Another look at affine-padding RSA signatures

  • Authors:
  • Jean-Sébastien Coron; David Naccache; Mehdi Tibouchi

  • Affiliations:
  • Université du Luxembourg, Luxembourg, Luxembourg; Département d'informatique, École normale supérieure, Paris Cedex 05, France; NTT Secure Platform Laboratories, Okamoto Research Laboratory, Musashino-shi, Tokyo, Japan

  • Venue:
  • ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
  • Year:
  • 2012

Abstract

Affine-padding RSA signatures consist in signing ω·m+α instead of the message m for some fixed constants ω,α. A thread of publications progressively reduced the size of m for which affine signatures can be forged in polynomial time. The current bound is $\log m \sim \frac{N}{3}$ where N is the RSA modulus' bit-size. Improving this bound to $\frac{N}{4}$ has been an elusive open problem for the past decade. In this invited talk we consider a slightly different problem: instead of minimizing m's size we try to minimize its entropy. We show that affine-padding signatures on $\frac{N}{4}$ entropy-bit messages can be forged in polynomial time. This problem has no direct cryptographic impact but allows one to better understand how malleable the RSA function is. In addition, the techniques presented in this talk might constitute some progress towards a solution to the longstanding $\frac{N}{4}$ forgery open problem. We also exhibit a sub-exponential time technique (faster than factoring) for creating affine modular relations between strings containing three messages of size $\frac{N}{4}$ and a fourth message of size $\frac{3N}{8}$. Finally, we show that $\frac{N}{4}$-relations can be obtained in specific scenarios, e.g. when one can pad messages with two independent patterns or when the modulus' most significant bits can be chosen by the opponent.