On the security of the KMOV public key cryptosystem

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1294)


This paper analyzes the KMOV public key cryptosystem, which is an elliptic curve based analogue to RSA. It was believed that this cryptosystem is more secure against attacks that do not require factoring, such as the Håstad attack in broadcast applications. Some new attacks on KMOV are presented in this paper that show the converse. In particular, it is shown that some attacks on RSA which work only when a small public exponent e is used can be extended to KMOV, but with no restriction on e. The implications of these attacks for related cryptosystems are also discussed.


Keywords: Elliptic Curve, Chinese Remainder Theorem, Linear Polynomial, Modular Equation
These keywords were added by machine and not by the authors.



Copyright information

© Springer-Verlag 1997

Authors and Affiliations

  1. Bell Laboratories, Murray Hill
