# How to Choose Secret Parameters for RSA-Type Cryptosystems over Elliptic Curves

## Abstract

Recently, and contrary to the common belief, Rivest and Silverman argued that the use of strong primes is unnecessary in the RSA cryptosystem. This paper analyzes how valid this assertion is for RSA-type cryptosystems over elliptic curves. The analysis is more difficult because the underlying groups are not always cyclic. Previous papers suggested the use of strong primes in order to prevent factoring attacks and cycling attacks. In this paper, we only focus on cycling attacks because for both RSA and its elliptic curve-based analogues, the length of the RSA-modulus *n* is typically the same. Therefore, a factoring attack will succeed with equal probability against all RSA-type cryptosystems. We also prove that cycling attacks reduce to find fixed points, and derive a factorization algorithm which (most probably) completely breaks RSA-type systems over elliptic curves if a fixed point is found.

## Preview

Unable to display preview. Download preview PDF.

## References

- 1.S. Berkovits, Factoring via superencryption,
*Cryptologia*, Vol. 6, No. 3 (1982) pp. 229–237.Google Scholar - 2.B. Blakley and G. R. Blakley, Security of number theoretic cryptosystems against random attack, I, II, III,
*Cryptologia*, Vol. 2, No. 4 (1978) pp. 305–312; Vol. 3, No. 1 (1979) pp. 29–42; Vol. 3, No. 2 (1979) pp. 105–118.Google Scholar - 3.G. R. Blakey and I. Borosh, Rivest-Shamir-Adleman public key cryptosystems do not always conceal messages,
*Comp. & Maths. with Appls.*, Vol. 5 (1979) pp. 169–178.Google Scholar - 4.N. Demytko, A new elliptic curve based analogue of RSA. In Advances in Cryptology—EUROCRYPT' 93 (T. Helleseth, ed.), volume 765 of Lecture Notes in Computer Science, Springer-Verlag (1994) pp. 40–49.Google Scholar
- 5.J. Gordon, Strong RSA keys,
*Electronics Letters*, Vol. 20, No. 12 (1984) pp. 514–516.Google Scholar - 6.J. A. Gordon, Strong primes are easy to find. In Advances in Cryptology—EUROCRYPT' 84 (T. Beth, N. Coth, I. Ingermarsson, eds.), volume 209 of Lecture Notes in Computer Science, Springer-Verlag (1985) pp. 216–223.Google Scholar
- 7.T. Herlestam, Critical remarks on some public-key cryptosystems,
*BIT*, Vol. 17 (1978) pp. 493–496.Google Scholar - 8.International Organization for Standardization, The RSA public-key cryptosystem, Annex C of
*ISO/IEC 9594-8,*Geneva (Switzerland), 1989.Google Scholar - 9.N. Koblitz, Elliptic curve cryptosystems,
*Math. of Comp.*, Vol. 48, No. 177 (1987) pp. 203–209.Google Scholar - 10.K. Koyama, U. M. Maurer, T. Okamoto and S. A. Vanstone, New public-key schemes based on elliptic curves over the ring Z
*n*. In Advances in Cryptology—CRYPTO' 91 (J. Feigenbaum, ed.), volume 576 of Lecture Notes in Computer Science, Springer-Verlag (1992) pp. 252–266.Google Scholar - 11.D. E. Knuth and L. Trabb-Pardo, Analysis of a simple factorization algorithm,
*Theoretical Computer Sc.*, Vol. 3 (1976) pp. 321–348.Google Scholar - 12.H. Kuwakado and K. Koyama, Efficient cryptosystems over elliptic curves based on a product of form-free primes,
*IEICE Trans. Fundamentals*, Vol. E77-A, No. 8 (1994) pp. 1309–1318.Google Scholar - 13.H. W. Lenstra, Jr., Factoring integers with elliptic curves,
*Annals of Mathematics*, Vol. 126 (1987) pp. 649–673.Google Scholar - 14.The LiDIA Group, LiDIA—A library for computational number theory. Available at URL http://www. informatik.tu-darmadt.de/TI/LiDIA, Technische Universität Darmstadt, Germany.Google Scholar
- 15.U. M. Maurer, Fast generation of secure RSA-moduli with almost maximal diversity. In Advances in Cryptology—EUROCRYPT' 89 (J.-J. Quisquater, J. Vandewalle, eds.), volume 434 of Lecture Notes in Computer Science, Springer-Verlag (1990) pp. 636–647.Google Scholar
- 16.U. M. Maurer, Fast generation of prime numbers and secure public-key cryptographic parameters,
*Journal of Cryptology*, Vol. 8, No. 3 (1995) pp. 123–155. An earlier version appeared in [15].Google Scholar - 17.A. J. Menezes,
*Elliptic curve public key cryptosystems*, Kluwer Academic Publishers (1993).Google Scholar - 18.A. J. Menezes, P. C. van Oorschot and S. A. Vanstone,
*Handbook of applied cryptography*, CRC Press (1997).Google Scholar - 19.V. Miller, Use of elliptic curves in cryptography. In Advances in Cryptology—CRYPTO' 85 (H. C. Williams, ed.), volume 218 of Lecture Notes in Computer Science, Springer-Verlag (1986) pp. 417–426.Google Scholar
- 20.J. H. Moore, Protocol failures in cryptosystems. In Contemporary Cryptology (G. Simmons, ed.), IEEE Press (1992) pp. 541–558.Google Scholar
- 21.R. G. E. Pinch, On using Carmichael numbers for public-key encryption systems. In Cryptography and Coding (M. Darneel, ed.), volume 1355 of Lecture Notes in Computer Science, Springer-Verlag (1997) pp. 265–269.Google Scholar
- 22.H. Riesel,
*Prime Numbers and Computer Methods for Factorization*, 2nd ed., Birkh¨auser, 1994.Google Scholar - 23.R. L. Rivest, Remarks on a proposed cryptanalytic attack on the M.I.T. public-key cryptosystem,
*Cryptologia*, Vol. 2, No. 1 (1978) pp. 62–65.Google Scholar - 24.R. L. Rivest, Critical remarks on “Critical remarks on some public-key cryptosysterns” by T. Herlestam,
*BIT*, Vol. 19 (1979) pp. 274–275.Google Scholar - 25.R. L. Rivest and R. D. Silverman, Are 'strong' primes needed for RSA. In
*The 1997 RSA Laboratories Seminar Series*, Seminars Proceedings, 1997.Google Scholar - 26.R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems,
*Communications of the ACM*, Vol. 21, No. 2, February (1978) pp. 120–126.Google Scholar - 27.J. H. Silverman,
*The Arithmetic of Elliptic Curves*, GTM 106, Springer-Verlag (1986).Google Scholar - 28.R. D. Silverman, Fast generation of random, strong RSA primes,
*CryptoBytes*, Vol. 3, No. 1 (1997) pp. 9–13.Google Scholar - 29.G. J. Simmons and M. J. Norris, Preliminary comment on the M.I.T. public-key cryptosystem,
*Cryptologia*, Vol. 1 (1977) pp. 406–414.Google Scholar - 30.H. C. Williams, A
*p*+ 1 method of factoring,*Math. of Comp.*, Vol. 39, No. 159, July (1982) pp. 225–234.Google Scholar - 31.H. C. Williams and B. Schmid, Some remarks concerning the M.I.T. public-key cryptosystem,
*BIT*, Vol. 19 (1979) pp. 525–538.Google Scholar