Bleichenbacher D., On the security of KMOV public key cryptosystem. LNCS Crypto'97v.1294, 235-348(1997).
....may enable to prove several attacks which are for now, only heuristic. Indeed, there are applications to the security of the RSA encryption scheme when a very low public exponent or a low private exponent is used (see [16] for a survey) and related schemes such as the KMOV cryptosystem (see [12]). In particular, the experimental evidence of [19, 12, 46] shows that the method is very effective in practice for certain polynomials. 24 Remarks. In the case of univariate polynomials, there was basically no choice over the polynomials q u;v (x) x used to generate the appropriate ....
....for now, only heuristic. Indeed, there are applications to the security of the RSA encryption scheme when a very low public exponent or a low private exponent is used (see [16] for a survey) and related schemes such as the KMOV cryptosystem (see [12]). In particular, the experimental evidence of [19, 12, 46] shows that the method is very effective in practice for certain polynomials. 24 Remarks. In the case of univariate polynomials, there was basically no choice over the polynomials q u;v (x) x used to generate the appropriate univariate integer polynomial equation satisfied by all small ....
D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In 1997.
....points. He then deduced rigorous polynomial attacks, as opposed to traditional heuristic lattice-based attacks. Finding small integer roots of a modular polynomial equation has great practical significance, for instance with the low exponent RSA encryption scheme, or the KMOV cryptosystem (see [1]). More precisely, in the case of low exponent RSA, such roots are related to the problems of encryption of stereotyped messages, random padding and broadcast applications. However, Coppersmith did not deal with practical issues: the practical behaviour of his attack was unclear. On the one hand, ....
....Coppersmith's theorems, one might still obtain fairly good results. In this paper, we present extensive experiments with Coppersmith's method applied to the low exponent RSA case, and discuss various trade-offs together with practical improvements. To our knowledge, only limited experiments (see [1, 9]) had previously been carried out. Our experiments tend to validate Coppersmith's approach. Most of the time, we obtained experimental bounds close to the maximal theoretical bounds. For instance, sending e linearly related messages to participants with the same public exponent e is theoretically ....
[Article contains additional citation context not shown here]
D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In Proc. of Crypto '97, volume 1294 of LNCS, pages 235--248. Springer-Verlag, 1997.
....may enable to prove several attacks which are for now, only heuristic. Indeed, there are applications to the security of the RSA encryption scheme when a very low public exponent or a low private exponent is used (see [13] for a survey) and related schemes such as the KMOV cryptosystem (see [9]). In particular, the experimental evidence of [15, 9] shows that the method is very effective in practice for certain polynomials. Remarks. In the case of univariate polynomials, there was basically no choice over the polynomials q u;v (x) N h Gamma1 Gammav used to generate the ....
....for now, only heuristic. Indeed, there are applications to the security of the RSA encryption scheme when a very low public exponent or a low private exponent is used (see [13] for a survey) and related schemes such as the KMOV cryptosystem (see [9]). In particular, the experimental evidence of [15, 9] shows that the method is very effective in practice for certain polynomials. Remarks. In the case of univariate polynomials, there was basically no choice over the polynomials q u;v (x) N h Gamma1 Gammav used to generate the appropriate univariate integer polynomial equation satisfied by ....
D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In Proc. of Crypto '97, volume 1294 of LNCS. IACR, Springer-Verlag, 1997.
....e w( 2 c mod n: If b 1 = 1 then e w( w( For b 1 = 1 we obtain w( as e w( c s e w( s c c(s w) s w c 4.2 Further Security Requirements Although by the introduction of the hash function, the attacks of applying Proposition 6. 1 (similar to those in [5, 8, 15]) seem to be complicated, the question remains whether any attacks exploiting some partial information about E(w) respectively h(a(w) mod n) can successfully be mounted. This stems from the fact that any deterministic encryption function E already per se exposes some information on the message. ....
....schemes of section 2.2 that are being applied within our algorithms. Proposition 6.1. Let b 1 be fixed and E(w) as well a(w) be given. Then there is an efficient algorithm for evaluating the underlying message w. Proof. For establishing this result we adopt the ideas of the attack developed in [5]. Let A = a(w) 1 = 2c and B = 2A 1. Then w = cB: We may assume that A mod n exists. We now consider the extension R = ZZ[x] x cB; n) i.e. the elements of R are polynomials of degree 1 at most with coefficients modulo n. All arithmetic operations (addition, multiplication, ....
[Article contains additional citation context not shown here]
D. Bleichenbacher, On the Security of the KMOV Public Key Cryptosystem, Advances in Cryptology - Crypto'97, LNCS 1294, Springer-Verlag (1997) pp. 235 - 248.
....Since our cryptosystem can be viewed as an improvement of KMOV scheme, let us briefly comment why the most known attacks on KMOV do not apply to our new scheme. In most cases these attacks extend previous successful attacks on RSA (see [2] for a recent overview). The attacks on KMOV described in [19, 1, 15] do not apply to our scheme, at least in their actual formulation, because they take advantage of KMOV scheme not being probabilistic. These attacks, to name a few, use the fact that the message and the ciphertext are points on the same curve (see [19, 1]) or use homomorphic properties when a ....
....The attacks on KMOV described in [19, 1, 15] do not apply to our scheme, at least in their actual formulation, because they take advantage of KMOV scheme not being probabilistic. These attacks, to name a few, use the fact that the message and the ciphertext are points on the same curve (see [19, 1]) or use homomorphic properties when a sender encrypts the same message with different keys (as the common attack modulus in [15]). 7 Conclusions and further research In this paper we have presented a new elliptic curve based scheme over the ring Z n 2, with n an RSA modulus. We prove that the ....
D. Bleichenbacher. On the security of the KMOV public key cryptosystems. CRYPTO '97, LNCS 1294 235-248 (1997)
....We carried out cryptanalysis of secret keys up to d N 0:278 . We also compared our experimental results with the experimental results of Boneh and Durfee. In [3] they only provided examples with d N 0:265 . In all cases we considered, our method was faster. 1 This includes among others [1, 4, 8, 12] 2 The Boneh Durfee Lattice In this section we review the lattice attack by Boneh and Durfee on low exponent RSA. For an introduction into lattice theory and lattice basis reduction, we refer to the textbooks [9, 17]. Descriptions of Wiener's RSA attack and the method of Coppersmith can be ....
D. Bleichenbacher, "On the Security of the KMOV public key cryptosystem", Proc. of Crypto '97
....such cryptosystems. It has been proven that the difficulty of breaking the Rabin cryptosystem is computationally equivalent to the difficulty of factoring problem [53] In addition, it has been pointed out that the Koyama scheme can be easily broken if this scheme is used under special conditions [8]. In this thesis, we describe the relationship between the factoring problem and a certain algebraic geometric problem related to the difficulty of breaking the KMOV cryptosystem. Moreover, we generalize the RSA cryptosystem by using multi variate rational functions and analyze its security. The ....
....One of them is the Koyama scheme [28] This scheme is based on operations over singular cubic curves: y 2 axy = x 3 . It has been proven that breaking this scheme (or obtaining the whole plaintext) is computationally equivalent to breaking the original RSA scheme. Furthermore, Bleichenbacher [8] proved that if an attacker knows half of the plaintext, he can recover the other half of the plaintext in polynomial time. In this chapter, we generalize the Koyama scheme by using multi variate rational functions. Then, we evaluate the speed of encryption and decryption of the generalized ....
[Article contains additional citation context not shown here]
D. Bleichenbacher, "On the Security of the KMOV Public Key Cryptosystem," Proc. of CRYPTO'97, LNCS 1294, pp. 235--248, 1997.
....independent equations. It is still an open problem to state precisely when this can be guaranteed, although all experiments to date suggest this is an accurate heuristic assumption to make when inequality (3) holds. We note that a similar assumption is used in the work of Bleichenbacher [1] and Jutla [8]. The second problem is more down to earth: how can we make sure that vol(L) is small enough to satisfy inequality (3)? Note that Hadamard's bound is unlikely to be useful. Indeed, in general, some of the coefficients of f(x; y) are about the size of e, so that kh u1 ;u 2 ;v (xX; yY )k ....
D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In Proc. of Crypto '97, volume 1294 of LNCS, pages 235-248. IACR, Springer-Verlag, 1997.
....explain their running time. In our case, the heuristic assumption we make is that the two shortest vectors in an LLL reduced basis give rise to algebraically independent polynomials. Our experiments confirm this assumption. We note that a similar assumption is used in the work of Bleichenbacher [1] and Jutla [7]. Our work raises two natural open problems. The first is to make our attack rigorous. More importantly, our work is an application of Coppersmith's techniques to bivariate modular polynomials. It is becoming increasingly important to rigorously prove that these techniques can be ....
D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In proceedings Crypto '97, Lecture Notes in Computer Science, vol. 1294, Springer-Verlag, pp. 235-248, 1997.
....independent equations. It is still an open problem to state precisely when this can be guaranteed, although all experiments to date suggest this is an accurate heuristic assumption to make when inequality (3) holds. We note that a similar assumption is used in the work of Bleichenbacher [1] and Jutla [8]. The second problem is more down to earth: how can we make sure that vol(L) is small enough to satisfy inequality (3)? Note that Hadamard's bound is unlikely to be useful. Indeed, in general, some of the coefficients of f(x; y) are about the size of e, so that kh u1 ;u2 ;v (xX; yY ....
D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In Proc. of Crypto '97, volume 1294 of LNCS, pages 235--248. IACR, Springer-Verlag, 1997.
....may enable to prove several attacks which are for now, only heuristic. Indeed, there are applications to the security of the RSA encryption scheme when a very low public exponent or a low private exponent is used (see [13] for a survey) and related schemes such as the KMOV cryptosystem (see [9]). In particular, the experimental evidence of [15, 9] shows that the method is very effective in practice for certain polynomials. Remarks. In the case of univariate polynomials, there was basically no choice over the polynomials $q_{u,v}(x) = N^{h-1-v} x^u P(x)^v$ used to generate ....
....for now, only heuristic. Indeed, there are applications to the security of the RSA encryption scheme when a very low public exponent or a low private exponent is used (see [13] for a survey) and related schemes such as the KMOV cryptosystem (see [9]). In particular, the experimental evidence of [15, 9] shows that the method is very effective in practice for certain polynomials. Remarks. In the case of univariate polynomials, there was basically no choice over the polynomials $q_{u,v}(x) = N^{h-1-v} x^u P(x)^v$ used to generate the appropriate univariate integer polynomial equation ....
D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In Proc. of Crypto '97, volume 1294 of LNCS. IACR, Springer-Verlag, 1997.
....modulus for all users, have shown to be vulnerable ( 8, 12] respectively) as well. Finally, it was suggested to use other group structures, such as elliptic curves or Lucas functions [14, 9, 17] but as was discovered recently, these variants do not provide better security than the basic scheme [1 3]. In 1986 de Jonge and Chaum suggested a generalization of the RSA signature scheme [13] and discussed several of its instances. In particular, they showed that many special cases are vulnerable to adaptive attacks [7] that make use of the multiplicative property of the RSA scheme. They came up ....
D. Bleichenbacher, "On the Security of the KMOV Public Key cryptosystem", LNCS 1294, Proc. Crypto'97, Springer-Verlag, (1997), pp. 235--248.
....As cryptology is a fast developing area and especially elliptic curve cryptology gets currently much attention the results in this document with respect to security and performance of systems are subject to change. For example recent results on the security of the KMOV systems are given in [Ble97]. A list of acknowledgments was obsolete in the original version of this thesis. To the best of my remembrance I will try to reconstruct a list of acknowledgments, that I would have given in February 1997. I would like to thank my supervisors from the NBV Marcel van Asperdt and Patrick Bours for ....
D. Bleichenbacher, On the Security of the KMOV Public Key Cryptosystem, Advances in Cryptology - Crypto '97, LNCS 1294, Springer-Verlag, 1997, pp. 235--248.
....explain their running time. In our case, the heuristic assumption we make is that the two shortest vectors in an LLL reduced basis give rise to algebraically independent polynomials. Our experiments confirm this assumption. We note that a similar assumption is used in the work of Bleichenbacher [1] and Jutla [5]. Our work raises two natural open problems. The first is to make our attack rigorous. More importantly, our work is an application of Coppersmith's techniques to bivariate modular polynomials. It is becoming increasingly important to rigorously prove that these techniques can be ....
D. Bleichenbacher, "On the security of the KMOV public key cryptosystems", Proc. of Crypto '97, pp. 235--248.
....points. He then deduced rigorous polynomial attacks, as opposed to traditional heuristic lattice-based attacks. Finding small integer roots of a modular polynomial equation has great practical significance, for instance with the low exponent RSA encryption scheme, or the KMOV cryptosystem (see [1]). More precisely, in the case of low exponent RSA, such roots are related to the problems of encryption of stereotyped messages, random padding and broadcast applications. However, Coppersmith did not deal with practical issues: the practical behaviour of his attack was unclear. On the one hand, ....
....Coppersmith's theorems, one might still obtain fairly good results. In this paper, we present extensive experiments with Coppersmith's method applied to the low exponent RSA case, and discuss various trade-offs together with practical improvements. To our knowledge, only limited experiments (see [1, 9]) had previously been carried out. Our experiments tend to validate Coppersmith's approach. Most of the time, we obtained experimental bounds close to the maximal theoretical bounds. For instance, sending e linearly related messages to participants with the same public exponent e is theoretically ....
[Article contains additional citation context not shown here]
D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In Proc. of Crypto '97, volume 1294 of LNCS, pages 235--248. Springer-Verlag, 1997.
....explain their running time. In our case, the heuristic assumption we make is that the two shortest vectors in an LLL reduced basis give rise to algebraically independent polynomials. Our experiments confirm this assumption. We note that a similar assumption is used in the work of Bleichenbacher [1] and Jutla [5]. Our work raises two natural open problems. The first is to make our attack rigorous. More importantly, our work is an application of Coppersmith's techniques to bivariate modular polynomials. It is becoming increasingly important to rigorously prove that these techniques can be ....
D. Bleichenbacher, "On the security of the KMOV public key cryptosystem", Proc. of Crypto '97, pp. 235-248.
No context found.
Bleichenbacher D., On the security of KMOV public key cryptosystem. LNCS Crypto'97v.1294, 235-348(1997).
No context found.
D. Bleichenbacher, "On the Security of the KMOV public key cryptosystem", Proc. of Crypto '97
No context found.
D. Bleichenbacher, "On the Security of the KMOV public key cryptosystem", Advances in Cryptology - Crypto '97, Lecture Notes in Computer Science vol. 1294. Springer-Verlag, pp. 235--248, 1997
No context found.
Bleichenbacher D., On the security of KMOV public key cryptosystem. LNCS Crypto'97v.1294, 235-348,1997.
No context found.
D. Bleichenbacher. On the security of the KMOV public key cryptosystem. In proceedings Crypto '97, Lecture Notes in Computer Science, vol. 1294, Springer-Verlag, pp. 235-248, 1997.
No context found.
D. Bleichenbacher, On the security of the KMOV public key cryptosystem, CRYPTO'97, Springer LNCS 1294, 235--248, 1997.