Abstract
This paper presents a new signature forgery strategy.
The attack is a sophisticated variant of Desmedt-Odlyzko's method [11], where the attacker obtains the signatures of m_1, ..., m_{τ−1} and exhibits the signature of a message m_τ which was never submitted to the signer; we assume that all messages are padded by a redundancy function µ before being signed.
Before interacting with the signer, the attacker selects ℓ-smooth¹ µ(m_i)-values and expresses µ(m_τ) as a multiplicative combination of the padded strings µ(m_1), ..., µ(m_{τ−1}). The signature of m_τ is then forged using the homomorphic property of RSA.
For DIN NI-17.4, PKCS #1 v2.0 and SSL-3.02, the attack is only theoretical, since it applies only to specific moduli and happens to be less efficient than factoring; therefore, the attack does not endanger any of these standards.
¹ An integer is ℓ-smooth if it has no prime factor larger than ℓ.
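As an added illustration (not code from the paper), the following Python shows on a constructed toy RSA key the two ingredients the abstract names: the homomorphic property sign(a·b) = sign(a)·sign(b) mod N, and a padded value µ(m_τ) that is a multiplicative combination of other padded values, so that its signature follows from signatures on messages the signer did see. The key, the one-byte message space and the fixed-prefix redundancy function `mu` are constructed assumptions and stand in for none of the standards the abstract names.

```python
# Added example, not code from the paper: the RSA homomorphism that a
# Desmedt-Odlyzko style forgery relies on, shown on a constructed toy key.
# mu() is a hypothetical fixed-prefix redundancy function, not any real standard.

from typing import Optional, Tuple

# Constructed toy RSA key; far too small for any real use.
P, Q = 61, 53
N = P * Q                            # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # 2753, the private exponent


def mu(m: int) -> int:
    """Hypothetical redundancy function: constant prefix 0b101, then one message byte."""
    return (0b101 << 8) | (m & 0xFF)  # padded values lie in 1280..1535


def is_padded(x: int) -> bool:
    """Verifier-side structural check: does x carry the mu() prefix?"""
    return x >> 8 == 0b101


def sign(padded: int) -> int:
    """Raw RSA signature of an already padded value."""
    return pow(padded, D, N)


def verify(padded: int, sig: int) -> bool:
    """Verifier: structure check plus RSA equation."""
    return is_padded(padded) and pow(sig, E, N) == padded


def homomorphism_holds(a: int, b: int) -> bool:
    """sign(a*b mod N) == sign(a)*sign(b) mod N for any residues a, b."""
    return sign(a * b % N) == sign(a) * sign(b) % N


def find_multiplicative_relation() -> Optional[Tuple[int, int, int]]:
    """Search the toy message space for m1, m2 such that mu(m1)*mu(m2) mod N
    is itself a correctly padded value mu(m3) for some third message m3."""
    for m1 in range(256):
        for m2 in range(256):
            prod = mu(m1) * mu(m2) % N
            if is_padded(prod):
                m3 = prod & 0xFF
                if m3 not in (m1, m2):
                    return m1, m2, m3
    return None


def forge_from_relation(rel: Tuple[int, int, int]) -> Tuple[int, int]:
    """Given the relation, combine the signer's signatures on m1 and m2 into a
    signature on mu(m3); m3 itself is never submitted to the signer."""
    m1, m2, m3 = rel
    s1, s2 = sign(mu(m1)), sign(mu(m2))   # the only two values the signer signs
    return mu(m3), s1 * s2 % N


if __name__ == "__main__":
    rel = find_multiplicative_relation()
    print("relation (m1, m2, m3):", rel)
    padded, sig = forge_from_relation(rel)
    print("forged signature verifies:", verify(padded, sig))
```

The verifier's structural check cannot catch this: the forged value is a correctly formatted µ(m_τ) and the RSA equation holds exactly. What the padding must provide is that such multiplicative relations among padded values are infeasible to find, which is the property the paper evaluates for the standards named in the abstract.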
References
[1] L. Adleman, A subexponential algorithm for the discrete logarithm problem with applications to cryptography, Proceedings of the IEEE 20th Annual Symposium on the Foundations of Computer Science, pp. 55–60, 1979.
[2] ANSI X9.31, Digital signatures using reversible public-key cryptography for the financial services industry (rDSA), 1998.
[3] E. Bach and R. Peralta, Asymptotic semismoothness probabilities, Mathematics of Computation, vol. 65, no. 216, pp. 1701–1715, 1996.
[4] O. Baudron and J. Stern, To pad or not to pad: does formatting degrade security?, 1999 RSA Data Security Conference proceedings book, 1999.
[5] M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, Proceedings of the First Annual Conference on Computer and Communications Security, ACM, 1993.
[6] M. Bellare and P. Rogaway, The exact security of digital signatures: how to sign with RSA and Rabin, Advances in Cryptology, EUROCRYPT'96, Springer-Verlag, Lecture Notes in Computer Science 1070, pp. 399–416, 1996.
[7] R. Brent, An improved Monte Carlo factorization algorithm, Nordisk Tidskrift for Informationsbehandling (BIT), vol. 20, pp. 176–184, 1980.
[8] N. de Bruijn, On the number of positive integers ≤ x and free of prime factors ≥ y, Indagationes Mathematicae, vol. 13, pp. 50–60, 1951 (see also part II, vol. 28, pp. 236–247, 1966).
[9] G. Davida, Chosen signature cryptanalysis of the RSA (MIT) public-key cryptosystem, TR-CS-82-2, Department of Electrical Engineering and Computer Science, University of Wisconsin, Milwaukee, 1982.
[10] D. Denning, Digital signatures with RSA and other public-key cryptosystems, Communications of the ACM, vol. 27, no. 4, pp. 388–392, 1984.
[11] Y. Desmedt and A. Odlyzko, A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, Advances in Cryptology, CRYPTO'85, Springer-Verlag, Lecture Notes in Computer Science 218, pp. 516–522, 1986.
[12] K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude, Arkiv för Matematik, Astronomi och Fysik, vol. 22A, no. 10, pp. 1–14, 1930.
[13] DIN NI-17.4, Specification of chipcard interface with digital signature application/function according to SigG and SigV, version 1.0, 1998.
[14] J. Dixon, Asymptotically fast factorization of integers, Mathematics of Computation, vol. 36, no. 153, pp. 255–260, 1981.
[15] J. Evertse and E. van Heyst, Which new RSA-signatures can be computed from certain given RSA signatures?, Journal of Cryptology, vol. 5, no. 1, pp. 41–52, 1992.
[16] M. Girault and J.-F. Misarsky, Selective forgery of RSA signatures using redundancy, Advances in Cryptology, EUROCRYPT'97, Springer-Verlag, Lecture Notes in Computer Science 1233, pp. 495–507, 1997.
[17] J. Gordon, How to forge RSA key certificates, Electronics Letters, vol. 21, no. 9, April 25, 1985.
[18] L. Guillou, J.-J. Quisquater, M. Walker, P. Landrock and C. Shaer, Precautions taken against various attacks in ISO/IEC DIS 9796, Advances in Cryptology, EUROCRYPT'90, Springer-Verlag, Lecture Notes in Computer Science 473, pp. 465–473, 1991.
[19] H. Halberstam, On integers whose prime factors are small, Proceedings of the London Mathematical Society, vol. 3, no. 21, pp. 102–107, 1970.
[20] K. Hickman, The SSL Protocol, December 1995. Available electronically at: http://www.netscape.com/newsref/std/ssl.html
[21] ISO/IEC 9796, Information technology - Security techniques - Digital signature scheme giving message recovery, Part 1: Mechanisms using redundancy, 1999.
[22] ISO/IEC 9796-2, Information technology - Security techniques - Digital signature scheme giving message recovery, Part 2: Mechanisms using a hash-function, 1997.
[23] ISO/IEC 10118-2, Information technology - Security techniques - Hash-functions, Part 2: Hash functions using an n-bit block-cipher algorithm, 1994.
[24] W. de Jonge and D. Chaum, Attacks on some RSA signatures, Advances in Cryptology, CRYPTO'85, Springer-Verlag, Lecture Notes in Computer Science 218, pp. 18–27, 1986.
[25] A. Lenstra, Generating RSA moduli with a predetermined portion, Advances in Cryptology, ASIACRYPT'98, Springer-Verlag, Lecture Notes in Computer Science 1514, pp. 1–10, 1998.
[26] A. Lenstra, de auditu, January 1999.
[27] A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press.
[28] M. Michels, M. Stadler and H.-M. Sun, On the security of some variants of the RSA signature scheme, Computer Security, ESORICS'98, Springer-Verlag, Lecture Notes in Computer Science 1485, pp. 85–96, 1998.
[29] J.-F. Misarsky, A multiplicative attack using LLL algorithm on RSA signatures with redundancy, Advances in Cryptology, CRYPTO'97, Springer-Verlag, Lecture Notes in Computer Science 1294, pp. 221–234, 1997.
[30] J.-F. Misarsky, How (not) to design RSA signature schemes, Public-Key Cryptography, Springer-Verlag, Lecture Notes in Computer Science 1431, pp. 14–28, 1998.
[31] National Institute of Standards and Technology, Secure hash standard, FIPS publication 180-1, April 1994.
[32] J. Pollard, Factoring with cubic integers, The Development of the Number Field Sieve, Springer-Verlag, Lecture Notes in Mathematics 1554, pp. 4–10, 1993.
[33] C. Pomerance, The quadratic sieve factoring algorithm, Advances in Cryptology, EUROCRYPT'84, Springer-Verlag, Lecture Notes in Computer Science 209, pp. 169–182, 1985.
[34] R. Rivest, RFC 1321: The MD5 message-digest algorithm, Internet Activities Board, April 1992.
[35] R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, vol. 21, no. 2, pp. 120–126, 1978.
[36] RSA Laboratories, PKCS #1: RSA cryptography specifications, version 2.0, September 1998.
[37] H. Williams, A modification of the RSA public key encryption procedure, IEEE Transactions on Information Theory, vol. 26, pp. 726–729, 1980.
© 1999 Springer-Verlag Berlin Heidelberg
Coron, JS., Naccache, D., Stern, J.P. (1999). On the Security of RSA Padding. In: Wiener, M. (eds) Advances in Cryptology — CRYPTO’ 99. CRYPTO 1999. Lecture Notes in Computer Science, vol 1666. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48405-1_1
DOI: https://doi.org/10.1007/3-540-48405-1_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-66347-8
Online ISBN: 978-3-540-48405-9