Abstract
Many cryptographic protocols and cryptosystems have been proposed to make use of prime order subgroups of Z_n^* where n is the product of two large distinct primes. In this paper we analyze a number of such schemes. While these schemes were proposed to utilize the difficulty of factoring large integers or that of finding related hidden information (e.g., the order of the group Z_n^*), our analyses reveal much easier problems as their real security bases. We itemize three classes of security failures and formulate a simple algorithm for factoring n with a disclosed non-trivial factor of φ(n), where the disclosure is for making use of a prime order subgroup in Z_n^*. The time complexity of our algorithm is O((n/f)^{1/4}) where f is a disclosed subgroup order. To factor such n of length up to 800 bits with the subgroup having a secure size against computing discrete logarithms, the new algorithm will have a feasible running time using a trivial amount of storage.
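As an added illustration, not code from the paper (whose O((n/f)^{1/4}) algorithm is not given on this page), the following Python shows at toy sizes why a disclosed prime subgroup order f with f | p-1 reduces the work of recovering p from n = pq: the search runs over the cofactor k = (p-1)/f rather than over p itself. The moduli, the helper names, the base set and the value f = 101 are all constructed for this example.

```python
# Added illustration (not the paper's algorithm): with a prime subgroup order f
# disclosed such that f | p-1, a factor of n = p*q can be found by searching the
# cofactor k = (p-1)/f.  All sizes are toy; real parameters are hundreds of bits.
import math


def is_prime(m):
    """Trial division; adequate for the toy sizes constructed below."""
    if m < 2:
        return False
    return all(m % d for d in range(2, math.isqrt(m) + 1))


def make_toy_modulus(f, k_min=50):
    """Construct n = p*q with p = 1 + f*k prime, so Z_n^* has a subgroup of
    prime order f, and q prime with f not dividing q-1.  Constructed values,
    not parameters from any published scheme."""
    k = k_min
    while not is_prime(1 + f * k):
        k += 1
    p = 1 + f * k
    q = p + 2
    while not (is_prime(q) and (q - 1) % f != 0):
        q += 2
    return p, q, k


def factor_with_disclosed_order(n, f, bases=(2, 3, 5, 7)):
    """Given n and a disclosed prime f with f | p-1 for some prime p | n,
    return (factor, steps) or None.

    For h = g^f mod n and p-1 = f*k, Fermat gives h^k = g^(p-1) = 1 (mod p),
    so gcd(h^k - 1, n) is a multiple of p.  Walking k = 1, 2, ... therefore
    costs at most (p-1)/f modular multiplications instead of a search over p.
    """
    for g in bases:
        h = pow(g, f, n)
        if h == 1:                       # g^f = 1 mod n gives no information; try another base
            continue
        x = 1
        for k in range(1, n // f + 1):   # k can never exceed (n-1)/f
            x = x * h % n                # x = h^k mod n
            d = math.gcd(x - 1, n)
            if d == n:                   # collided mod p and mod q at once; retry with new base
                break
            if d > 1:
                return d, k              # d is p (or q, if ord_q(h) | k came first)
    return None


def demo(f=101):
    """Build a toy modulus, then recover a factor using only n and f."""
    p, q, k = make_toy_modulus(f)
    n = p * q
    found = factor_with_disclosed_order(n, f)
    return {"p": p, "q": q, "n": n, "k": k, "found": found}


if __name__ == "__main__":
    print(demo())
```

With f = 101 the constructed p is 5051 = 1 + 101·50, so the cofactor walk needs at most 50 steps, whereas nothing about n alone bounds p that tightly. The tension the abstract describes is visible here: f must be large enough that discrete logarithms in the order-f subgroup are infeasible, yet every bit of f disclosed is a bit removed from the unknown cofactor of p-1; the paper's algorithm sharpens this linear search to O((n/f)^{1/4}).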
© 1998 Springer-Verlag Berlin Heidelberg
Cite this paper
Mao, W., Lim, C.H. (1998). Cryptanalysis in Prime Order Subgroups of Z *n . In: Ohta, K., Pei, D. (eds) Advances in Cryptology — ASIACRYPT’98. ASIACRYPT 1998. Lecture Notes in Computer Science, vol 1514. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-49649-1_18
DOI: https://doi.org/10.1007/3-540-49649-1_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-65109-3
Online ISBN: 978-3-540-49649-6