [41] exhibited new one-way trapdoor functions similar to RSA on elliptic curves, the so-called KMOV cryptosystem. Later, Demytko [20] also pointed...

28 | The little book of big primes - Ribenboim - 1991 |

20 | Memo on RSA signature generation in the presence of faults - Lenstra - 1996 |

19 | A “weak” privacy protocol using the RSA crypto algorithm - Simmons - 1983 |

Citation Context: ...ently seem to be resistant. However, multiplicative attacks can sometimes be rewritten in order to be applicable on these latter systems. We shall illustrate this topic with the common modulus attack [68]. The last category of attacks does not really result from a weakness of RSA but rather from a bad implementation. Parameters have to be carefully chosen. Unfortunately, there is no general recipe to ...

18 | A Further Weakness in the Common Modulus Protocol for the RSA Cryptosystem - DeLaurentis - 1984 |

16 | Some remarks on Lucas-based cryptosystems - Bleichenbacher, Bosma, et al. - 1995 |

Citation Context: ... first noticed by Simmons [68]. KMOV is also homomorphic and is therefore susceptible to the same attack. This is not the case for LUC and Demytko’s system. However, Bleichenbacher, Bosma and Lenstra [5] presented a signature forgery against LUC that requires two chosen signatures. Kaliski [36] established the same result for the Demytko’s system. In his PhD. thesis, Bleichenbacher [3] shows how to f...

16 | Elliptic curves: Diophantine analysis, Grundlehren der Mathematischen Wissenschaften 231 - Lang - 1978 |

15 | Elliptic Curves, Graduate Texts - Husemöller - 2003 |

12 | Factorization and Primality Testing. Undergraduate Texts in Mathematics - Bressoud - 1989 |

Citation Context: ... will be the x-coordinate of a point on the twisted curve $E_p(a, b)$. It is useful to introduce some notation. Since the computation of the y-coordinate can be avoided (by using the algorithm described in [8], for example), $k \,?\, p_x$ will denote the x-coordinate of $k$ times the point $P = (p_x, p_y)$. To encrypt $m$, Alice computes $c = e \,?\, m$. To decrypt the ciphertext $c$, Bob computes $d$... (Adjacent displayed equations: $N_{n,2} = \operatorname{lcm}(p + 1 - a_p,\ q + 1 + a_q)$ and $N_{n,3} = \operatorname{lcm}(p + 1 + a_p,\ q + 1 - a_q)$.)

12 | Attacks on some RSA signatures - Jonge, Chaum - 1986 |

12 | Selective forgery of RSA signatures using redundancy - Girault, Misarsky - 1997 |

12 | Some remarks on public-key cryptosystems - Müller, Nöbauer - 1981 |

Citation Context: ... Its security mainly relies on the difficulty of factoring carefully chosen large integers. After this breakthrough, other structures were proposed to produce analogues to RSA. So, Müller and Nöbauer [54, 55] presented a cryptosystem using Dickson polynomials. This system was afterwards slightly modified and rephrased in terms of Lucas sequences by Smith and Lennon [70, 72]. More recently, Koyama, Maurer,...

10 | Precautions taken against various potential attacks - Guillou, Quisquater, et al. - 1991 |

9 | On the importance of securing your bins: The garbage-man-in-the-middle attack - Joye, Quisquater - 1997 |

8 | A linear protocol failure for RSA with exponent three, Rump Session, Crypto ’95 (not in proceedings) - Franklin, Reiter |

8 | Elliptic Curves, Mathematical Notes - Knapp - 1992 |

6 | Factoring polynomials with integer coefficients. Mathematische Annalen 261 - Lenstra, Lenstra, et al. - 1982 |

Citation Context: ...relation is of order $e^2$ for elliptic curves systems [34], the attack applies for public exponent up to ≃ 16 bits, instead of 32 bits as for RSA and LUC. Furthermore, by lattice basis reduction techniques [48], Coppersmith [13] showed that if (the difference between the two messages) is unknown, then $m_1$ and $m_2$ can sometimes be recovered. In fact, let %() be the resultant in $x$ of $P$ and $Q$, which is an univariate polyno...

5 | A new and optimal chosen message attack on RSA-type cryptosystems, Unpublished manuscript - Bleichenbacher, Joye, et al. |

Citation Context: ...tablished the same result for the Demytko’s system. In his PhD. thesis, Bleichenbacher [3] shows how to forge a LUC signature from only one other signature. This was later adapted to Demytko’s system [6]. This enables to exhibit the common modulus protocol failure as follows. We shall only illustrate the attack on LUC and refer to [6] for the attack on Demytko’s system. Let... (Adjacent displayed equation, truncated: $m = \tfrac{1}{2} V_r(c_1, 1)\, V_s(c_2, 1) + (c_1^2 - 4) \ldots$)

5 | Low exponent attack against elliptic curve - Kurosawa, Okada, et al. - 1995 |

4 | Some serious protocol failures for RSA with exponent e of less than ≃ 32 bits, Presented at the conference of cryptography, CIRM Luminy - Patarin - 1995 |