Feng Bao

Public Key Cryptography – PKC 2004

We present an extension of Wiener’s attack on small RSA secret decryption exponents [10]. Wiener showed that every RSA public key tuple (N, e) with e ∈ Zφ(N) that satisfies ed − 1 = 0 mod φ(N) for some d < 1 3 N 1 4 yields the factorization of N = pq. Our new method finds p and q in polynomial time for every (N, e) satisfying ex + y = 0 mod φ(N) with

A Signcryption Scheme with Signature Directly Verifiable by Public Key

Signcryption, first proposed by Zheng [4, 5], is a cryptographic primitive which combines both the functions of digital signature and public key encryption in a logical single step, and with a computational cost siginficantly lower than that needed by the traditional signature-then-encryption approach. In Zhengs scheme, the signature verification can be done either by the recipient directly (using his private key) or by engaging a zero-knowledge interative protocol with a third party, without disclosing recipients private key. In this note, we modify Zhengs scheme so that the recipients private key is no longer needed in signature verification. The computational cost of the modified scheme is higher than that of Zhengs scheme but lower than that of the signature-then-encryption approach.

Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults

In this paper we present a method of attacking public-key cryptosystems (PKCs) on tamper resistant devices. The attack makes use of transient faults and seems applicable to many types of PKCs. In particular, we show how to attack the RSA, the EIGamal signature scheme, the Schnorr signature scheme, and the DSA. We also present some possible methods to counter the attack.

Reliable broadcasting in product networks

Abstract We investigate the reliability of broadcasting in product networks containing faulty nodes and/or links. Faults considered in this paper are mainly of the Byzantine type, i.e., a faulty node or a faulty link may not only stop sending a message but also arbitrarily change a message passing through the faulty place or even fabricate a false message. We assume that no nodes have a priori information about faults in a network. Hence, the key problem of reliable broadcasting in our model is how to control the message transmission so that any corrupted message cannot affect the result of the broadcasting too much. We propose the concept of an n-channel graph which has n-independent spanning trees rooted at each node. The fault tolerance can be achieved by sending n copies of the message along the n-independent spanning trees rooted at the source node. In this paper we show how to construct n-independent spanning trees of a product network from spanning trees of n-component graphs. Furthermore, we can design an efficient and reliable broadcasting scheme based on independent spanning trees for a product network from simple broadcasting schemes for component networks. The degrees of fault tolerance against crash faults and Byzantine faults of nodes and/or links are, respectively, n − 1 and ⌊(n − 1)/2⌋ in the worst case. We can successfully broadcast with a probability higher than 1 − k −⌈ n 2 ⌉ in any product network of order N consisting of n-component graphs of order b or less, if at most N/4b3nk faulty nodes are randomly distributed in the network. We can also successfully broadcast with a probability higher than 1 − k −⌈ n 2 ⌉ in any product network of size L, of n component graphs of size b or less, if at most L l2b 2 k faulty links are randomly distributed in the network.

Reliable broadcasting and secure distributing in channel networks

Let T/sub 1/, /spl middot//spl middot//spl middot/, T/sub n/ be n spanning trees rooted at node r of graph G. If for any node /spl nu/ of G, among the n paths from r to /spl nu/, each path in each spanning tree of T/sub 1/, /spl middot//spl middot//spl middot/, T/sub n/, there are k (k/spl les/n) internally disjoint paths, then T/sub 1/, /spl middot//spl middot//spl middot/, T/sub n/, are said to be (k, n)-independent spanning trees rooted at r. A graph is called an (k, n)-channel graph if G has (k, n)-independent spanning trees rooted at each node of G. We study two fault-tolerant communication tasks in (k, n)-channel graphs. The first task is reliable broadcasting. We analyze the relation between the reliability and the efficiency of broadcasting. The second task is secure message distributing. It is required that each message should be received by its destination node and that we should keep the message secret from the nodes called adversaries. We give two message distribution schemes. The first scheme uses secret sharing, and it can tolerate t+k-n listening adversaries for any t<n if G is an (k, n)-channel graph. The second one uses unverifiable secret sharing, and it can tolerate t+k-n disrupting adversaries for any t<n/3 if G is an (k, n)-channel graph.

RSA-type Signatures in the Presence of Transient Faults

In this paper, we show that the presence of transient faults can leak some secret information. We prove that only one faulty RSA-signature is needed to recover one bit of the secret key. Thereafter, we extend this result to Lucas-based and elliptic curve systems.

Broadcasting in Hypercubes with Randomly Distributed Byzantine Faults

We study all-to-all broadcasting in hypercubes with randomly distributed Byzantine faults. We construct an efficient broadcasting scheme BC1-n-cube running on the n-dimensional hypercube (n-cube for short) in 2n rounds, where for communication by each node of the n-cube, only one of its links is used in each round. The scheme BC1-n-cube can tolerate ⌊(n −1)/2⌋ Byzantine node and/or link faults in the worst case. If there are at most f Byzantine faulty nodes randomly distributed in the n-cube, BC1-n-cube succeeds with a probability higher than 1-(64nf/2 n )⌈n/2⌉. In other words, if 1/(64nk) of all the nodes (i.e., 2n/(64nk) nodes) fail in Byzantine manner randomly in the n-cube, then the scheme succeeds with a probability higher than 1 −k−⌈ n/2 ⌉. We also consider the case where all nodes are faultless but links may fail randomly in the n-cube. Scheme BC1-n-cube succeeds with a probability higher than 1 −k−⌈ n/2 ⌉ provided that not more than l/(64(n + 1)k) of all the links in the n-cube fail in Byzantine manner randomly. For the case where only links may fail, we give another broadcasting scheme BC2-n-cube which runs in 2n2 rounds. Broadcasting by BC2-n-cube is successful with a high probability if the number of Byzantine faulty links randomly distributed in the n-cube is not more than a constant fraction of the total number of links. That is, it succeeds with a probability higher than 1−n·k−⌈ n/2 ⌉ if l/(48k) of all the links in the n-cube fail in Byzantine manner randomly.

Break Finite Automata Public Key Cryptosystem

In this paper we break a 10-years standing public key cryptosystem, Finite Automata Public Key Cryptosystem(FAPKC for short). The security of FAPKC was mainly based on the difficulty of finding a special common left factor of two given matrix polynomials. We prove a simple but previously unknown property of the input-memory finite automata. By this property, we reduce the basis of the FAPKCs security to the same problem in module matrix polynomial rings. The problem turns out to be easily solved. Hence, we can break FAPKC by constructing decryption automata from the encryption automaton (public key). We describe a modification of FAPKC which can resist above attack.

Independent Spanning Trees of Product Graphs

A graph G is called an n-channel graph at vertex r if there are n independent spanning trees rooted at r. A graph G is called an n-channel graph if for every vertex u, G is an n-channel graph at u. Independent spanning trees of a graph play an important role in faulttolerant broadcasting in the graph. In this paper we show that if G1 is an n1-channel graph and G2 is an n2-channel graph, then G1×G2 is an (n1+n2)-channel graph. We prove this fact by a construction of n1+n2 independent spanning trees of G1 × G2 from n1 independent spanning trees of G1 and n2 independent spanning trees of G2.

Optimal Time Broadcasting in Faulty Star Networks

This paper investigates fault-tolerant broadcasting in star networks. We propose a non-adaptive single-port broadcasting scheme in the n-star network such that it tolerates n — 2 faults in the worst case and completes the broadcasting in O(n log n) time. The existence of such a broadcasting scheme was not known before. A new technique, called diffusing- and -disseminating, is introduced to design our broadcasting scheme. This technique is useful to improve the efficiency of broadcasting in star networks. We analyze the reliability of the broadcasting scheme in the case where faults are randomly distributed in the n-star network. The broadcasting scheme in the n-star network can tolerate (n!)* random faults with a high probability, where α is any constant less than 1.