We describe two different attacks against the ISO/IEC 9796-1 signature standard for RSA and Rabin. Both attacks are existential forgeries under a chosen-message attack: the attacker asks for the signatures of some messages of his choice, and is then able to produce the signature of a message that was never signed by the legitimate signer. The first attack is a variant of Desmedt and Odlyzko’s attack and requires a few hundred signatures. The second attack is more powerful and requires only three signatures.
Keywords: Cryptanalysis; ISO/IEC 9796-1 signature standard; RSA signatures; Rabin signatures; Encoding scheme
- D. Coppersmith, S. Halevi, C. Jutla, ISO 9796-1 and the new forgery strategy, Research contribution to P1363, 1999. Available at http://grouper.ieee.org/groups/1363/contrib.html.
- J.S. Coron, D. Naccache, J.P. Stern, On the security of RSA padding, in Proceedings of Crypto ’99. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 1–18.
- Y. Desmedt, A. Odlyzko, A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, in Proceedings of Crypto ’85. Lecture Notes in Computer Science, vol. 218 (Springer, Berlin, 1985), pp. 516–522.
- K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude. Ark. Mat. Astron. Fys. 22A(10), 1–14 (1930).
- L. Guillou, J.-J. Quisquater, M. Walker, P. Landrock, C. Shaer, Precautions taken against various attacks in ISO/IEC DIS 9796, in Proceedings of Eurocrypt ’90. Lecture Notes in Computer Science, vol. 473 (Springer, Berlin, 1990), pp. 465–473.
- ISO/IEC 9796, Information Technology—Security Techniques—Digital Signature Scheme Giving Message Recovery, Part 1: Mechanisms Using Redundancy, 1991.
- A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1996).
- V. Shoup, Number Theory C++ Library (NTL) version 5.3.1. Available at www.shoup.net.