Affine-padding RSA signatures consist of signing ω·m+α instead of the message m, for some fixed constants ω and α. A thread of publications has progressively reduced the size of m for which affine signatures can be forged in polynomial time. The current bound is $\log m \sim \frac{N}{3}$, where N is the bit-size of the RSA modulus. Improving this bound to $\frac{N}{4}$ has been an elusive open problem for the past decade. In this invited talk we consider a slightly different problem: instead of minimizing the size of m, we try to minimize its entropy. We show that affine-padding signatures on messages with $\frac{N}{4}$ bits of entropy can be forged in polynomial time. This problem has no direct cryptographic impact, but it allows one to better understand how malleable the RSA function is. In addition, the techniques presented in this talk might constitute some progress towards a solution to the longstanding $\frac{N}{4}$ forgery open problem. We also exhibit a sub-exponential time technique (faster than factoring) for creating affine modular relations between strings containing three messages of size $\frac{N}{4}$ and a fourth message of size $\frac{3N}{8}$. Finally, we show that $\frac{N}{4}$-relations can be obtained in specific scenarios, e.g. when one can pad messages with two independent patterns, or when the most significant bits of the modulus can be chosen by the opponent.