How to choose secret parameters for RSA - typecryptosystems over
نویسنده
چکیده
Recently, and contrary to the common belief, Rivest and Silverman argued that the use of strong primes is unnecessary in the RSA cryptosystem. This paper analyzes how valid this assertion is for RSA-type cryptosystems over elliptic curves. The analysis is more diicult because the underlying groups are not always cyclic. Previous papers suggested the use of strong primes in order to prevent factoring attacks and cycling attacks. In this paper, we only focus on cycling attacks because for both RSA and its elliptic curve-based analogues, the length of the RSA-modulus n is typically the same. Therefore, a factoring attack will succeed with equal probability against all RSA-type cryptosystems. We also prove that cycling attacks reduce to nd xed points, and derive a factorization algorithm which (most probably) completely breaks RSA-type systems over elliptic curves if a xed point is found.
منابع مشابه
How to choose secret parameters for RSA and its extensions to elliptic curves
Recently, and contrary to the common belief, Rivest and Silverman argued that the use of strong primes is unnecessary in the RSA cryptosystem. This paper analyzes how valid this assertion is for RSA and its extensions to elliptic curves. Over elliptic curves, the analysis is more difficult because the underlying groups are not always cyclic. Previous papers suggested the use of strong primes in...
متن کاملSplit Knowledge Generation of RSA Parameters
We show how it is possible for two parties to cooperate in generating the parameters for an RSA encryption system in such a w a y that neither individually has the ability to decrypt enciphered data. In order to decrypt data the two parties instead follow the cooperative procedure described.
متن کاملUcl Crypto Group Technical Report Series Faulty Rsa Encryption Faulty Rsa Encryption
The authors show that the presence of transient faults is dangerous when encrypting messages with the RSA cryptosystem. In particular, they show how a cryptanalyst can recover a plaintext without knowing the secret parameters.
متن کاملReconstruction and Error Correction of RSA Secret Parameters from the MSB Side
This paper discusses the factorization of the RSA modulus when some ‘partial information’ about the bits of the RSA secret parameters are known. Heninger and Shacham (Crypto 2009) considered the reconstruction of RSA secret parameters from a few randomly known bits, and Henecka, May and Meurer (Crypto 2010) studied the reconstruction of secret parameters when all the bits are known with some pr...
متن کاملBreaking Public Keys - How to Determine an Unknown RSA Public Modulus
Not surprisingly, the common use of any public key crypto system involves publishing the public key and keeping the private key secret. There are however a few applications where both the private and public key are kept secret, thereby effectively converting a public key crypto algorithm to a symmetric algorithm. We show that if the RSA cryptosystem is used in such a symmetric application, it i...
متن کامل