Attacks on some RSA signatures
Lecture notes in computer sciences; 218 on Advances in cryptology---CRYPTO 85
EUROCRYPT '90 Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology
A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
Computation of Approximate L-th Roots Modulo n and Application to Cryptography
CRYPTO '88 Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology
The exact security of digital signatures-how to sign with RSA and Rabin
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Group Signatures and Their Relevance to Privacy-Protecting Off-Line Electronic Cash Systems
ACISP '99 Proceedings of the 4th Australasian Conference on Information Security and Privacy
On the Security of RSA Padding
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Separability and Efficiency for Generic Group Signature Schemes
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Cryptanalysis of RSA Signatures with Fixed-Pattern Padding
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
The State of Cryptographic Hash Functions
Lectures on Data Security, Modern Cryptology in Theory and Practice, Summer School, Aarhus, Denmark, July 1998
Cryptographic Primitives for Information Authentication - State of the Art
State of the Art in Applied Cryptography, Course on Computer Security and Industrial Cryptography - Revised Lectures
Selective Forgery of RSA Signatures with Fixed-Pattern Padding
PKC '02 Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography
Solving Linear Equations Modulo Divisors: On Factoring Given Any Bits
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Cryptanalysis of countermeasures proposed for repairing ISO 9796-1
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
When e-th roots become easier than factoring
ASIACRYPT'07 Proceedings of the Advances in Crypotology 13th international conference on Theory and application of cryptology and information security
RSA moduli with a predetermined portion: techniques and applications
ISPEC'08 Proceedings of the 4th international conference on Information security practice and experience
Another look at affine-padding RSA signatures
ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
| Hi-index | 0.00 |
We show the weakness of several RSA signature schemes using redundancy (i.e. completing the message to be signed with some additional bits which are fixed or message-dependent), by exhibiting chosen-message attacks based on the multiplicative property of RSA signature function. Our attacks, which largely extend those of DeJonge and Chaum [DJC], make extensive use of an affine variant of Euclid's algorithm, due to Okamoto and Shiraishi [OS]. When the redundancy consists of appending any fixed bits to the message m to be signed (more generally when redundancy takes the form of an affine function of m), then our attack is valid if the redundancy is less than half the length of the public modulus. When the redundancy consists in appending to m the remainder of m modulo some fixed value (or, more generally, any function of this remainder), our attack is valid if the redundancy is less than half the length of the public modulus minus the length of the remainder. We successfully apply our attack to a scheme proposed for discussion inside ISO.