Cryptanalysis of ISO/IEC 9796-1
- First Online:
- Cite this article as:
- Coppersmith, D., Coron, J.S., Grieu, F. et al. J Cryptol (2008) 21: 27. doi:10.1007/s00145-007-9007-5
We describe two different attacks against the ISO/IEC 9796-1 signature standard for RSA and Rabin. Both attacks consist in an existential forgery under a chosen-message attack: the attacker asks for the signature of some messages of his choice, and is then able to produce the signature of a message that was never signed by the legitimate signer. The first attack is a variant of Desmedt and Odlyzko’s attack and requires a few hundreds of signatures. The second attack is more powerful and requires only three signatures.