{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2022,5,5]],"date-time":"2022-05-05T07:41:11Z","timestamp":1651736471136},"reference-count":54,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2015,4,17]],"date-time":"2015-04-17T00:00:00Z","timestamp":1429228800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptol"],"published-print":{"date-parts":[[2016,7]]},"DOI":"10.1007\/s00145-015-9205-5","type":"journal-article","created":{"date-parts":[[2015,4,16]],"date-time":"2015-04-16T19:53:19Z","timestamp":1429213999000},"page":"632-656","update-policy":"http:\/\/dx.doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Practical Cryptanalysis of ISO 9796-2 and EMV Signatures"],"prefix":"10.1007","volume":"29","author":[{"given":"Jean-S\u00e9bastien","family":"Coron","sequence":"first","affiliation":[]},{"given":"David","family":"Naccache","sequence":"additional","affiliation":[]},{"given":"Mehdi","family":"Tibouchi","sequence":"additional","affiliation":[]},{"given":"Ralf-Philipp","family":"Weinmann","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2015,4,17]]},"reference":[{"issue":"216","key":"9205_CR1","doi-asserted-by":"publisher","first-page":"1701","DOI":"10.1090\/S0025-5718-96-00775-2","volume":"65","author":"E Bach","year":"1996","unstructured":"E. Bach and R. Peralta, Asymptotic semismoothness probabilities, Mathematics of Computation, vol. 65, number 216, 1996, pp. 1701\u20131715.","journal-title":"Math. Comput."},{"key":"9205_CR2","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, Proceedings of ccs 1993, acm, 1993, pp. 62\u201373","DOI":"10.1145\/168588.168596"},{"key":"9205_CR3","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, Optimal asymmetric encryption: how to encrypt with RSA, Proceedings of Eurocrypt 1994, lncs, vol. 950 (Springer, Berlin, 1995), pp. 92\u2013111","DOI":"10.1007\/BFb0053428"},{"key":"9205_CR4","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, The exact security of digital signatures: how to sign with RSA and Rabin, Proceedings of Eurocrypt 1996, lncs, vol. 1070 (Springer, Berlin, 1996), pp. 399\u2013416","DOI":"10.1007\/3-540-68339-9_34"},{"key":"9205_CR5","unstructured":"D.J. Bernstein, T. Lange (eds.), e bacs: ecrypt Benchmarking of cryptographic systems, bench.cr.yp.to"},{"key":"9205_CR6","unstructured":"D.J. Bernstein, Fast Multiplications and its applications, Algorithmic Number Theory, vol. 44 (2008)"},{"key":"9205_CR7","unstructured":"D.J. Bernstein, How to find smooth parts of integers, 2004\/05\/10, cr.yp.to\/papers.html#smoothparts"},{"key":"9205_CR8","doi-asserted-by":"crossref","unstructured":"D.J. Bernstein, Proving tight security for Rabin-Williams signatures. Proceedings of Eurocrypt 2008, lncs, vol. 4665 (Springer, Berlin, 2008), pp. 70\u201387","DOI":"10.1007\/978-3-540-78967-3_5"},{"key":"9205_CR9","unstructured":"D.J. Bernstein, Scaled remainder trees, 2004\/08\/20, cr.yp.to\/papers.html#scaledmod"},{"key":"9205_CR10","doi-asserted-by":"crossref","unstructured":"D.J. Bernstein, T. Lange, C. Peters, Attacking and defending the McEliece cryptosystem, Proceedings of Post-Quantum Cryptography 2008, lncs, vol. 5299 (Springer, Berlin, 2008), pp. 31\u201346","DOI":"10.1007\/978-3-540-88403-3_3"},{"key":"9205_CR11","doi-asserted-by":"crossref","unstructured":"D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard, Proceedings of Crypto 1998, lncs, vol. 1462 (Springer, Berlin, 1998), pp. 1\u201312","DOI":"10.1007\/BFb0055716"},{"key":"9205_CR12","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/0022-314X(83)90002-1","volume":"17","author":"ER Canfield","year":"1983","unstructured":"E.R. Canfield, P. Erd\u0151s and C. Pomerance, On a Problem of Oppenheim concerning \u2019Factorisation Numerorum\u2019, Journal of Number Theory, vol. 17, 1983, pp. 1\u201328.","journal-title":"J. Number Theory"},{"issue":"205","key":"9205_CR13","first-page":"333","volume":"62","author":"D Coppersmith","year":"1994","unstructured":"D. Coppersmith, Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm, Mathematics of Computation, vol. 62, number 205, 1994, pp. 333\u2013350.","journal-title":"Math. Comput."},{"key":"9205_CR14","doi-asserted-by":"publisher","first-page":"27","DOI":"10.1007\/s00145-007-9007-5","volume":"21","author":"D Coppersmith","year":"2008","unstructured":"D. Coppersmith, J.-S. Coron, F. Grieu, S. Halevi, C.S. Jutla, D. Naccache and J.P. Stern, Cryptanalysis of ISO 9796\u20131, Journal of Cryptology, vol. 21, 2008, pp. 27\u201351.","journal-title":"J. Cryptol."},{"key":"9205_CR15","unstructured":"D. Coppersmith, S. Halevi, C. Jutla, iso 9796-1 and the new, forgery strategy, Research contribution to P.1363, 1999, grouper.ieee.org\/groups\/1363\/Research"},{"key":"9205_CR16","doi-asserted-by":"crossref","unstructured":"J.-S. Coron, Security proofs for partial domain hash signature schemes, Proceedings of Crypto 2002, lncs, vol. 2442 (Springer, Berlin, 2002), pp. 613\u2013626","DOI":"10.1007\/3-540-45708-9_39"},{"issue":"1","key":"9205_CR17","doi-asserted-by":"publisher","first-page":"41","DOI":"10.1007\/s10623-004-5660-y","volume":"38","author":"J-S Coron","year":"2006","unstructured":"J.-S. Coron, Y. Desmedt, D. Naccache, A. Odlyzko and J.P. Stern, Index calculation attacks on RSA signature and encryption Designs, Codes and Cryptography, vol. 38, number 1, 2006, pp. 41\u201353.","journal-title":"Des. Codes Cryptogr."},{"key":"9205_CR18","doi-asserted-by":"crossref","unstructured":"J.-S. Coron, D. Naccache, M. Joye, P. Paillier, New attacks on pkcs #1 v1.5 encryption, Proceedings of Eurocrypt 2000, lncs, vol. 1807 (Springer, Berlin, 2000), pp. 369\u2013381","DOI":"10.1007\/3-540-45539-6_25"},{"key":"9205_CR19","doi-asserted-by":"crossref","unstructured":"J.-S. Coron, D. Naccache, J.P. Stern, On the security of RSA padding, Proceedings of Crypto 1999, lncs, vol. 1666 (Springer, Berlin, 1999), pp. 1\u201318","DOI":"10.1007\/3-540-48405-1_1"},{"issue":"243","key":"9205_CR20","doi-asserted-by":"publisher","first-page":"1555","DOI":"10.1090\/S0025-5718-02-01479-5","volume":"72","author":"RE Crandall","year":"2003","unstructured":"R.E. Crandall, E.W. Mayer and J.S. Papadopoulos, The twenty-fourth Fermat number is composite, Mathematics of Computation, volume 72, number 243, July 2003, pp. 1555\u20131572.","journal-title":"Math. Comput."},{"key":"9205_CR21","doi-asserted-by":"crossref","unstructured":"Y. Desmedt, A. Odlyzko, A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, Proceedings of Crypto 1985, lncs, vol. 218 (Springer, Berlin, 1986), pp. 516\u2013522","DOI":"10.1007\/3-540-39799-X_40"},{"issue":"10","key":"9205_CR22","first-page":"1","volume":"22A","author":"K Dickman","year":"1930","unstructured":"K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude, Arkiv f\u00f6r matematik, astronomi och fysik, vol. 22A, no. 10, 1930, pp. 1\u201314.","journal-title":"Arkiv f\u00f6r matematik, astronomi och fysik"},{"key":"9205_CR23","unstructured":"EMV, Integrated Circuit Card Specifications for Payment Systems, Book 2. Security and Key Management. Version 4.2. June 2008. www.emvco.com"},{"key":"9205_CR24","doi-asserted-by":"crossref","unstructured":"P. Gaudry, A. Kruppa, P. Zimmermann, A gmp-based implementation of Sch\u0151nhage-Strassen\u2019s large integer multiplication algorithm, in Proceedings of issac 2007, Waterloo, Ontario, Canada, acm Press, 2007, pp. 167\u2013174","DOI":"10.1145\/1277548.1277572"},{"key":"9205_CR25","doi-asserted-by":"crossref","unstructured":"F. Grieu, A chosen messages attack on the iso\/iec 9796-1 signature scheme, Proceedings of Eurocrypt 2000, lncs, vol. 1807 (Springer, Berlin, 2000), pp. 70\u201380","DOI":"10.1007\/3-540-45539-6_5"},{"key":"9205_CR26","unstructured":"W.B. Hart et al., Multiple Precision Integers and Rationals. www.mpir.org"},{"key":"9205_CR27","unstructured":"W.B. Hart, D. Harvey et al., Fast Library for Number Theory. www.flintlib.org"},{"key":"9205_CR28","unstructured":"iso\/iec 9796, Information technology\u2014Security techniques\u2014Digital signature scheme giving message recovery, Part 1: Mechanisms using redundancy (1999)"},{"key":"9205_CR29","unstructured":"ISO 9796-2, Information technology\u2014Security techniques\u2014Digital signature scheme giving message recovery, Part 2: Mechanisms using a hash-function (1997)"},{"key":"9205_CR30","unstructured":"ISO 9796-2:2002, Information technology\u2014Security techniques\u2014Digital signature schemes giving message recovery, Part 2: Integer factorization based mechanisms (2002)"},{"key":"9205_CR31","unstructured":"ISO 9796-2:2010, Information technology\u2014Security techniques\u2014Digital signature schemes giving message recovery, Part 2: Integer factorization based mechanisms (2010)"},{"key":"9205_CR32","doi-asserted-by":"crossref","unstructured":"A. Joux, D. Naccache, E. Thom\u00e9, When e-th roots become easier than factoring, Proceedings of Asiacrypt 2007, lncs, vol. 4833 (Springer, Berlin, 2007), pp. 13\u201328","DOI":"10.1007\/978-3-540-76900-2_2"},{"key":"9205_CR33","unstructured":"B. Kaliski, pkcs #1: RSA Encryption Standard, Version 1.5, RSA Laboratories, November 1993"},{"key":"9205_CR34","doi-asserted-by":"publisher","first-page":"331","DOI":"10.1007\/PL00008266","volume":"24","author":"E Kaltofen","year":"1999","unstructured":"E. Kaltofen and A. Lobo, Distributed matrix-free solution of large sparse linear systems over finite fields, Algorithmica, vol. 24, 1999, pp. 331\u2013348.","journal-title":"Algorithmica"},{"key":"9205_CR35","doi-asserted-by":"publisher","first-page":"255","DOI":"10.6028\/jres.045.026","volume":"45","author":"C Lanczos","year":"1950","unstructured":"C. Lanczos, An iterative method for the solution of the eigenvalue problem of linear differential and integral operator, Journal of Research of the National Bureau of Standards, vol. 45, 1950, pp. 255\u2013282.","journal-title":"J. Res. Natl. Bur. Stand."},{"key":"9205_CR36","doi-asserted-by":"publisher","first-page":"513","DOI":"10.1007\/BF01457454","volume":"261","author":"AK Lenstra","year":"1982","unstructured":"A.K. Lenstra, H.W. Lenstra, Jr., and L. Lov\u00e1sz, Factoring polynomials with rational coefficients. Mathematische Annalen, vol. 261, 1982, pp. 513\u2013534.","journal-title":"Math. Ann."},{"key":"9205_CR37","doi-asserted-by":"publisher","DOI":"10.1007\/BFb0091534","volume-title":"The Development of the Number Field Sieve","author":"AK Lenstra","year":"1993","unstructured":"A.K. Lenstra and H.W. Lenstra, Jr., The Development of the number field sieve, Berlin: Springer-Verlag, 1993."},{"issue":"2","key":"9205_CR38","doi-asserted-by":"publisher","first-page":"649","DOI":"10.2307\/1971363","volume":"126","author":"H Lenstra Jr","year":"1987","unstructured":"H. Lenstra, Jr., Factoring integers with elliptic curves, Annals of Mathematics, vol. 126, number 2, 1987, pp. 649\u2013673.","journal-title":"Ann. Math."},{"key":"9205_CR39","unstructured":"Y. Liu, T. Kasper, K. Lemke-Rust, C. Paar, E-passport: cracking basic access control keys, otm Conferences (2) (2007), pp. 1531\u20131547"},{"key":"9205_CR40","unstructured":"A. Lobo, wlss 2: an implementation of the homogeneous block Wiedemann algorithm. www4.ncsu.edu\/~kaltofen\/software\/wiliss"},{"key":"9205_CR41","unstructured":"A.J. Menezes, P.C. van Oorschot and S.A. Vanstone, Handbook of applied cryptography, (crc Press, 1996)"},{"key":"9205_CR42","unstructured":"M. Mezzarobba, de auditu, March 2009"},{"key":"9205_CR43","doi-asserted-by":"crossref","unstructured":"J.-F. Misarsky, How (not) to design RSA signature schemes, Proceedings of Public Key Cryptography 1998, lncs, vol. 1431 (Springer, Berlin, 1998), pp. 14\u201328","DOI":"10.1007\/BFb0054011"},{"key":"9205_CR44","doi-asserted-by":"crossref","unstructured":"P.L. Montgomery, A block Lanczos algorithm for finding dependencies over GF(2), Proceedings of Eurocrypt 1995, lncs, vol. 921 (Springer, Berlin, 1995), pp. 106\u2013120","DOI":"10.1007\/3-540-49264-X_9"},{"key":"9205_CR45","unstructured":"nvidia, cuda Zone\u2014The resource for cuda developers. www.nvidia.com\/cuda"},{"key":"9205_CR46","unstructured":"D.A. Osvik, de auditu, March 2009"},{"key":"9205_CR47","unstructured":"C. Paar, M. Schimmer, copacobana: A Codebreaker for des and other ciphers. www.copacobana.org"},{"key":"9205_CR48","unstructured":"The PARI Group, PARI\/GP, version 2.3.4, Bordeaux, 2008, pari.math.u-bordeaux.fr"},{"key":"9205_CR49","doi-asserted-by":"crossref","unstructured":"C. Pomerance, The quadratic sieve factoring algorithm, Proceedings of Eurocrypt 1984, lncs, vol. 209 (Springer, Berlin, 1985), pp. 169\u2013182","DOI":"10.1007\/3-540-39757-4_17"},{"key":"9205_CR50","doi-asserted-by":"publisher","first-page":"120","DOI":"10.1145\/359340.359342","volume":"21","author":"R Rivest","year":"1978","unstructured":"R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Communications of the acm, vol. 21, 1978, pp. 120\u2013126.","journal-title":"Commun. ACM"},{"key":"9205_CR51","unstructured":"The sage development team, sage mathematics software (Version 3.3) (2009). www.sagemath.org"},{"key":"9205_CR52","doi-asserted-by":"crossref","unstructured":"D. Stinson, Cryptography: Theory and Practice, 3rd edn. (crc Press, 2005)","DOI":"10.1201\/9781420057133"},{"key":"9205_CR53","doi-asserted-by":"crossref","unstructured":"M. Stevens, A. Sotirov, J. Appelbaum, A. Lenstra, D. Molnar, D.A. Osvik, B. de Weger: Short chosen-prefix collisions for md5 and the creation of a rogue ca certificate, Cryptology ePrint Archive, Report 2009\/111, 2009","DOI":"10.1007\/978-3-642-03356-8_4"},{"key":"9205_CR54","unstructured":"V. Shoup, Number Theory C++ Library ( ntl ) version 5.3.1. www.shoup.net\/ntl"}],"container-title":["Journal of Cryptology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-015-9205-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s00145-015-9205-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-015-9205-5","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-015-9205-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,5]],"date-time":"2022-05-05T07:20:19Z","timestamp":1651735219000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s00145-015-9205-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,4,17]]},"references-count":54,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2016,7]]}},"alternative-id":["9205"],"URL":"https:\/\/doi.org\/10.1007\/s00145-015-9205-5","relation":{},"ISSN":["0933-2790","1432-1378"],"issn-type":[{"value":"0933-2790","type":"print"},{"value":"1432-1378","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015,4,17]]},"assertion":[{"value":"25 June 2009","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"17 April 2015","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}