Abstract
We show that some RSA signature schemes using fixed or modular redundancy, with the redundancy bits dispersed through the message, are insecure. Our attack is based on the multiplicative property of the RSA signature function and extends the earlier results of De Jonge and Chaum [DJC] as well as the recent results of Girault and Misarsky [GM]. Our method uses lattice basis reduction [LLL] and the algorithms of László Babai [B]. The attack is valid when the length of the redundancy is roughly less than half the length of the public modulus. We successfully apply it to a scheme proposed for discussion inside ISO. We then describe possible adaptations of our method to attack schemes using a mask or different modular redundancies. Finally, we explain the limits of our attack and how to defeat it.
References
L. Babai, “On Lovász' lattice reduction and the nearest lattice point problem”, Combinatorica, vol. 6, pp. 1–14.
D. Coppersmith, “Finding a Small Root of a Univariate Modular Equation”, Eurocrypt '96 Proceedings, Lecture Notes in Computer Science, vol. 1070, Springer-Verlag, pp. 155–165.
W. De Jonge, D. Chaum, “Attacks on some RSA Signatures”, Advances in Cryptology, Crypto '85 Proceedings, Lecture Notes in Computer Science, vol. 218, Springer-Verlag, Berlin, 1986, pp. 18–27.
L.C. Guillou, J.J. Quisquater, P. Landrock, C. Shaer, “Precautions taken against various potential attacks in ISO/IEC DIS 9796, Digital signature scheme giving message recovery”, Eurocrypt '90 Proceedings, Lecture Notes in Computer Science, vol. 473, Springer-Verlag, pp. 465–473.
M. Girault, J.F. Misarsky, “Selective Forgery of RSA Signatures Using Redundancy”, Advances in Cryptology — Eurocrypt '97, Lecture Notes in Computer Science, vol. 1233, Springer-Verlag, pp. 495–507.
J. Hastad, “Solving simultaneous modular equations of low degree”, SIAM J. Comput., vol. 17, no. 2, April 1988.
ISO/IEC 9796, December 1991, “Digital signature scheme giving message recovery”.
ISO/IEC 9796-3, Working Draft, December 1996, “Digital signature schemes giving message recovery; Part 3: Mechanisms using a check-function”.
A.K. Lenstra, H.W. Lenstra, L. Lovász, “Factoring Polynomials with Rational Coefficients”, Mathematische Annalen, vol. 261, no. 4, 1982, pp. 515–534.
T. Okamoto, A. Shiraishi, “A fast signature scheme based on quadratic inequalities”, Proc. of the 1985 Symposium on Security and Privacy, April 1985, Oakland, CA.
A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, “Handbook of Applied Cryptography”, CRC Press.
R.L. Rivest, A. Shamir, L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems”, CACM, vol. 21, no. 2, February 1978, pp. 120–126.
A. Shamir, “A polynomial-time algorithm for breaking the basic Merkle-Hellman cryptosystem”, Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, IEEE, 1982, pp. 145–152.
B. Vallée, M. Girault, P. Toffin, “How to break Okamoto's cryptosystems by reducing lattice bases”, Eurocrypt '87 Proceedings, Lecture Notes in Computer Science.
B. Vallée, M. Girault, P. Toffin, “How to guess L-th roots modulo n by reducing lattice bases”, Proc. of the Conference ISSAC-88 and AAECC-6, July 1988.
© 1997 Springer-Verlag
Cite this paper
Misarsky, J.F. (1997). A multiplicative attack using LLL algorithm on RSA signatures with redundancy. In: Kaliski, B.S. (eds) Advances in Cryptology — CRYPTO '97. CRYPTO 1997. Lecture Notes in Computer Science, vol 1294. Springer, Berlin, Heidelberg. https://doi.org/10.1007/BFb0052238
DOI: https://doi.org/10.1007/BFb0052238
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-63384-6
Online ISBN: 978-3-540-69528-8