Journal of Cryptology

, Volume 21, Issue 1, pp 27-51

First online:

Cryptanalysis of ISO/IEC 9796-1

  • D. CoppersmithAffiliated withIBM T.J. Watson Research Center
  • , J. S. CoronAffiliated withUniversity of Luxembourg Email author 
  • , F. GrieuAffiliated withSpirtech
  • , S. HaleviAffiliated withIBM T.J. Watson Research Center
  • , C. JutlaAffiliated withIBM T.J. Watson Research Center
  • , D. NaccacheAffiliated withEcole normale supérieure
  • , J. P. SternAffiliated withCryptolog International SAS

Rent the article at a discount

Rent now

* Final gross prices may vary according to local VAT.

Get Access


We describe two different attacks against the ISO/IEC 9796-1 signature standard for RSA and Rabin. Both attacks consist in an existential forgery under a chosen-message attack: the attacker asks for the signature of some messages of his choice, and is then able to produce the signature of a message that was never signed by the legitimate signer. The first attack is a variant of Desmedt and Odlyzko’s attack and requires a few hundreds of signatures. The second attack is more powerful and requires only three signatures.


Cryptanalysis ISO/IEC 9796-1 signature standard RSA signatures Rabin signatures Encoding scheme