More on Correcting Errors in RSA Private Keys: Breaking CRT-RSA with Low Weight Decryption Exponents

Several schemes have been proposed towards the fast encryption and decryption in RSA and its variants. One popular idea is to use integers having low Hamming weight in the preparation of the decryption exponents. This is to reduce the multiplication effort in the square and multiply method in the exponentiation routine, both in encryption and decryption. In this paper we show that such schemes are insecure in CRT-RSA when the encryption exponent is small (e.g., $e = 2^{16}+1$). In particular, we show that the CRT-RSA schemes presented in SAC 1996 and ACISP 2005 with low weight decryption exponents can be broken in a few minutes in certain cases. Further, the scheme of CT-RSA 2010, where the decryption exponents are not of low weight but they have large low weight factors, can also be cryptanalysed. To mount the attack, we exploit the heuristic proposed by Henecka et al (Crypto 2010) that is capable of correcting errors in the secret parameters when the encryption exponent is small. In the process, we identify a few modifications of the error correction strategy that provides significantly improved experimental outcome and also beats the theoretical bounds given in the work of Henecka et al

On the security of digital signature schemes based on error-correcting codes

We discuss the security of digital signature schemes based on error-correcting codes. Several attacks to the Xinmei scheme are surveyed, and some reasons given to explain why the Xinmei scheme failed, such as the linearity of the signature and the redundancy of public keys. Another weakness is found in the Alabbadi-Wicker scheme, which results in a universal forgery attack against it. This attack shows that the Alabbadi-Wicker scheme fails to implement the necessary property of a digital signature scheme: it is infeasible to find a false signature algorithm D from the public verification algorithm E such that E(D*(m)) = m for all messages m. Further analysis shows that this new weakness also applies to the Xinmei scheme

Using LDGM Codes and Sparse Syndromes to Achieve Digital Signatures

In this paper, we address the problem of achieving efficient code-based digital signatures with small public keys. The solution we propose exploits sparse syndromes and randomly designed low-density generator matrix codes. Based on our evaluations, the proposed scheme is able to outperform existing solutions, permitting to achieve considerable security levels with very small public keys.Comment: 16 pages. The final publication is available at springerlink.co

Improving the efficiency of the LDPC code-based McEliece cryptosystem through irregular codes

We consider the framework of the McEliece cryptosystem based on LDPC codes, which is a promising post-quantum alternative to classical public key cryptosystems. The use of LDPC codes in this context allows to achieve good security levels with very compact keys, which is an important advantage over the classical McEliece cryptosystem based on Goppa codes. However, only regular LDPC codes have been considered up to now, while some further improvement can be achieved by using irregular LDPC codes, which are known to achieve better error correction performance than regular LDPC codes. This is shown in this paper, for the first time at our knowledge. The possible use of irregular transformation matrices is also investigated, which further increases the efficiency of the system, especially in regard to the public key size.Comment: 6 pages, 3 figures, presented at ISCC 201