A chosen messages attack on the ISO/IEC 9796-1 signature scheme

  • Authors: François Grieu
  • Affiliations: Innovatron, Paris, France
  • Venue: EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
  • Year: 2000

Abstract

We introduce an attack against the ISO/IEC 9796-1 digital signature scheme using redundancy, taking advantage of the multiplicative property of the RSA and Rabin cryptosystems. The forged signature of 1 message is obtained from the signature of 3 others for any public exponent v. For even v, the modulus is factored from the signature of 4 messages, or just 2 for v = 2. The attacker must select the above messages from a particular message subset, whose size grows exponentially with the public modulus bit size. The attack is computationally inexpensive, and works for any modulus of 16z, 16z ± 1, or 16z ± 2 bits. This prompts the need to revise ISO/IEC 9796-1, or avoid its use in situations where an adversary could obtain the signature of even a few mostly chosen messages.