Attacks on some RSA signatures
Lecture notes in computer sciences; 218 on Advances in cryptology---CRYPTO 85
A method for obtaining digital signatures and public-key cryptosystems
Communications of the ACM
Computation of Approximate L-th Roots Modulo n and Application to Cryptography
CRYPTO '88 Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology
A Multiplicative Attack Using LLL Algorithm on RSA Signatures with Redundancy
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
How (not) to Design RSA Signature Schemes
PKC '98 Proceedings of the First International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Selective forgery of RSA signatures using redundancy
EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
Selective Forgery of RSA Signatures with Fixed-Pattern Padding
PKC '02 Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems: Public Key Cryptography
Mining your Ps and Qs: detection of widespread weak keys in network devices
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Another look at affine-padding RSA signatures
ICISC'12 Proceedings of the 15th international conference on Information Security and Cryptology
Hi-index | 0.00 |
A fixed-pattern padding consists in concatenating to the message m a fixed pattern P. The RSA signature is then obtained by computing (P\m)d mod N where d is the private exponent and N the modulus. In Eurocrypt '97, Girault and Misarsky showed that the size of P must be at least half the size of N (in other words the parameter configurations |P| N|/2 are insecure) but the security of RSA fixed-pattern padding remained unknown for |P| |N|/2. In this paper we show that the size of P must be at least two-thirds of the size of N, i.e. we show that |P| N|/3 is insecure.