Hung-Min Sun,Mu-En Wu

2005-01-01

Abstract:Based on the Chinese Remainder Theorem (CRT), Quisquater and Couvreur proposed an RSA variant, RSA-CRT, to speedup RSA decryption. According to RSA-CRT, Wiener sug- gested another RSA variant, Rebalanced RSA-CRT, to further speedup RSA-CRT decryption by shifting decryption cost to encryption cost. However, such an approach will make RSA en- cryption very time-consuming because the public exponent e in Rebalanced RSA-CRT will be of the same order of magnitude as φ(N). In this paper we study the following problem: does there exist any secure variant of Rebalanced RSA-CRT, whose public exponent e is much shorter than φ(N)? We solve this problem by designing a variant of Rebalanced RSA-CRT with dp and dq of 198 bits. This variant has the public exponent e =2 511 +1such that its encryption is about 3 times faster than that of the original Rebalanced RSA-CRT.

Hung-Min Sun,Cheng-Ta Yang,Mu-En Wu

DOI: https://doi.org/10.1587/transfun.e92.a.912

2009-01-01

Abstract:In some applications, a short private exponent d is chosen to improve the decryption or signing process for RSA public key cryptosystem. However. in a typical RSA, if the private exponent d is selected first, the public exponent e should be of the same order Of magnitude as phi(N). Sun et al. devised three RSA variants Using unbalanced prime factors p and q to lower the computational cost. Unfortunately. Durfee & Nguyen broke the illustrated instances of the first and third variants by solving small roots to trivariate modular polynomial equations. They also indicated that the instances With Unbalanced primes p and q are more insecure than the instances with balanced p and q. This investigation focuses on designing a new RSA variant with balanced p and q, and short exponents d and e, to improve the Security of an RSA variant against the Durfee & Nguyen's attack, and the other existing attacks. Furthermore, the proposed variant (Scheme A) is also extended to another RSA variant (Scheme B) in which p and q are balanced, and a trade-off between the lengths of d and e is enable. In addition, We provide the security analysis and feasibility analysis of the proposed schemes.

Zhiyuan Liu,Xiaofei Wang,Guohua Cui,Jun Li

DOI: https://doi.org/10.13245/j.hust.2008.01.018

2008-01-01

Abstract:Technology of RSA (Ron Rivest, AdiShamir and Leonard Adleman) signcrypt was discussed. On the basis of universal padding from Coron's method, a new hybrid signcryption scheme using RSA was proposed. Assuming the intractability of RSA problem, the scheme was provably secure under the random oracle model. The simulation indicated that this scheme could signcrypt the message of any length and provide the non-repudiation in a simple manner, and its communication overload was only one RSA modular length. The scheme exceeds the traditional signature to encryption scheme in the bandwidth of message recovery.

Hung-Min Sun,M. Jason Hinek,Mu-En Wu

2005-01-01

Abstract:In 1982, Quisquater & Couvreur proposed a variant of RSA based on the Chinese Remainder Theorem, called RSA-CRT, to speed up RSA decryption. In 1990, Wiener suggested another variant, called Rebalanced RSA-CRT, which further speeds up RSA decryption by shifting decryption costs to encryption costs. However, this approach essentially maximizes the encryption time since the public exponent e in Rebalanced RSA-CRT is generally about the same order of magnitude as the RSA modulus. In this work1, we introduce two variants of Rebalanced RSA-CRT in which the public exponent e is much smaller than the modulus, thus reducing the encryption costs, while maintaining low decryption costs. For a 1024-bit modulus, our first variant (Scheme A) offers encryption times that are at least 2.6 times faster than that in the original Rebalanced RSA-CRT, while the second variant (Scheme B) offers encryption times at least 3 times faster. In both variants, the decrease in encryption costs is obtained at the expense of slightly increased decryption costs and increased key generation costs. Thus, the variants proposed here are best suited for applications which require low encryption/decryption costs but do not require key generation on the fly.

吕皖丽,钟诚

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.05.046

2004-01-01

Abstract:The existed ECDSA scheme does not fit for multisignature. This paper first improves the ECDSA scheme, and presents a digital signature approach based on the difficulty of solving the elliptic curve discrete logarithm problem (ECDLP). Moreover, the paper presents a multisignature scheme also based on the difficulty of solving the ECDLP. The analysis shows that the two schemes are correctness and robust.

Hung-Min Sun,Mu-En Wu,Wei-Chi Ting,M. Jason Hinek

DOI: https://doi.org/10.1109/tit.2007.901248

IF: 2.5

2007-01-01

IEEE Transactions on Information Theory

Abstract:We present new variants of an RSA whose key generation algorithms output two distinct RSA key pairs having the same public and private exponents. This family of variants, called dual RSA, can be used in scenarios that require two instances of RSA with the advantage of reducing the storage requirements for the keys. Two applications for dual RSA, blind signatures and authentication/secrecy, are proposed. In addition, we also provide the security analysis of dual RSA. Compared to normal RSA, the security boundary should be raised when applying dual RSA to the types of small-d, small-e, and rebalanced-RSA.

Hung-Min Sun,Cheng-Ta Yang

DOI: https://doi.org/10.1007/978-3-540-30580-4_14

2005-01-01

Abstract:In typical RSA, it is impossible to create a key pair (e,d) such that both are simultaneously much shorter than φ (N). This is because if d is selected first, then e will be of the same order of magnitude as φ (N), and vice versa. At Asiacrypt'99, Sun et al. designed three variants of RSA using prime factors p and q of unbalanced size. The first RSA variant is an attempt to make the private exponent d short below N0.25 and N0.292 which are the lower bounds of d for a secure RSA as argued first by Wiener and then by Boneh and Durfee. The second RSA variant is constructed in such a way that both d and e have the same bit-length $\frac{1}{2}\log _{2}N+56$. The third RSA variant is constructed by such a method that allows a trade-off between the lengths of d and e. Unfortunately, at Asiacrypt'2000, Durfee and Nguyen broke the illustrated instances of the first RSA variant and the third RSA variant by solving small roots to trivariate modular polynomial equations. Moreover, they showed that the instances generated by these three RSA variants with unbalanced p and q in fact become more insecure than those instances, having the same sizes of exponents as the former, in RSA with balanced p and q. In this paper, we focus on designing a new RSA variant with balanced d and e, and balanced p and q in order to make such an RSA variant more secure. Moreover, we also extend this variant to another RSA variant in which allows a trade-off between the lengths of d and e. Based on our RSA variants, an application to entity authentication for defending the stolen-secret attack is presented.

Hung-Min Sun,Mu-En Wu

2005-01-01

Abstract:Based on the Chinese Remainder Theorem (CRT), Quisquater and Couvreur proposed an RSA variant, RSA-CRT, to speed up RSA decryption. Then, Wiener suggested another RSA variant, Rebalanced RSA-CRT, to further accelerate RSA-CRT decryption by shifting decryp- tion cost to encryption cost. However, such an approach makes RSA encryption very time- consuming because the public exponent e in Rebalanced RSA-CRT is of the same order of magnitude as φ(N). In this paper we study the following problem: does there exist any secure variant of Rebalanced RSA-CRT, whose public exponent e is much shorter than φ(N) ?W e solve this problem by designing two variants of Rebalanced RSA-CRT, Scheme A and Scheme B. In Scheme A, we focus on designing a variant in which dp and dq are of 160 bits, and e =2 567 +1. Thus the encryption time is reduced to about 1 2.7 of the time required by the original Rebalanced RSA-CRT. Scheme B is a variant in which dp and dq are of 198 bits, and e =2 511 +1 .T hus its encryption is about 3 times faster than that of Rebalanced RSA-CRT, but the decryption is a little slower than that of Rebalanced RSA-CRT.

Liangliang Wang,Mi Wen,Kefei Chen,Zhongqin Bi,Yu Long

DOI: https://doi.org/10.1007/978-3-319-69471-9_19

2017-01-01

Abstract:Through the application of certificateless signature, certificate management in traditional signatures can be simplified. Furthermore, the key escrow problem in identity-based signatures can be solved as well. As history has shown, there has not been a general pairing-free certificateless signature scheme which is mainly designed with modular exponentiation and modular multiplication that can possess resistance to Type I and Type II adversaries so far. Therefore, a new hard mathematic problem is firstly defined in this paper, which is called variant of RSA problem. In the next step, a new general pairing-free certificateless signature scheme is proposed based on the newly defined variant of RSA problem and the well known discrete logarithm problem. Fortunately, the proposed scheme is also the first RSA-based certificateless signature scheme that can possess resistance to Type I and Type II adversaries. In addition, a formal security proof is provided to demonstrate that, under adaptively chosen message attacks, the proposed scheme is provably secure against Type I and Type II adversaries in the random oracle model. When compared with other known pairing-free certificateless signature schemes of the same type, the computation cost of our scheme is slightly higher, however, a higher security level can be achieved.

LiDong Han,XiaoYun Wang,GuangWu Xu

DOI: https://doi.org/10.1007/s11432-010-4029-2

2010-01-01

Science China Information Sciences

Abstract:This paper concerns the RSA system with private CRT-exponents. Since Chinese remainder rep- resentation provides efficiency in computation, such system is of some practical significance. In this paper, an existing attack to small private CRT-exponents is analyzed. It is indicated that this attack makes nice use of lattice in RSA analysis, but some argument does not hold in general. Several counterexamples are constructed. Refinements and more precise statements of the attack are given.

Hung-Min Sun,Mu-En Wu,M. Jason Hinek,Cheng-Ta Yang,Vincent S. Tseng

DOI: https://doi.org/10.1016/j.jss.2009.04.001

2009-01-01

Abstract:In 1982, Quisquater and Couvreur proposed an RSA variant, called RSA-CRT, based on the Chinese Remainder Theorem to speed up RSA decryption. In 1990, Wiener suggested another RSA variant, called Rebalanced-RSA, which further speeds up RSA decryption by shifting decryption costs to encryption costs. However, this approach essentially maximizes the encryption time since the public exponent e is generally about the same order of magnitude as the RSA modulus. In this paper, we introduce two variants of Rebalanced-RSA in which the public exponent e is much smaller than the modulus, thus reducing the encryption costs, while still maintaining low decryption costs. For a 1024-bit RSA modulus, our first variant (Scheme A) offers encryption times that are at least 2.6 times faster than that in the original Rebalanced-RSA, while the second variant (Scheme B) offers encryption times at least 3 times faster. In both variants, the decrease in encryption costs is obtained at the expense of slightly increased decryption costs and increased key generation costs. Thus, the variants proposed here are best suited for applications which require low costs in encryption and decryption.

Liu Xiaochuan,Chen Enhong

DOI: https://doi.org/10.3969/j.issn.1000-386X.2010.08.092

2010-01-01

Abstract:Based on elliptic curve digital signature function,a structured multi-signature scheme with the combination of sequential and broadcasting algorithms is proposed in this paper.At the same time,we also analyze the security of the scheme.The scheme is more flexible than others and can be adapted to various complex multi-signature structures.It can also satisfy with the safety properties required by the digital signature including non-forgeability,non-repudiation,forward-secure,anti-collusion attacks,replay attack prevention and forward security,etc.

Huafeng Wu,Haiguang Chen,Qiang Zhou,Chuanshan Gao

DOI: https://doi.org/10.1109/snpd.2007.33

2007-01-01

Abstract:We present an efficient improvement of the strong RSA signature scheme [1], which is very similar to Fischlin sig nature [2]. Both two signatures are based on strong RSA assumption. In the original scheme, the signer has to choose a prime with prescribed length in signing phase. Except that, three generators of QRn should be chosen in the set-up phase. Our scheme removes or relaxes these restrictions. It only needs to choose two generators of QRn and an odd. Our scheme saves about 1/2 computational cost of the original scheme. Moreover, we propose a blind signature scheme and a partially blind signature scheme based on the basic scheme. To the best of our knowledge, it's the first time to propose such a blind signature scheme and a partially blind signature scheme based on strong RSA assumption.

Duo Liu,Ping Luo,Yi-Qi Dai

DOI: https://doi.org/10.1007/s11390-007-9005-y

2007-01-01

Abstract:The concept of multisignature, in which multiple signers can cooperate to sign the same message and any verifier can verify the validity of the multi-signature, was first introduced by Itakura and Nakamura. Several multisignature schemes have been proposed since. Chen et al. proposed a new digital multi-signature scheme based on the elliptic curve cryptosystem recently. In this paper, we show that their scheme is insecure, for it is vulnerable to the so-called active attacks, such as the substitution of a “false” public key to a “true” one in a key directory or during transmission. And then the attacker can sign a legal signature which other users have signed and forge a signature himself which can be accepted by the verifier.

Yanli Ren,Shuozhong Wang,Xinpeng Zhang,Min-Shiang Hwang

2015-01-01

Abstract:In a batch verifying scheme, multiple RSA digital signatures can be verified simultaneously in just one exponential operation time. Currently, the verifier could not easily detect where the signature-verification fault was located in most schemes, if the batch verification fails. In this article, we proposed a new batch verifying multiple RSA digital signatures scheme based on a cube. The scheme can detect accurately where the signature-verification fault is located. Moreover, once the total number of signatures is fixed, the size of exponentiation operations is independent from the number of illegal signatures in our scheme. Therefore, our scheme has a better performance and higher efficiency than the previous ones. Finally, we described an extend batch verifying scheme under the condition of n-dimension.

Zhenhua Chen,Shundong Li,Youwen Zhu,Jianhua Yan,Xinli Xu

DOI: https://doi.org/10.1002/sec.1283

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:There are many researches on the polynomial-based verifiable (k, n) multi-secret sharing scheme (VMSSS), but none of them focuses on the Chinese remainder theorem (CRT)-based VMSSS so far. For the first time, we provide a cheater identifiable multi-secret sharing scheme based on CRT as an alternative method for VMSSS, which is unconditionally secure when the number of cheaters t <= (k - 1)/3. We adopt an encoding method, which makes multiple secrets to be transferred as a single one. In addition, we utilize a single keyed message authenticated code (MAC) to detect and identify cheaters in the reconstruction phase. Then, combine these two methods with a CRT-based Asmuth-Bloom's SSS to achieve our design goals. In our scheme, all participants share a single key of MAC rather than each participant possesses an independent key to check the validity of shares, and the size of share is independent in any of n, k, and t. Analyses show that our scheme is more efficient and secure than existing ones. Finally, as an example of the practical impact of our work, we present how our techniques can be applied to secure sum computation. Copyright (C) 2015 John Wiley & Sons, Ltd.

Shaohua Tang

2004-01-01

Journal of Information and Computational Science

Abstract:A new secret sharing and a new threshold RSA signature scheme are presented. The secret sharing scheme is characterized by fast computation as well as simple and secure operations, since only simple addition and union operations are adopted in this algorithm. The secret is divided into N pieces, and each piece is delivered to each different participant. Any K or greater than K participants out of N can reconstruct the secret, but any (M-1) or less than (M-1) participants would fail to recover the secret, where M = ⌈N/(N-K+1)⌉. This secret sharing scheme is applied to digital signature to construct a new threshold RSA signature. Each participant should calculate the partial signature for the message by using its own piece of shadow. Any K or greater than K participants out of N can combine each partial signature to form a complete signature for the message. But any (M-1) or less than (M-1) participants would fail to calculate the complete signature. During the phases of partial signature generation and partial signature combination, the RSA private key is never reconstructed and each participant's partial secret (shadow) is not necessary to expose to others, thus the secret of the RSA private key will not be exposed. Two schemes possess the security of threshold cryptography.

Hung-Min Sun,Mu-En Wu,Ron Steinfeld,Jian Guo,Huaxiong Wang

DOI: https://doi.org/10.1007/978-3-540-89641-8_4

2008-01-01

Abstract:LSBS-RSA denotes an RSA system with modulus primes, p and q , sharing a large number of least significant bits. In ISC 2007 , Zhao and Qi analyzed the security of short exponent LSBS-RSA. They claimed that short exponent LSBS-RSA is much more vulnerable to the lattice attack than the standard RSA. In this paper, we further raise the security boundary of the Zhao-Qi attack by considering another polynomial. Our improvemet supports the result of analogue Fermat factoring on LSBS-RSA, which claims that p and q cannot share more than $\frac{n}{4}$ least significant bits, where n is the bit-length of pq . In conclusion, it is a trade-off between the number of sharing bits and the security level in LSBS-RSA. One should be more careful when using LSBS-RSA with short exponents.

Wuqiang Shen,Shaohua Tang

DOI: https://doi.org/10.1093/comjnl/bxv056

2015-01-01

The Computer Journal

Abstract:At present, 'mixed-type' multivariate schemes are relatively rare except the Dragon scheme and its variants (Little Dragon Two scheme and Poly-Dragon scheme). However, they are insecure. In this paper, we first define a particular polynomial called Three-color Polynomial (this polynomial has three-class variables, and the form of the associated symmetric matrix of its quadratic part is similar to the 'three-color model' in colorimetry. So we call it three-color polynomial), and its corresponding Three-color Map. Based on the three-color map, we then present a mixed multivariate signature scheme named RGB (it means Red-Green-Blue, because the central map of this scheme is a three-color map, and the 'three-color' stands for RGB in colorimetry), which is a variant of the Unbalanced Oil-Vinegar (UOV) signature scheme. Compared with UOV, each polynomial of the central map of RGB has more cross-terms among all the variables {Y, Z, T}. The variable Y has much to do with message values. To a certain degree, the variable Y stands for the message values. This means that the message values can be more fully mixed with other variable values in the central map, and the adversary is very difficult to forge the signature. Thus, in theory RGB is more secure than UOV. Through detailed analysis, we find that RGB can resist current known algebraic attacks under proper parameters, such as exhaustive search attack, separation attack, MinRank attack and direct attack (other algebraic attacks are inapplicable for RGB). Besides, our experiments show that under choosing the security level of 2(80), the signing time of Magma implementation of RGB is 0.046 s on an ordinary Linux-PC with 2.50 GHz, and the signing time of its C implementation is similar to 0.003 s on an 800 MHz machine. The comparisons show that the signing speed of RGB is faster than that of Sflash(nu 2), Quartz, UOV, Rainbow and RSA-1024, and is slightly slower than that of ECDSA-163 and NTRUSign-251. Overall, this new scheme can attain very good performance in terms of security and efficiency.

Yao Lu,Rui Zhang,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-319-07536-5_10

2014-01-01

Abstract:In Crypto'03, Blomer and May provided several partial key exposure attacks on CRT-RSA. In their attacks, they suppose that an attacker can either succeed to obtain the most significant bits (MSBs) or the least significant bits (LSBs) of d(p) = d mod (p - 1) in consecutive order. For the case of known LSBs of dp, their algorithm is polynomial-time only for small public exponents e (i.e. e = poly(log N)). However, in some practical applications, we prefer to use large e (Like e approximate to d(p), to let the public and private operations with the same computational effort). In this paper, we propose some lattice-based attacks for this extended setting. For known LSBs case, we introduce two approaches that work up to e < N-3/8. Similar results (though not as strong) are obtained for MSBs case. We also provide detailed experimental results to justify our claims.