Which new RSA signatures can be computed from RSA signatures, obtained in a specific interactive protocol?

  • Authors:

  • Jan-Hendrik Evertse;Eugène Van Heyst

  • Affiliations:

  • Department of Mathematics and Computer Science, University of Leiden, Leiden, The Netherlands;CWI Centre for Mathematics and Computer Science, Amsterdam, The Netherlands

  • Venue:
  • EUROCRYPT'92 Proceedings of the 11th annual international conference on Theory and application of cryptographic techniques
  • Year:
  • 1992

Quantified Score

Hi-index 0.00

Visualization

Abstract

We consider cetain interactive protocols, based on RSA. In these protocols, a signature authority Z (which chooses the RSA-modulus N that is kept fixed) issues a fixed number of RSA-signatures to an individual A. These RSA-signatures consist of products of rational powers of residue classes modulo N some of these residue classes are chosen by Z and the others can be chosen freely by A Thus, A can influence the form of the signatures that be gets from Z. A wants to choose his residue classes in such a way that he can use the signatures he gets from Z to compute a signature of a type not issued by Z. In previous literature, some special cases of our protocols were considered. namely that only A chooses the residue classes ([Dav82), [Denn84], [DO85]) and that only Z chooses the residue classes [EvH92]. The results in our paper are used under the following assumptiom: • A cannot compute RSA-roots on randomly chosen residue classes modulo N. • In his computations, A uses only multiplications and divisions modulo N. Our main result gives a necessary and sufficient condition under which A is able to influence the signatures he gets from Z in such a way that he can use these RSA-signatures to compute a signature of a type not issued by Z. It turns out that this condition is equivalent to the solvability of a particular quadratic equation in integral matrices. We also study a particular case of this problem in more detail.