From fixed-length to arbitrary-length RSA encoding schemes revisited

Authors:
Julien Cathalo;Jean-Sébastien Coron;David Naccache
Affiliations:
UCL Crypto Group, Louvain-la-Neuve, Belgium;Gemplus Card International, Issy-les-Moulineaux, France;Gemplus Card International, Issy-les-Moulineaux, France
Venue:
PKC'05 Proceedings of the 8th international conference on Theory and Practice in Public Key Cryptography
Year:
2005

Citing 8
Cited 1

A digital signature scheme secure against adaptive chosen-message attacks

SIAM Journal on Computing - Special issue on cryptography
Random oracles are practical: a paradigm for designing efficient protocols

CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
The random oracle methodology, revisited (preliminary version)

STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing
A method for obtaining digital signatures and public-key cryptosystems

Communications of the ACM
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
From Fixed-Length to Arbitrary-Length RSA Padding Schemes

ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
How (not) to Design RSA Signature Schemes

PKC '98 Proceedings of the First International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
The exact security of digital signatures-how to sign with RSA and Rabin

EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques

Comparing with RSA

Cryptography and Coding '09 Proceedings of the 12th IMA International Conference on Cryptography and Coding

Quantified Score

Hi-index	0.00

Visualization

Abstract

To sign with RSA, one usually encodes the message m as μ(m) and then raises the result to the private exponent modulo N. In Asiacrypt 2000, Coron et al. showed how to build a secure RSA encoding scheme μ′(m) for signing arbitrarily long messages from a secure encoding scheme μ(m) capable of handling only fixed-size messages, without making any additional assumptions. However, their construction required that the input size of μ be larger than the modulus size. In this paper we present a construction for which the input size of μ does not have to be larger than N. Our construction shows that the difficulty in building a secure encoding for RSA signatures is not in handling messages of arbitrary length, but rather in finding a secure encoding function for short messages, which remains an open problem in the standard model.