Abstract
Recently, and contrary to the common belief, Rivest and Silverman argued that the use of strong primes is unnecessary in the RSA cryptosystem. This paper analyzes how valid this assertion is for RSA-type cryptosystems over elliptic curves. The analysis is more difficult because the underlying groups are not always cyclic. Previous papers suggested the use of strong primes in order to prevent factoring attacks and cycling attacks. In this paper, we only focus on cycling attacks because for both RSA and its elliptic curve-based analogues, the length of the RSA-modulus n is typically the same. Therefore, a factoring attack will succeed with equal probability against all RSA-type cryptosystems. We also prove that cycling attacks reduce to find fixed points, and derive a factorization algorithm which (most probably) completely breaks RSA-type systems over elliptic curves if a fixed point is found.
Similar content being viewed by others
References
S. Berkovits, Factoring via superencryption, Cryptologia, Vol. 6, No. 3 (1982) pp. 229–237.
B. Blakley and G. R. Blakley, Security of number theoretic cryptosystems against random attack, I, II, III, Cryptologia, Vol. 2, No. 4 (1978) pp. 305–312; Vol. 3, No. 1 (1979) pp. 29–42; Vol. 3, No. 2 (1979) pp. 105–118.
G. R. Blakey and I. Borosh, Rivest-Shamir-Adleman public key cryptosystems do not always conceal messages, Comp. & Maths. with Appls., Vol. 5 (1979) pp. 169–178.
N. Demytko, A new elliptic curve based analogue of RSA. In Advances in Cryptology—EUROCRYPT' 93 (T. Helleseth, ed.), volume 765 of Lecture Notes in Computer Science, Springer-Verlag (1994) pp. 40–49.
J. Gordon, Strong RSA keys, Electronics Letters, Vol. 20, No. 12 (1984) pp. 514–516.
J. A. Gordon, Strong primes are easy to find. In Advances in Cryptology—EUROCRYPT' 84 (T. Beth, N. Coth, I. Ingermarsson, eds.), volume 209 of Lecture Notes in Computer Science, Springer-Verlag (1985) pp. 216–223.
T. Herlestam, Critical remarks on some public-key cryptosystems, BIT, Vol. 17 (1978) pp. 493–496.
International Organization for Standardization, The RSA public-key cryptosystem, Annex C of ISO/IEC 9594-8, Geneva (Switzerland), 1989.
N. Koblitz, Elliptic curve cryptosystems, Math. of Comp., Vol. 48, No. 177 (1987) pp. 203–209.
K. Koyama, U. M. Maurer, T. Okamoto and S. A. Vanstone, New public-key schemes based on elliptic curves over the ring Zn. In Advances in Cryptology—CRYPTO' 91 (J. Feigenbaum, ed.), volume 576 of Lecture Notes in Computer Science, Springer-Verlag (1992) pp. 252–266.
D. E. Knuth and L. Trabb-Pardo, Analysis of a simple factorization algorithm, Theoretical Computer Sc., Vol. 3 (1976) pp. 321–348.
H. Kuwakado and K. Koyama, Efficient cryptosystems over elliptic curves based on a product of form-free primes, IEICE Trans. Fundamentals, Vol. E77-A, No. 8 (1994) pp. 1309–1318.
H. W. Lenstra, Jr., Factoring integers with elliptic curves, Annals of Mathematics, Vol. 126 (1987) pp. 649–673.
The LiDIA Group, LiDIA—A library for computational number theory. Available at URL http://www. informatik.tu-darmadt.de/TI/LiDIA, Technische Universität Darmstadt, Germany.
U. M. Maurer, Fast generation of secure RSA-moduli with almost maximal diversity. In Advances in Cryptology—EUROCRYPT' 89 (J.-J. Quisquater, J. Vandewalle, eds.), volume 434 of Lecture Notes in Computer Science, Springer-Verlag (1990) pp. 636–647.
U. M. Maurer, Fast generation of prime numbers and secure public-key cryptographic parameters, Journal of Cryptology, Vol. 8, No. 3 (1995) pp. 123–155. An earlier version appeared in [15].
A. J. Menezes, Elliptic curve public key cryptosystems, Kluwer Academic Publishers (1993).
A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of applied cryptography, CRC Press (1997).
V. Miller, Use of elliptic curves in cryptography. In Advances in Cryptology—CRYPTO' 85 (H. C. Williams, ed.), volume 218 of Lecture Notes in Computer Science, Springer-Verlag (1986) pp. 417–426.
J. H. Moore, Protocol failures in cryptosystems. In Contemporary Cryptology (G. Simmons, ed.), IEEE Press (1992) pp. 541–558.
R. G. E. Pinch, On using Carmichael numbers for public-key encryption systems. In Cryptography and Coding (M. Darneel, ed.), volume 1355 of Lecture Notes in Computer Science, Springer-Verlag (1997) pp. 265–269.
H. Riesel, Prime Numbers and Computer Methods for Factorization, 2nd ed., Birkh¨auser, 1994.
R. L. Rivest, Remarks on a proposed cryptanalytic attack on the M.I.T. public-key cryptosystem, Cryptologia, Vol. 2, No. 1 (1978) pp. 62–65.
R. L. Rivest, Critical remarks on “Critical remarks on some public-key cryptosysterns” by T. Herlestam, BIT, Vol. 19 (1979) pp. 274–275.
R. L. Rivest and R. D. Silverman, Are 'strong' primes needed for RSA. In The 1997 RSA Laboratories Seminar Series, Seminars Proceedings, 1997.
R. L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, Vol. 21, No. 2, February (1978) pp. 120–126.
J. H. Silverman, The Arithmetic of Elliptic Curves, GTM 106, Springer-Verlag (1986).
R. D. Silverman, Fast generation of random, strong RSA primes, CryptoBytes, Vol. 3, No. 1 (1997) pp. 9–13.
G. J. Simmons and M. J. Norris, Preliminary comment on the M.I.T. public-key cryptosystem, Cryptologia, Vol. 1 (1977) pp. 406–414.
H. C. Williams, A p + 1 method of factoring, Math. of Comp., Vol. 39, No. 159, July (1982) pp. 225–234.
H. C. Williams and B. Schmid, Some remarks concerning the M.I.T. public-key cryptosystem, BIT, Vol. 19 (1979) pp. 525–538.
Author information
Authors and Affiliations
Rights and permissions
About this article
Cite this article
Joye, M., Quisquater, JJ. & Takagi, T. How to Choose Secret Parameters for RSA-Type Cryptosystems over Elliptic Curves. Designs, Codes and Cryptography 23, 297–316 (2001). https://doi.org/10.1023/A:1011219027181
Issue Date:
DOI: https://doi.org/10.1023/A:1011219027181