Abstract
We show the weakness of several RSA signature schemes using redundancy (i.e. completing the message to be signed with some additional bits which are fixed or message-dependent), by exhibiting chosen-message attacks based on the multiplicative property of the RSA signature function. Our attacks, which largely extend those of De Jonge and Chaum [DJC], make extensive use of an affine variant of Euclid’s algorithm, due to Okamoto and Shiraishi [OS]. When the redundancy consists of appending any fixed bits to the message m to be signed (more generally, when the redundancy takes the form of an affine function of m), our attack is valid if the redundancy is less than half the length of the public modulus. When the redundancy consists of appending to m the remainder of m modulo some fixed value (or, more generally, any function of this remainder), our attack is valid if the redundancy is less than half the length of the public modulus minus the length of the remainder. We successfully apply our attack to a scheme proposed for discussion inside ISO.
References
M. Bellare, P. Rogaway, “The Exact Security of Digital Signatures — How to Sign with RSA and Rabin”, Eurocrypt’96 Proceedings, Lecture Notes in Computer Science, Vol. 1070, U. Maurer ed., Springer-Verlag, 1996.
W. De Jonge, D. Chaum, “Attacks on some RSA Signatures”, Advances in Cryptology, Crypto’85 Proceedings, Lecture Notes in Computer Science, Vol. 218, Springer-Verlag, Berlin, 1986, pp. 18–27.
L.C. Guillou, J.J. Quisquater, P. Landrock, C. Shaer, “Precautions taken against various potential attacks in ISO/IEC DIS 9796, Digital signature scheme giving message recovery”, Eurocrypt’90 Proceedings, Lecture Notes in Computer Science, Vol. 473, Springer-Verlag, pp. 465–473.
M. Girault, P. Toffin, B. Vallée, “Computation of approximate L-th roots modulo n and application to cryptography”, Proc. of Crypto’88, Lecture Notes in Computer Science, Vol. 403, Springer-Verlag, 1988, pp. 100–117.
ISO/IEC JTC 1/SC 27, “Digital signature schemes giving message recovery; Part 2: Mechanisms using a hash function”, Working Draft, January 1996.
ISO/IEC 9796-1, “Digital signature schemes giving message recovery; Part 1: Mechanisms using redundancy”.
ISO/IEC 9796-2, “Digital signature schemes giving message recovery; Part 2: Mechanisms using a hash-function”.
ISO/IEC 9796-3, “Digital signature schemes giving message recovery; Part 3: Mechanisms using a check-function”.
T. Okamoto, A. Shiraishi, “A fast signature scheme based on quadratic inequalities”, Proc. of the 1985 Symposium on Security and Privacy, Apr. 1985, Oakland, CA.
R.L. Rivest, A. Shamir, L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems”, CACM, Vol. 21, no. 2, Feb. 1978, pp. 120–126.
Copyright information
© 1997 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Girault, M., Misarsky, JF. (1997). Selective Forgery of RSA Signatures Using Redundancy. In: Fumy, W. (eds) Advances in Cryptology — EUROCRYPT ’97. EUROCRYPT 1997. Lecture Notes in Computer Science, vol 1233. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-69053-0_34
DOI: https://doi.org/10.1007/3-540-69053-0_34
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-62975-7
Online ISBN: 978-3-540-69053-5
eBook Packages: Springer Book Archive