Designs, Codes and Cryptography

, Volume 23, Issue 3, pp 297–316 | Cite as

How to Choose Secret Parameters for RSA-Type Cryptosystems over Elliptic Curves

  • Marc Joye
  • Jean-Jacques Quisquater
  • Tsuyoshi Takagi


Recently, and contrary to the common belief, Rivest and Silverman argued that the use of strong primes is unnecessary in the RSA cryptosystem. This paper analyzes how valid this assertion is for RSA-type cryptosystems over elliptic curves. The analysis is more difficult because the underlying groups are not always cyclic. Previous papers suggested the use of strong primes in order to prevent factoring attacks and cycling attacks. In this paper, we only focus on cycling attacks because for both RSA and its elliptic curve-based analogues, the length of the RSA-modulus n is typically the same. Therefore, a factoring attack will succeed with equal probability against all RSA-type cryptosystems. We also prove that cycling attacks reduce to find fixed points, and derive a factorization algorithm which (most probably) completely breaks RSA-type systems over elliptic curves if a fixed point is found.

RSA-type cryptosystems cycling attacks elliptic curves strong primes 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    S. Berkovits, Factoring via superencryption, Cryptologia, Vol. 6, No. 3 (1982) pp. 229–237.Google Scholar
  2. 2.
    B. Blakley and G. R. Blakley, Security of number theoretic cryptosystems against random attack, I, II, III, Cryptologia, Vol. 2, No. 4 (1978) pp. 305–312; Vol. 3, No. 1 (1979) pp. 29–42; Vol. 3, No. 2 (1979) pp. 105–118.Google Scholar
  3. 3.
    G. R. Blakey and I. Borosh, Rivest-Shamir-Adleman public key cryptosystems do not always conceal messages, Comp. & Maths. with Appls., Vol. 5 (1979) pp. 169–178.Google Scholar
  4. 4.
    N. Demytko, A new elliptic curve based analogue of RSA. In Advances in Cryptology—EUROCRYPT' 93 (T. Helleseth, ed.), volume 765 of Lecture Notes in Computer Science, Springer-Verlag (1994) pp. 40–49.Google Scholar
  5. 5.
    J. Gordon, Strong RSA keys, Electronics Letters, Vol. 20, No. 12 (1984) pp. 514–516.Google Scholar
  6. 6.
    J. A. Gordon, Strong primes are easy to find. In Advances in Cryptology—EUROCRYPT' 84 (T. Beth, N. Coth, I. Ingermarsson, eds.), volume 209 of Lecture Notes in Computer Science, Springer-Verlag (1985) pp. 216–223.Google Scholar
  7. 7.
    T. Herlestam, Critical remarks on some public-key cryptosystems, BIT, Vol. 17 (1978) pp. 493–496.Google Scholar
  8. 8.
    International Organization for Standardization, The RSA public-key cryptosystem, Annex C of ISO/IEC 9594-8, Geneva (Switzerland), 1989.Google Scholar
  9. 9.
    N. Koblitz, Elliptic curve cryptosystems, Math. of Comp., Vol. 48, No. 177 (1987) pp. 203–209.Google Scholar
  10. 10.
    K. Koyama, U. M. Maurer, T. Okamoto and S. A. Vanstone, New public-key schemes based on elliptic curves over the ring Zn. In Advances in Cryptology—CRYPTO' 91 (J. Feigenbaum, ed.), volume 576 of Lecture Notes in Computer Science, Springer-Verlag (1992) pp. 252–266.Google Scholar
  11. 11.
    D. E. Knuth and L. Trabb-Pardo, Analysis of a simple factorization algorithm, Theoretical Computer Sc., Vol. 3 (1976) pp. 321–348.Google Scholar
  12. 12.
    H. Kuwakado and K. Koyama, Efficient cryptosystems over elliptic curves based on a product of form-free primes, IEICE Trans. Fundamentals, Vol. E77-A, No. 8 (1994) pp. 1309–1318.Google Scholar
  13. 13.
    H. W. Lenstra, Jr., Factoring integers with elliptic curves, Annals of Mathematics, Vol. 126 (1987) pp. 649–673.Google Scholar
  14. 14.
    The LiDIA Group, LiDIA—A library for computational number theory. Available at URL http://www., Technische Universität Darmstadt, Germany.Google Scholar
  15. 15.
    U. M. Maurer, Fast generation of secure RSA-moduli with almost maximal diversity. In Advances in Cryptology—EUROCRYPT' 89 (J.-J. Quisquater, J. Vandewalle, eds.), volume 434 of Lecture Notes in Computer Science, Springer-Verlag (1990) pp. 636–647.Google Scholar
  16. 16.
    U. M. Maurer, Fast generation of prime numbers and secure public-key cryptographic parameters, Journal of Cryptology, Vol. 8, No. 3 (1995) pp. 123–155. An earlier version appeared in [15].Google Scholar
  17. 17.
    A. J. Menezes, Elliptic curve public key cryptosystems, Kluwer Academic Publishers (1993).Google Scholar
  18. 18.
    A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of applied cryptography, CRC Press (1997).Google Scholar
  19. 19.
    V. Miller, Use of elliptic curves in cryptography. In Advances in Cryptology—CRYPTO' 85 (H. C. Williams, ed.), volume 218 of Lecture Notes in Computer Science, Springer-Verlag (1986) pp. 417–426.Google Scholar
  20. 20.
    J. H. Moore, Protocol failures in cryptosystems. In Contemporary Cryptology (G. Simmons, ed.), IEEE Press (1992) pp. 541–558.Google Scholar
  21. 21.
    R. G. E. Pinch, On using Carmichael numbers for public-key encryption systems. In Cryptography and Coding (M. Darneel, ed.), volume 1355 of Lecture Notes in Computer Science, Springer-Verlag (1997) pp. 265–269.Google Scholar
  22. 22.
    H. Riesel, Prime Numbers and Computer Methods for Factorization, 2nd ed., Birkh¨auser, 1994.Google Scholar
  23. 23.
    R. L. Rivest, Remarks on a proposed cryptanalytic attack on the M.I.T. public-key cryptosystem, Cryptologia, Vol. 2, No. 1 (1978) pp. 62–65.Google Scholar
  24. 24.
    R. L. Rivest, Critical remarks on “Critical remarks on some public-key cryptosysterns” by T. Herlestam, BIT, Vol. 19 (1979) pp. 274–275.Google Scholar
  25. 25.
    R. L. Rivest and R. D. Silverman, Are 'strong' primes needed for RSA. In The 1997 RSA Laboratories Seminar Series, Seminars Proceedings, 1997.Google Scholar
  26. 26.
    R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, Vol. 21, No. 2, February (1978) pp. 120–126.Google Scholar
  27. 27.
    J. H. Silverman, The Arithmetic of Elliptic Curves, GTM 106, Springer-Verlag (1986).Google Scholar
  28. 28.
    R. D. Silverman, Fast generation of random, strong RSA primes, CryptoBytes, Vol. 3, No. 1 (1997) pp. 9–13.Google Scholar
  29. 29.
    G. J. Simmons and M. J. Norris, Preliminary comment on the M.I.T. public-key cryptosystem, Cryptologia, Vol. 1 (1977) pp. 406–414.Google Scholar
  30. 30.
    H. C. Williams, A p + 1 method of factoring, Math. of Comp., Vol. 39, No. 159, July (1982) pp. 225–234.Google Scholar
  31. 31.
    H. C. Williams and B. Schmid, Some remarks concerning the M.I.T. public-key cryptosystem, BIT, Vol. 19 (1979) pp. 525–538.Google Scholar

Copyright information

© Kluwer Academic Publishers 2001

Authors and Affiliations

  • Marc Joye
    • 1
  • Jean-Jacques Quisquater
    • 2
  • Tsuyoshi Takagi
    • 3
  1. 1.Laboratory of Cryptography and Information Security, Dept of Electrical EngineeringTamkang University, TamsuiTaipei HsienTaiwan, R.O.C.
  2. 2.UCL Crypto Group & Laboratoire de Microélectronique, Dép. d'ÉlectricitéUniversité de LouvainLouvain-la-NeuveBelgium
  3. 3.NTT Software LaboratoriesTokyoJapan

Personalised recommendations