Journal of Cryptology, Volume 21, Issue 1, pp 27–51

Cryptanalysis of ISO/IEC 9796-1

  • D. Coppersmith
  • J. S. Coron
  • F. Grieu
  • S. Halevi
  • C. Jutla
  • D. Naccache
  • J. P. Stern


We describe two different attacks against the ISO/IEC 9796-1 signature standard for RSA and Rabin. Both attacks consist in an existential forgery under a chosen-message attack: the attacker asks for the signature of some messages of his choice, and is then able to produce the signature of a message that was never signed by the legitimate signer. The first attack is a variant of Desmedt and Odlyzko’s attack and requires a few hundred signatures. The second attack is more powerful and requires only three signatures.


Keywords: Cryptanalysis, ISO/IEC 9796-1 signature standard, RSA signatures, Rabin signatures, Encoding scheme




References

  [1] D. Coppersmith, S. Halevi, C. Jutla, ISO 9796-1 and the new forgery strategy, Research contribution to P1363, 1999. Available at
  [2] J.S. Coron, D. Naccache, J.P. Stern, On the security of RSA padding, in Proceedings of Crypto ’99. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 1–18.
  [3] Y. Desmedt, A. Odlyzko, A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, in Proceedings of Crypto ’85. Lecture Notes in Computer Science, vol. 218 (Springer, Berlin, 1985), pp. 516–522.
  [4] K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude. Ark. Mat. Astron. Fys. 22A(10), 1–14 (1930).
  [5] S. Goldwasser, S. Micali, R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988).
  [6] F. Grieu, A chosen message attack on the ISO/IEC 9796-1 signature scheme, in Advances in Cryptology—Eurocrypt 2000. Lecture Notes in Computer Science, vol. 1807 (Springer, Berlin, 2000), pp. 70–80.
  [7] L. Guillou, J.-J. Quisquater, M. Walker, P. Landrock, C. Shaer, Precautions taken against various attacks in ISO/IEC DIS 9796, in Proceedings of Eurocrypt ’90. Lecture Notes in Computer Science, vol. 473 (Springer, Berlin, 1990), pp. 465–473.
  [8] ISO/IEC 9796, Information Technology—Security Techniques—Digital Signature Scheme Giving Message Recovery, Part 1: Mechanisms Using Redundancy, 1991.
  [9] C. Lanczos, An iterative method for the solution of the eigenvalue problem of linear differential and integral operator. J. Res. Nat. Bur. Standards 45, 255–282 (1950).
  [10] H.W. Lenstra Jr., Factoring integers with elliptic curves. Ann. Math. 126(2), 649–673 (1987).
  [11] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1996).
  [12] J.-F. Misarsky, How (not) to design RSA signature schemes, in Public-Key Cryptography. Lecture Notes in Computer Science, vol. 1431 (Springer, Berlin, 1998), pp. 14–28.
  [13] R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public key cryptosystems. Commun. ACM 21, 120–126 (1978).
  [14] V. Shoup, Number Theory C++ Library (NTL) version 5.3.1. Available at
  [15] D. Stinson, Cryptography: Theory and Practice (CRC Press, Boca Raton, 1995).

Copyright information

© International Association for Cryptologic Research 2007

Authors and Affiliations

  • D. Coppersmith (1)
  • J. S. Coron (2)
  • F. Grieu (3)
  • S. Halevi (4)
  • C. Jutla (4)
  • D. Naccache (5)
  • J. P. Stern (6)

  1. IBM T.J. Watson Research Center, Yorktown Heights, USA
  2. University of Luxembourg, Luxembourg, Luxembourg
  3. Spirtech, Paris, France
  4. IBM T.J. Watson Research Center, Hawthorne, USA
  5. Ecole normale supérieure, Paris, France
  6. Cryptolog International SAS, Paris, France
