Gustavus J. Simmons and Michael J. Norris. Preliminary comment on the M.I.T. public-key cryptosystem. Cryptologia, 1:406-414, 1977.
....encryption function $f_K$, it is computationally infeasible to recover $f_K^{-1}$. Moreover, it might be suitable that the encryption function does not let the message unchanged, i.e. given a message $m \in M$, we want that $f_K(m) \neq m$. This is known as the message-concealing problem [3]. Simmons and Norris [29] exploited this feature for possibly recovering a plaintext from the only public information. Their attack, the so-called cycling attack, relies on the cycle detection of the ciphertext. This was later generalized by Williams and Schmid [31] (see also [7, 1]). There are basically two ways to ....
....k that satisfies the equation $c^{e^k} \equiv c \pmod{n}$ (13) then we can obviously recover the plaintext m by computing $m = c^{e^{k-1}} \bmod n$. Note that we do not have to factor the public modulus n, so this might be a serious failure for the RSA cryptosystem. This attack, firstly proposed by Simmons and Norris [29], was later extended by Williams and Schmid [31] (see also [7]) in the following way. Let P(t) be a polynomial. They showed that if the ciphertext c has a period such that $c^{P(g)} \equiv 1 \pmod{n}$ (14) for some integer g, then the plaintext m can be recovered. 4.2. Generalizing the cycling attack We can ....
G.J. Simmons and M.J. Norris. Preliminary comment on the M.I.T. public-key cryptosystem. Cryptologia, 1:406-414, 1977.
....and, together with the Diffie-Hellman key exchange scheme [6], is one of the most important public key systems. It is often thought that breaking the RSA system is as hard as factoring the public modulus n used in the system, but this has never been proved. The attack by Simmons and Norris [14] involving repeated encryptions has been shown to be unlikely to succeed if the primes dividing the modulus n are chosen carefully [12]. On the other hand, it has been pointed out that there are ways to employ the RSA system that can be cryptanalyzed without factoring n. For example, Knuth's ....
G. T. Simmons and J. N. Norris, Preliminary comments on the M.I.T. public-key cryptosystem, Cryptologia 1 (1977), 406-414.
....function $f_K$, it is computationally infeasible to recover $f_K^{-1}$. Moreover, it might be suitable that the encryption function does not let the message unchanged, i.e. given a message $m \in M$, we want that $f_K(m) \neq m$. This is known as the message-concealing problem [3]. Simmons and Norris [29] exploited this feature for possibly recovering a plaintext from the only public information. Their attack, the so-called cycling attack, relies on the cycle detection of the ciphertext. [Page footer: Technical Report No. TI 35 97, Technische Universitat Darmstadt, November] This was later generalized by Williams ....
....equation $c^{e^k} \equiv c \pmod{n}$ (13) then we can obviously recover the plaintext m by computing $m = c^{e^{k-1}} \bmod n$. Note that we do not have to factor the public modulus n, so this might be a serious failure for the RSA cryptosystem. This attack, firstly proposed by Simmons and Norris [29], was later extended by Williams and Schmid [31] (see also [7]) in the following way. Let P(t) be a polynomial. They showed that if the ciphertext c has a period such that $c^{P(g)} \equiv 1 \pmod{n}$ (14) for some integer g, then the plaintext m can be recovered. 4.2. Generalizing the cycling attack We ....
G.J. Simmons and M.J. Norris. Preliminary comment on the M.I.T. public-key cryptosystem. Cryptologia, 1:406--414, 1977.
....an algebraic expression in p has no impact on the validity of this observation. However, a non-smoothness condition on $p - 1$ is justified for a different reason. One way of deciphering ciphertexts in the RSA public key cryptosystem [79] without factoring the modulus is by iterated encryption [84]. In Appendix 2 a detailed analysis of this attack is given, and Theorem 6 states sufficient non-restrictive conditions on p and q that allow to provably foil this attack for any fixed given public exponent e. These conditions can be satisfied at no extra computational cost by a simple ....
G. Simmons and M. Norris, Preliminary comments on the M.I.T public key cryptosystem, Cryptologia, Vol. 1, No. 4, pp. 406-414, Oct. 1977.
....desirable prime is quite within the bound of practicality (see the next section). There is another reason why we may prefer the above form of prime for RSA moduli. One way of deciphering a ciphertext in the RSA system is to repeatedly encrypt the ciphertext until the original ciphertext comes out [42] (see also [37]). This can be seen from the observation that there always exists an integer k (n) for some b such that $b^{e^k} = b \bmod n$. We can easily show that the number of b's satisfying this recurrence relation is equal to $(1 + \gcd(e^k - 1;\ p - 1))\,(1 + \gcd(e^k - 1;$ ....
G.Simmons and M.Norris, Preliminary comments on the M.I.T. public key cryptosystem, Cryptologia, 1(4), 1977, pp.406-414.
....: a d of d integers. The described method for generating primes can be turned into a method for generating random secure RSA moduli (see [6]). One of the security constraints provably satisfied by the generated moduli is that the iterated encryption attack, first mentioned by Simmons and Norris [12], is infeasible. The generated numbers are claimed to be virtually uniformly distributed over the set of integers that lie in a given interval, are the product of exactly two primes and satisfy the security constraints. This claim is justified in Section 3 by considering the probability ....
G. Simmons and M. Norris, Preliminary comments on the M.I.T public key cryptosystem, Cryptologia, vol. 1, no. 4, pp. 406-414, Oct. 1977.
No context found.
Gustavus J. Simmons and Michael J. Norris. Preliminary comment on the M.I.T. public-key cryptosystem. Cryptologia, 1:406-414, 1977.
No context found.
Gustavus J. Simmons and Michael J. Norris. Preliminary comment on the M.I.T. public-key cryptosystem. Cryptologia, 1:406--414, 1977.
No context found.
Gustavus J. Simmons and Michael J. Norris. Preliminary comment on the M.I.T. public-key cryptosystem. Cryptologia, 1:406-414, 1977.
No context found.
G.J. Simmons and M.J. Norris. Preliminary comment on the M.I.T. public-key cryptosystem. Cryptologia, 1:406--414, 1977.
No context found.
Gustavus J. Simmons and Michael J. Norris. Preliminary comment on the M.I.T. public-key cryptosystem. Cryptologia, 1:406--414, 1977.
No context found.
G.J. Simmons and M.J. Norris. Preliminary comment on the M.I.T. public-key cryptosystem. Cryptologia, 1:406--414, 1977.
No context found.
G.J. Simmons and M.J. Norris. Preliminary comment on the M.I.T. public-key cryptosystem. Cryptologia, 1:406--414, 1977.
No context found.
Gustavus J. Simmons and Michael J. Norris. Preliminary comment on the M.I.T. public-key cryptosystem. Cryptologia, 1:406-414, 1977.
No context found.
G.J. Simmons and M.J. Norris. Preliminary comment on the M.I.T. public-key cryptosystem. Cryptologia, 1:406--414, 1977.
No context found.
G. Simmons and M. Norris, Preliminary comments on the M.I.T public key cryptosystem, Cryptologia, Vol. 1, No. 4, Oct. 1977, pp. 406-414.