The Insecurity of Esign in Practical Implementations

  • Pierre-Alain Fouque, Nick Howgrave-Graham, Gwenaëlle Martinet, Guillaume Poupard
Provable security usually makes the assumption that a source of perfectly random and secret data is available. However, in practical applications, and especially when smart cards are used, random generators are often far from being perfect or may be monitored using probing or electromagnetic analysis. The consequence is the need of a careful evaluation of actual security when idealized random generators are implemented. In this paper, we show that Esign signature scheme, like many cryptosys… 

A Survey of ESIGN : State of the Art and Proof of Security

ESIGN was developed as an improvement to RSA: it offers lower computational complexity while still relying on the hardness of the e-th root mod n problem for its security.

Protocol Engineering Principles for Cryptographic Protocols Design

  • Ling Dong, Kefei Chen, M. Wen, Yanfei Zheng
  • Computer Science, Mathematics
    Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007)
  • 2007
This paper regards cryptographic protocol design as system engineering; this viewpoint lets it efficiently expose the implicit assumptions behind cryptographic protocol design and present operational principles for uncovering these subtleties.

Engineering Principles for Security Design of Protocols

Cryptographic protocol engineering is a new notion introduced in this book, derived from software engineering methods, that gives a set of principles for cryptographic protocol design.

D-S Theory-based Trust Model FIRE^+ in Multi-agent Systems

  • Pingping Lu, Bin Li, Maolin Xing, Liang Li
  • Computer Science
    Eighth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2007)
  • 2007
A Fire+ trust model is presented that uses the utility loss of each issue to evaluate trust values; it introduces the concept of information amount to derive each issue's weight, from which the overall trust value of the target agent is obtained.

Flaws in Applying Proof Methodologies to Signature Schemes

This work found that the ESIGN proof does not hold in the usual security model but only in a more restricted one, and gives further examples showing that provable security is more subtle than it first appears.

The Insecurity of the Digital Signature Algorithm with Partially Known Nonces

A polynomial-time algorithm that provably recovers the signer's secret DSA key when a few consecutive bits of the random nonces k are known for a number of DSA signatures at most linear in log q, under a reasonable assumption on the hash function used in DSA.

Cryptanalysis: a survey of recent results

Attacks on the knapsack cryptosystems, congruential generators, and a variety of two key secrecy and signature schemes are discussed, and some of the basic tools available to the cryptanalyst are explained.

"Pseudo-Random" Number Generation Within Cryptographic Algorithms: The DDS Case

It is shown that if random numbers for DSS are generated using a linear congruential pseudorandom number generator (LCG) then the secret key can be quickly recovered after seeing a few signatures, illustrating the high vulnerability of the DSS to weaknesses in the underlying random number generation process.

How to Break Okamoto's Cryptosystem by Reducing Lattice Bases

It is shown here that it can, for any odd n, solve, in polynomial probabilistic time, quadratic equations modulo n, even if the factorisation of n is hidden, provided the authors are given a sufficiently good approximation of the solutions.

Attacking Unbalanced RSA-CRT Using SPA

Efficient implementations of RSA on computationally limited devices, such as smartcards, often use the CRT technique in combination with Garner’s algorithm in order to make the computation of modular

Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes

We show that computing the most significant bits of the secret key in a Diffie-Hellman key-exchange protocol from the public keys of the participants is as hard as computing the secret key itself.

An Attack on RSA Given a Small Fraction of the Private Key Bits

We show that for low public exponent RSA, given a quarter of the bits of the private key an adversary can recover the entire private key. Similar results (though not as strong) are obtained for

A Fast Signature Scheme Based on Quadratic Inequalities

A new digital signature scheme is proposed in which the computation time is several hundred times faster than the RSA scheme and in which the key length and signature length are almost comparable to

Simplified OAEP for the RSA and Rabin Functions

  • D. Boneh
  • Computer Science, Mathematics
  • 2001
It is shown that for the Rabin and RSA trapdoor functions a much simpler padding scheme is sufficient for chosen ciphertext security in the random oracle model and that only one round of a Feistel network is sufficient.