| N. Demytko. A new elliptic curve based analogue of RSA. In T. Helleseth, editor, Advances in Cryptology -- EUROCRYPT '93, volume 765 of Lecture Notes in Computer Science, pages 40--49. Springer-Verlag, 1994. |
....nor will we offer details of the calculations performed when making our comparison between the two systems. 2. Elliptic Curve Cryptosystems The proposed elliptic curve cryptosystems are analogs of existing schemes. It is possible to define elliptic curve analogs of the RSA cryptosystem [Dem94, KMOV92] and it is possible to define analogs of public key cryptosystems that are based on the discrete logarithm problem (such as ElGamal encryption [ElG85] and the DSA [NIST94] for instance). The case of analogs to the discrete logarithm problem can be divided into two classes. In the first class the ....
N. Demytko. A new elliptic curve based analogue of RSA. In Advances in Cryptology - Eurocrypt'93, pages 40-49, Springer-Verlag, 1994.
....The first scheme, called KMOV, was presented by Koyama, Maurer, Okamoto and Vanstone [7] It is based on elliptic curves of the form E n (0, b) E p (0, b)E q (0, b) or E n (a, 0) E p (a, 0)E q (a, 0) in order to have a message independent group order. Another scheme was proposed by Demytko [5]. It has the particularity to only use the first coordinate of the points of elliptic curves. It relies on the fact that an integer x must be the x coordinate of a fixed elliptic curve E p (a, b) or of its twist E p (a, b) We refer to the original papers for a complete description of these ....
Demytko, N. A new elliptic curve based analogue of RSA. In Advances in Cryptology -- EUROCRYPT '93 (1994), T. Helleseth, Ed., vol. 765 of Lecture Notes in Computer Science, Springer-Verlag, pp. 40--49.
....This system was afterwards slightly modified and rephrased in terms of Lucas sequences by Smith and Lennon [70, 72] More recently, Koyama, Maurer, Okamoto and Vanstone [41] exhibited new one way trapdoor functions similar to RSA on elliptic curves, the so called KMOV cryptosystem. Later, Demytko [20] also pointed out a new one way trapdoor function on elliptic curves to produce an analogue of RSA. There are numerous mathematical attacks on RSA. They can basically be classified into three categories independently of the protocol in use for encryption or signature: 1. attacks exploiting the ....
....the parameter b = c 1 mod n. Then, he recovers the original message with its secret key d by computing M = dC on the curve E n (0, b) Remark 3.10. As mentioned in [41] from Lemma 3.7, it is also possible to work on a curve of the form E n (a, 0) by choosing a = m m 1 3.4. Demytko [20]. In this cryptosystem, each user chooses once for all the parameters a, b and e. Let m be the message to be encoded. Demytko's system is based on the fact that if m (modulo p) is not the x coordinate of a point on E p (a, b) it will be the x coordinate of a point on the twisted curve E p ....
N. Demytko, A new elliptic curve based analogue of RSA, Advances in Cryptology -- Eurocrypt '93 (T. Helleseth, ed.), Lecture Notes in Computer Science, vol. 765, Springer-Verlag, 1994, pp. 40--49.
....or to the signature verification operation. In this paper we restrict our attention to public key cryptosystems in which the former computation can be sped up using the Chinese remaindering algorithm. Examples of such cryptosystems are: RSA [16], LUC [19], KMOV [11] and Demytko's cryptosystem [6]. We show that devices implementing the signature generation of any of these cryptosystems may be tricked into revealing their secret key, if the following three conditions are met: 1) the message as signed is known; 2) a certain type of faulty behavior occurs during signature generation; 3) ....
....(m) # d (m) mod n, and the verification function as # e (s) # e (s) mod n, where ed 1 (mod lcm #E p (a, b) #E q (a, b) #E p (a, b) #E q (a, b) If s # gcd (mod n) n will give q. Ep (a, b) denotes the complementary group of Ep (a, b) See the original paper [6] for a detailed description. 3 Acknowledgements We thank Francois Koeune for some useful comments. ....
N. Demytko. A new elliptic curve based analogue of RSA. In T. Helleseth, editor, Advances in Cryptology -- EUROCRYPT '93, pp. 40--49. Lecture Notes in Computer Science, vol. 765. Springer-Verlag, Berlin, 1994.
....polynomials can be rephrased in terms of Lucas sequences [2, 14]. The Lucas sequences play the same role in this scheme as exponentiations in RSA. In 1985, Koblitz and Miller independently suggested the use of elliptic curves in cryptography [7, 9]. Afterwards, Koyama et al. [8] and Demytko [4] exhibited new one way trapdoor functions on elliptic curves in order to produce analogues of RSA. Demytko's system has the particularity to only use the first coordinate and is therefore not subject to the chosen message attack described in [8]. The Lucas based cryptosystems and Demytko's ....
....read the appendix. We present our attack in Section 3 and apply it in Section 4. In Section 5, we revisit the common modulus failure. Finally, we conclude in Section 6. 2 RSA type cryptosystems In this section, we present cryptosystems based on Lucas sequences [10, 11, 14] and on elliptic curves [4]. We only outline the systems, for a detailed description we refer to the original papers. 2.1 Lucas based RSA The Lucas based scheme can briefly be described as follows. Each user A chooses two large primes p and q and an exponent e that is relatively prime to (p 1) q 1) computes n = pq, ....
[Article contains additional citation context not shown here]
N. Demytko. A new elliptic curve based analogue of RSA. In T. Helleseth, editor, Advances in Cryptology -- EUROCRYPT '93, volume 765 of Lecture Notes in Computer Science, pages 40--49. Springer-Verlag, 1994.
....primes. 1. Introduction The so called RSA [26] is certainly one of the most popular and studied cryptosystem. In 1985, Koblitz and Miller independently suggested the use of elliptic curves in cryptography [9, 19]. After this breakthrough, elliptic curve based analogues of RSA were proposed [10, 4]. RSA type systems belong to the family of public key cryptosystems. A public-key cryptosystem is a pair of public encryption function fK and a secret decryption function f K indexed by a key K and representing a permutation on a finite set M of messages. The particularity of such systems is ....
....P by computing P = [d]Q with his secret key d. The only problem is to imbed messages as points on a given elliptic curve without the knowledge of the secret factors p and q. A first solution was proposed by Koyama, Maurer, Okamoto and Vanstone [10]. Another one was later proposed by Demytko [4]. 2.1. KMOV KMOV cryptosystem uses a family of supersingular elliptic curves of the form En (0; b) y b: 4) The main property of this system is that if p and q are both congruent to 2 mod 3, then Nn = lcm(p 1; q 1) whatever the value of parameter b. Therefore, to encrypt a message M = ....
[Article contains additional citation context not shown here]
N. Demytko. A new elliptic curve based analogue of RSA. In T. Helleseth, editor, Advances in Cryptology -- EUROCRYPT '93, volume 765 of Lecture Notes in Computer Science, pages 40-49. Springer-Verlag, 1994.
....of the commutative property of the logarithm in a finite Abelian group and the intractability of the discrete logarithm problem. The RSA Rabin class includes RSA [39] Rabin [38] Williams [42, 43] LUC [41] Kurosawa Itoh Takeuchi [23] Cubic RSA [24] and the elliptic curve versions of RSA [22, 13]. The Diffie-Hellman ElGamal class includes the Diffie-Hellman [14] ElGamal [15] and the elliptic hyperelliptic curve versions of the Diffie-Hellman and ElGamal [28, 21, 8]. Several other techniques have been proposed such as the Goldwasser-Micali scheme [18] based on quadratic residuosity, the ....
Demytko, N.: A New Elliptic Curve Based Analogue of RSA, Proc. of Eurocrypt'93, LNCS 765, Springer-Verlag, pp.40-49 (1994).
....called KMOV, was presented by Koyama, Maurer, Okamoto and Vanstone [8] It is based on elliptic curves of the form E n (0; b) E p (0; b) Theta E q (0; b) or E n (a; 0) E p (a; 0) Theta E q (a; 0) in order to have a message independent group order. Another scheme was proposed by Demytko [6]. It has the particularity to only use the first coordinate of the points of elliptic curves. It relies on the fact that an integer x must be the x coordinate of a fixed elliptic curve E p (a; b) or of its twist E p (a; b) We refer to the original papers for a complete description of these ....
Demytko, N. A new elliptic curve based analogue of RSA. In Advance in Cryptology -- Eurocrypt '93 (1994), T. Helleseth, Ed., vol. 765 of Lectures Notes in Computer Science, Springer-Verlag, pp. 40--49.
....an efficient and semantically secure elliptic curve cryptosystem with expansion factor 2. To our knowledge there is no previous elliptic curve cryptosystem based on factoring enjoying these properties. The design of our scheme is based on [8] but using as underlying primitive the Demytko's scheme [6], instead of [10]. This enables to use elliptic curves with arbitrary parameters to design the scheme, in contrast with [8] where only supersingular curves were possible. The new proposed cryptosystem uses elliptic curves over the ring Z n 2, where n is an RSA modulus. Its semantic security is ....
....on this new assumption. The computational cost of the new scheme is discussed in section 4. Finally, section 5 contains the conclusions. For a brief description of the results about elliptic curves over the ring Z n 2 used in this paper see [8]. 2 Demytko's scheme revisited Demytko proposed in [6] an elliptic curve RSA based scheme. He uses a fixed randomly chosen elliptic curve E n (a; b) over the ring Z n , where n = pq is an RSA modulus. Let t p = p 1 jE p (a; b)j, t q = q 1 jE q (a; b)j and e an (small) integer such that gcd(e; p 1 t p ) gcd(e; q 1 t q ) 1 : 1) Let a;b ....
[Article contains additional citation context not shown here]
N. Demytko. A new elliptic curve based analogue of RSA. EUROCRYPT '93, LNCS 765 40-49 (1993).
....if we can count it, we can easily factor n. Furthermore, we also prove that if we can solve the elliptic curve discrete logarithm problem modulo n, we can easily factor n. 4. 1 Introduction Elliptic curves can be applied to public key cryptosystems, and as such several schemes have been proposed [14] [26] [27] [28] [39] [41]. There are two typical elliptic curve cryptosystems: ElGamal type scheme [26] [41] and RSA type schemes [14] [27] [28]. The security of the ElGamal type elliptic curve cryptosystem is based on the difficulty of solving a discrete logarithm over elliptic curve modulo a prime. ....
....problem modulo n, we can easily factor n. 4. 1 Introduction Elliptic curves can be applied to public key cryptosystems, and as such several schemes have been proposed [14] [26] [27] [28] [39] [41]. There are two typical elliptic curve cryptosystems: ElGamal type scheme [26] [41] and RSA type schemes [14] [27] [28]. The security of the ElGamal type elliptic curve cryptosystem is based on the difficulty of solving a discrete logarithm over elliptic curve modulo a prime. However, the security of an RSA type elliptic curve cryptosystem is based on the difficulty of factoring a large composite. It has ....
N. Demytko, "A new elliptic curve based analogue of RSA," Proc. of EUROCRYPT'93, LNCS765, pp.40-49, 1994.
....3 and then M = [d]C where the secret key d is determined by the requirement that de j 1 mod lcmfp 1; q 1g. We see that this is amenable to the Wiener attack using the same parameters as before: indeed, d is one of the four possible deciphering exponents employed in the Luc system. Demytko [14] proposes using a fixed elliptic curve E(a; b) with equation Y 2 = X 3 aX b with modulus N = pq with no special restrictions on the prime factors. Write p 1 Gamma t p for the order of the group E(a; b) modulo p: by Hasse's theorem we know that jt p j 2 p p. Similarly, the order of E(a; ....
N. Demytko, A new elliptic curve based analogue of RSA, Advances in cryptology --- Eurocrypt '93, Springer, 1994, pp. 40--49, Lecture Notes in Computer Science 765.
....[8] Rivest, Shamir and Adleman [29] presented the RSA cryptosystem. After this breakthrough, many generalizations were presented (e.g. using polynomials) and broken. Recently, it has been adapted to work with other structures. In [16] Koyama, Maurer, Okamoto and Vanstone, and, later Demytko [7] pointed out the existence of new one way trapdoor functions similar to the RSA on elliptic curves defined over a ring. In 1993, the system proposed by Muller and Nobauer [22] in 1981, re emerged to construct the LUC cryptosystem [32] This latter system uses a special type of Lucas sequences, ....
N. Demytko. A new elliptic curve based analogue of RSA. In T. Helleseth, editor, Advances in Cryptology -- EUROCRYPT '95, volume 765 of Lecture Notes in Computer Science pages 40--49. Springer-Verlag, 1993.
.... to be immune to the MOV attack [23] and proposed the real world application of elliptic curves to the signature and identification schemes of smart cards [22]. In 1993, Demytko presented a new analogue of RSA based on elliptic curves over a ring Zn that overcame the limitations of earlier versions [6], and Menezes and Vanstone proposed hardware implementations that would improve elliptic curve computations over finite fields [20]. Recently, the notion of con 1 The analogue of the Diffie-Hellman scheme appears to be around 20 faster than the Diffie-Hellman key exchange protocol. CHAPTER 4. ....
.... [20, 30] Special techniques are being developed for calculating inverses or reciprocals more efficiently (this is the subject we will present next) but for now, it would be advisable to avoid inversions as much as possible, making good use of the properties of projective coordinates [6, 20]. CHAPTER 4. ELLIPTIC CURVE CRYPTOSYSTEMS 54 Example Suppose we have an elliptic curve E over a finite field K of characteristic ≠ 2, 3. Therefore, this is an elliptic curve defined by equation 3.2. We shall consider addition and subtraction in the field K to be negligible computations since ....
[Article contains additional citation context not shown here]
N. Demytko. A New Elliptic Curve Based Analogue of RSA. Advances in Cryptology - EUROCRYPT '93, pp. 40--49, 1994.
No context found.
N. Demytko. A new elliptic curve based analogue of RSA. In T. Helleseth, editor, Advances in Cryptology -- EUROCRYPT '93, volume 765 of Lecture Notes in Computer Science, pages 40--49. Springer-Verlag, 1994.
No context found.
N. Demytko. A new elliptic curve based analogue of RSA. In Advances in Cryptology - Proceedings of EUROCRYPT 93, volume 765 of Lecture Notes in Computer Science, pages 40--49. Springer-Verlag, 1993.
No context found.
N. Demytko. A new elliptic curve based analogue of RSA. In T. Helleseth, editor, Advances in Cryptology -- EUROCRYPT '93, volume 765 of Lecture Notes in Computer Science, pages 40--49. Springer-Verlag, 1994.
No context found.
N. Demytko. A new elliptic curve based analogue of RSA. In T. Helleseth, editor, Advances in Cryptology -- EUROCRYPT '93, volume 765 of Lecture Notes in Computer Science, pages 40--49. Springer-Verlag, 1994.
No context found.
Demytko, N. A new elliptic curve based analogue of RSA. In Advance in Cryptology -- Eurocrypt'93 (1993), T. Helleseth, Ed., vol. 765 of Lectures Notes in Computer Science, Springer-Verlag, pp. 40--49.
No context found.
N. Demytko. A new elliptic curve based analogue of RSA. In T. Helleseth, editor, Advances in Cryptology -- EUROCRYPT '93, volume 765 of Lecture Notes in Computer Science, pages 40--49. Springer-Verlag, 1994.
No context found.
N. Demytko, "A New Elliptic Curve Based Analogue of RSA," Proc. of Eurocrypt'93, 1993, pp. 40-49.
No context found.
N. Demytko. A new elliptic curve based analogue of RSA. In T. Helleseth, editor, Advances in Cryptology -- EUROCRYPT '93, volume 765 of Lecture Notes in Computer Science, pages 40--49. Springer-Verlag, 1994.
No context found.
N. Demytko. A new elliptic curve based analogue of RSA. In T. Helleseth, editor, Advances in Cryptology -- EUROCRYPT '95, volume 765 of Lecture Notes in Computer Science pages 40--49. Springer-Verlag, 1993.
No context found.
N. Demytko. A new elliptic curve based analogue of RSA. In T. Helleseth, editor, Advances in Cryptology -- EUROCRYPT '93, volume 765 of Lecture Notes in Computer Science, pages 40--49. Springer-Verlag, 1994.
No context found.
Demytko, N. A new elliptic curve based analogue of RSA. In Advance in Cryptology -- EUROCRYPT '93 (1993), T. Helleseth, Ed., vol. 765 of Lecture Notes in Computer Science, Springer-Verlag, pp. 40--49.
No context found.
N. Demytko. A new elliptic curve based analogue of RSA. EUROCRYPT '93, LNCS 765 40-49 (1993).