Bleichenbacher, D., Bosma, W., and Lenstra, A. K. Some remarks on Lucas-based cryptosystems. In Advance in Cryptology -- Crypto'95 (1995), D. Coppersmith, Ed., vol. 963 of Lectures Notes in Computer Science, Springer-Verlag, pp. 386--396.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....that re 1 se 2 = 1. 4.2) Consequently, we have m = m re1 se2 = c r 1 c s This was first noticed by Simmons [68] KMOV is also homomorphic and is therefore susceptible to the same attack. This is not the case for LUC and Demytko s system. However, Bleichenbacher, Bosma and Lenstra [5] presented a signature forgery against LUC that requires two chosen signatures. Kaliski [36] established the same result for the Demytko s system. In his PhD. thesis, Bleichenbacher [3] shows how to forge a LUC signature from only one other signature. This was later adapted to Demytko s system ....

D. Bleichenbacher, W. Bosma, and A. K. Lenstra, Some remarks on Lucas-based cryptosystems, Advances in Cryptology -- Crypto '95 (D. Coppersmith, ed.), Lecture Notes in Computer Science, vol. 963, Springer-Verlag, 1995, pp. 386--396.

....be transmitted consists of m = n) elements of F p . Since these systems have n log p bits of security when exchanging m log p bits of information, they are more ecient than Die Hellman by a factor of n=m = 2, 3=2, and 3, respectively. See Rubin was partially supported by NSF grant DMS 0140378. [9, 12, 13, 16, 17, 1] for Lucas based systems and LUC, and [3, 6, 7] for XTR and related work. The cryptosystems based on algebraic tori introduced in this paper accomplish the same goal of attaining discrete log security in the eld F p while requiring the transmission of (n) elements of F p . However, they ....

....DSA and NybergRueppel signatures (see also x5 of [7] Note that it is easy to turn any torus based cryptosystem into an RSA like system whose security is based on the diculty of factoring, analogous to the LUC system of [12] Here, one views the torus T n over a ring Z=NZ. However, as shown in [1], such RSA based systems do not seem to have signi cant advantages over RSA. Parameter selection: Choose a prime power q and an integer n such that the torus T n over F q has an explicit rational parametrization, n log(q) 1024 (to obtain 1024 bit security) and n (q) is divisible by a prime ....

D. Bleichenbacher, W. Bosma, A. K. Lenstra, Some remarks on Lucas-based cryptosystems, in Advances in cryptology | CRYPTO '95, Lect. Notes in Comp. Sci. 963 (1995), Springer, Berlin, 386-396.

....However, Alice has no idea which is g y and which is g y , but that does not matter as she can determine U x 1 U x 2 by using her random key x. This is equal to S = g xy g xy , independent of the choice of U 1 and U 2 . In a similar way, Bob can construct S from A. It is indicated in [2], that the above scheme coincides with the variant of the Di#eHellman key exchange scheme that was proposed and analyzed by a series of authors; 15] where the name LUCDIF was proposed) 11] 10] 12] and [8] We will now proceed with showing two important properties of the LUCDIF ....

D. Bleichenbacher, W. Bosma, A.K. Lenstra, Some remarks on Lucas-Based Cryptosystems, CRYPTO '95 Proceedings, Springer-Verlag, pp. 386-396.

....it introduces message expansion by a factor of two. The Merkle Hellman knapsack system and the Chor Rivest encryption system can be very easily broken. A recent paper by Bleichenbacher shows that many of the supposed advantages of the LUC are either not present or are not as substantial as clamied [13]. Table 2: Public Key Encryption 5. Encryption Policy While the intention of using encryption is to protect the security of the communication data, the scope of using this technology has introduced many considerable government concerns. These include issues involving terrorists, foreign ....

D. Bleichenbacher, W. Bosma, and A. Lenstra. Some remarks on Lucas-based cryptosystems. In Advances in Cryptology Crypto '95, pages 386-396, Springer-Verlag, 1995.

....of degree 1, for which ms = Vs(m; 1) mod n is the root. Next, from polynomials R; S 2 ZZn [x] given by R(x) Vr (x; 1) Gamma mr and S(x) Vs(x; 1) Gamma ms , she computes gcd(Q; R) and recovers the message m. Remark. It is possible to speed up the computation by using the ideas developed in [1] (see [16] for KMOV Demytko) This will be done in a future work. 4.3 Combinations Broadcast encryption There are basically three ways for a cryptanalyst to recover a message 1. to force the retransmission; 2. to have a look in the bin; 3. to ask a signature. Therefore, by combining these ....

Bleichenbacher, D., Bosma, W., and Lenstra, A. K. Some remarks on Lucas-based cryptosystems. In Advance in Cryptology -- CRYPTO '95 (1995), D. Coppersmith, Ed., vol. 963 of Lecture Notes in Computer Science, Springer-Verlag, pp. 386--396.

....1 se 2 = 1: 4.2) Consequently, we have m = m re1 se2 = c r 1 c s 2 mod n: 4.3) This was first noticed by Simmons [68] KMOV is also homomorphic and is therefore susceptible to the same attack. This is not the case for LUC and Demytko s system. However, Bleichenbacher, Bosma and Lenstra [5] presented a signature forgery against LUC that requires two chosen signatures. Kaliski [36] established the same result for the Demytko s system. In his PhD. thesis, Bleichenbacher [3] shows how to forge a LUC signature from only one other signature. This was later adapted to Demytko s system ....

D. Bleichenbacher, W. Bosma, and A. K. Lenstra, Some remarks on Lucas-based cryptosystems, Advances in Cryptology -- Crypto '95 (D. Coppersmith, ed.), Lecture Notes in Computer Science, vol. 963, SpringerVerlag, 1995, pp. 386--396.

No context found.

D. Bleichenbacher, W. Bosma, and A. Lenstra. Some remarks on Lucas-based cryptosystems. In D. Coppersmith, editor, Advances 80 in Cryptology { CRYPTO '95, volume 963 of Lecture Notes in Computer Science, pages 386-396. Springer-Verlag, 1995.

....and is therefore not subject to the chosen message attack described in [8] The Lucas based cryptosystems and Demytko s elliptic curve cryptosystem seem to be resistant against homomorphic attack. However, the existence of a chosen message forgery that needs two messages has been described in [1]. Kaliski found a similar attack on Demytko s system [6] In this paper, we describe a new chosen message attack which needs only one message. This new attack shows that the RSA type cryptosystems are even closer related to RSA, i.e. it shows that all the attacks based on the multiplicative nature ....

D. Bleichenbacher, W. Bosma, and A. K. Lenstra. Some remarks on Lucas-based cryptosystems. In D. Coppersmith, editor, Advances in Cryptology -- CRYPTO '95, volume 963 of Lecture Notes in Computer Science, pages 386--396. Springer-Verlag, 1995.

....and is therefore not subject to the chosen message attack described in [8] The Lucas based cryptosystems and Demytko s elliptic curve cryptosystem seem to be resistant against homomorphic attack. However, the existence of a chosen message forgery that needs two messages has been described in [1]. Kaliski found a similar attack on Demytko s system [6] In this paper, we describe a new chosen message attack which needs only one message. This new attack shows that the RSA type cryptosystems are even closer related to RSA, i.e. it shows that all the attacks based on the multiplicative nature ....

D. Bleichenbacher, W. Bosma, and A. K. Lenstra. Some remarks on Lucas-based cryptosystems. In D. Coppersmith, editor, Advance in Cryptology -- Crypto '95, volume 963 of Lectures Notes in Computer Science, pages 386--396. Springer-Verlag, 1995.

No context found.

Bleichenbacher, D., Bosma, W., and Lenstra, A. K. Some remarks on Lucas-based cryptosystems. In Advance in Cryptology -- Crypto'95 (1995), D. Coppersmith, Ed., vol. 963 of Lectures Notes in Computer Science, Springer-Verlag, pp. 386--396.

No context found.

D. Bleichenbacher, W. Bosma, A. K. Lenstra, Some remarks on Lucas-based cryptosystems, in Advances in Cryptology | CRYPTO '95, Lect. Notes in Comp. Sci. 963, Springer, Berlin, 1995, 386-396.

No context found.

Bleichenbacher, D., Bosma, W., and Lenstra, A. K. Some remarks on Lucas-based cryptosystems. In Advance in Cryptology -- CRYPTO '95 (1995), D. Coppersmith, Ed., vol. 963 of Lecture Notes in Computer Science, Springer-Verlag, pp. 386--396.

No context found.

D. Bleichenbacher, W. Bosma, and A. Lenstra. Some remarks on Lucas-based cryptosystems. In D. Coppersmith, editor, Advances 80 Step 1: Choose a random integer a relatively prime to e. Step 2: Compute x j V a (m; 1) (mod n). Step 3: Get the signature y j V d (x; 1) (mod n) from the user. Step 4: Use Euclid's algorithm to find s; t such that as \Gamma et = 1.

No context found.

D. Bleichenbacher, W. Bosma and A. Lenstra, Some remarks on Lucas based cryptosystems, CRYPTO'95, Springer LNCS, 386-- 396, 1995. + 27

No context found.

D. Bleichenbacher, W. Bosma, A. Lenstra, "Some remarks on Lucas-based cryptosystems ", LNCS 963, Proc. Crypto'95, Springer-Verlag, (1997), pp. 386--396.

No context found.

D. Bleichenbacher, W. Bosma, A.K. Lenstra, Some remarks on Lucas--based cryptosystems, CRYPTO'95, Springer LNCS 386--396, LNCS 963, 1995.

No context found.

D. Bleichenbacher, W. Bosma, A.K. Lenstra, Some remarks on Lucas--based cryptosystems, CRYPTO'95, Springer LNCS 963, 386--396, 1995.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC