Results 1 - 10 of 11
Selecting Cryptographic Key Sizes
- TO APPEAR IN THE JOURNAL OF CRYPTOLOGY, SPRINGER-VERLAG, 2001
Cited by 205 (5 self)
In this article we offer guidelines for the determination of key sizes for symmetric cryptosystems, RSA, and discrete logarithm based cryptosystems both over finite fields and over groups of elliptic curves over prime fields. Our recommendations are based on a set of explicitly formulated parameter settings, combined with existing data points about the cryptosystems.
Cryptanalysis of RSA with Private Key d Less Than N^0.292
- IEEE Transactions on Information Theory, 2000
Cited by 85 (5 self)
We show that if the private exponent d used in the RSA public-key cryptosystem is less than N^0.292 then the system is insecure. This is the first improvement over an old result of Wiener showing that when d is less than N^0.25 the RSA system is insecure. We hope our approach can be used to eventually improve the bound to d less than N^0.5.
Generating RSA Keys on a Handheld Using an Untrusted Server
- In RSA 2000, 2000
Cited by 18 (0 self)
We show how to efficiently generate RSA keys on a low power handheld device with the help of an untrusted server. Most of the key generation work is offloaded onto the server. However, the server learns no information about the key it helped generate. We experiment with our techniques and show they result in up to a factor of 5 improvement in key generation time. The resulting RSA key looks like an RSA key for paranoids. It can be used for encryption and key exchange, but cannot be used for signatures.
Cryptanalysis of Unbalanced RSA with Small CRT-Exponent
- 2002
Cited by 9 (1 self)
We present lattice-based attacks on RSA with prime factors p and q of unbalanced size. In our scenario, the factor q is smaller than and the decryption exponent d is small modulo p-1. We introduce two approaches that both use a modular bivariate polynomial equation with a small root. Extracting this root is in both methods equivalent to the factorization of the modulus N = pq. Applying a method of Coppersmith, one can construct from a bivariate modular equation a bivariate polynomial f(x, y) over Z that has the same small root. In our first method, we prove that one can extract the desired root of f(x, y) in polynomial time. This method works up to # 0.382. Our second method uses a heuristic to find the root. This method improves upon the first one by allowing larger values of d modulo p-1.
On the design of RSA with short secret exponent
- Proc. of Asiacrypt ’99, LNCS, 1999
Cited by 9 (1 self)
Based on continued fractions Wiener showed that a typical RSA system can be to-
A New Public-Key Cryptosystem over Quadratic Orders with Quadratic Decryption Time
- 2000
Cited by 5 (2 self)
We present a new cryptosystem based on ideal arithmetic in quadratic orders. The method of our trapdoor is different from the Diffie-Hellman key distribution scheme or the RSA cryptosystem. The plaintext m is encrypted by mp^r, where p is a fixed element and r is a random integer, so our proposed cryptosystem is a probabilistic encryption scheme and has the homomorphy property. The most prominent property of our cryptosystem is the cost of the decryption, which is of quadratic bit complexity in the length of the public key. Our implementation shows that it is comparably as fast as the encryption time of the RSA cryptosystem with e = 2^16 + 1. The security of our cryptosystem is closely related to factoring the discriminant of a quadratic order. When we choose appropriate sizes of the parameters, the currently known fast algorithms, for examples, the elliptic curve method, the number field sieve, the Hafner-McCurley algorithm, are not applicable. We also discuss that the chosen cip...
Key Length
- CONTRIBUTION TO "THE HANDBOOK OF INFORMATION SECURITY", 2004
Cited by 5 (0 self)
The key length used for a cryptographic protocol determines the highest security it can offer. If the key is found or ‘broken’, the security is undermined. Thus, key lengths must be chosen in accordance with the desired security. In practice, key lengths are mostly determined by standards, legacy system compatibility issues, and vendors. From a theoretical point of view selecting key lengths is more involved. Understanding the relation between security and key lengths and the impact of anticipated and unexpected cryptanalytic progress, requires insight into the design of the cryptographic methods and the mathematics involved in the attempts at breaking them. In this chapter practical and theoretical aspects of key size selection are discussed.
Secure Computations on Handheld Devices with the Help of an Untrusted Server
- The 7th World Multiconference on Systemics, Cybernetics and Informatics (SCI 2003), 2003
Cited by 1 (1 self)
Recently, handheld devices have become one of the most popular computing tools. Although handheld devices are able to perform anything that a PC can do, their lack of computing power makes it next to impossible to perform some heavy calculations. Hence it appears very useful to have a combination of a handheld with a PC, where the PC can perform heavy calculations to assist the handheld. However, we must be assured that the PC will not have learnt anything from the interaction. In this paper, we show two schemes which involve some server-aided computation where the server has not learnt anything from the interaction with the handheld device. The first scheme is to generate a strong prime number in a handheld, which can be used as a candidate for the RSA algorithm. The second scheme is to allow the server to behave as an authentication oracle on behalf of the handheld. The handheld will prepare a message that needs to be authenticated by sending it to the server in a blinded form, so that the server will not learn about the message. On the other hand, the handheld will not learn about the server's secret.

