Journal of Cryptology

, Volume 29, Issue 3, pp 632–656 | Cite as

Practical Cryptanalysis of ISO 9796-2 and EMV Signatures

  • Jean-Sébastien CoronEmail author
  • David Naccache
  • Mehdi Tibouchi
  • Ralf-Philipp Weinmann


At Crypto 1999, Coron, Naccache and Stern described an existential signature forgery against two popular RSA signature standards, ISO 9796-1 and ISO 9796-2. Following this attack, ISO 9796-1 was withdrawn, and ISO 9796-2 was amended by increasing the message digest to at least 160 bits. In this paper, we describe an attack against the amended version of ISO 9796-2, for all modulus sizes. Our new attack is based on Bernstein’s algorithm for detecting smooth numbers, instead of trial division. In practice, we were able to compute a forgery in only 2 days on a network of 19 servers. Our attack can also be extended to EMV signatures, an ISO 9796-2-compliant format with extra redundancy. In response to this new attack, the ISO 9796-2 standard was amended again in late 2010.


Public-key cryptanalysis RSA signatures ISO 9796-2 EMV 


  1. 1.
    E. Bach and R. Peralta, Asymptotic semismoothness probabilities, Mathematics of Computation, vol. 65, number 216, 1996, pp. 1701–1715.MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, Proceedings of ccs 1993, acm, 1993, pp. 62–73Google Scholar
  3. 3.
    M. Bellare, P. Rogaway, Optimal asymmetric encryption: how to encrypt with RSA, Proceedings of Eurocrypt 1994, lncs, vol. 950 (Springer, Berlin, 1995), pp. 92–111Google Scholar
  4. 4.
    M. Bellare, P. Rogaway, The exact security of digital signatures: how to sign with RSA and Rabin, Proceedings of Eurocrypt 1996, lncs, vol. 1070 (Springer, Berlin, 1996), pp. 399–416Google Scholar
  5. 5.
    D.J. Bernstein, T. Lange (eds.), e bacs: ecrypt Benchmarking of cryptographic systems, Google Scholar
  6. 6.
    D.J. Bernstein, Fast Multiplications and its applications, Algorithmic Number Theory, vol. 44 (2008)Google Scholar
  7. 7.
    D.J. Bernstein, How to find smooth parts of integers, 2004/05/10, Google Scholar
  8. 8.
    D.J. Bernstein, Proving tight security for Rabin-Williams signatures. Proceedings of Eurocrypt 2008, lncs, vol. 4665 (Springer, Berlin, 2008), pp. 70–87Google Scholar
  9. 9.
    D.J. Bernstein, Scaled remainder trees, 2004/08/20, Google Scholar
  10. 10.
    D.J. Bernstein, T. Lange, C. Peters, Attacking and defending the McEliece cryptosystem, Proceedings of Post-Quantum Cryptography 2008, lncs, vol. 5299 (Springer, Berlin, 2008), pp. 31–46Google Scholar
  11. 11.
    D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard, Proceedings of Crypto 1998, lncs, vol. 1462 (Springer, Berlin, 1998), pp. 1–12Google Scholar
  12. 12.
    E.R. Canfield, P. Erdős and C. Pomerance, On a Problem of Oppenheim concerning ’Factorisation Numerorum’, Journal of Number Theory, vol. 17, 1983, pp. 1–28.MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    D. Coppersmith, Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm, Mathematics of Computation, vol. 62, number 205, 1994, pp. 333–350.MathSciNetzbMATHGoogle Scholar
  14. 14.
    D. Coppersmith, J.-S. Coron, F. Grieu, S. Halevi, C.S. Jutla, D. Naccache and J.P. Stern, Cryptanalysis of ISO 9796–1, Journal of Cryptology, vol. 21, 2008, pp. 27–51.MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    D. Coppersmith, S. Halevi, C. Jutla, iso 9796-1 and the new, forgery strategy, Research contribution to P.1363, 1999, Google Scholar
  16. 16.
    J.-S. Coron, Security proofs for partial domain hash signature schemes, Proceedings of Crypto 2002, lncs, vol. 2442 (Springer, Berlin, 2002), pp. 613–626Google Scholar
  17. 17.
    J.-S. Coron, Y. Desmedt, D. Naccache, A. Odlyzko and J.P. Stern, Index calculation attacks on RSA signature and encryption Designs, Codes and Cryptography, vol. 38, number 1, 2006, pp. 41–53.MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    J.-S. Coron, D. Naccache, M. Joye, P. Paillier, New attacks on pkcs #1 v1.5 encryption, Proceedings of Eurocrypt 2000, lncs, vol. 1807 (Springer, Berlin, 2000), pp. 369–381Google Scholar
  19. 19.
    J.-S. Coron, D. Naccache, J.P. Stern, On the security of RSA padding, Proceedings of Crypto 1999, lncs, vol. 1666 (Springer, Berlin, 1999), pp. 1–18Google Scholar
  20. 20.
    R.E. Crandall, E.W. Mayer and J.S. Papadopoulos, The twenty-fourth Fermat number is composite, Mathematics of Computation, volume 72, number 243, July 2003, pp. 1555–1572.MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Y. Desmedt, A. Odlyzko, A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, Proceedings of Crypto 1985, lncs, vol. 218 (Springer, Berlin, 1986), pp. 516–522Google Scholar
  22. 22.
    K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude, Arkiv för matematik, astronomi och fysik, vol. 22A, no. 10, 1930, pp. 1–14.Google Scholar
  23. 23.
    EMV, Integrated Circuit Card Specifications for Payment Systems, Book 2. Security and Key Management. Version 4.2. June 2008.
  24. 24.
    P. Gaudry, A. Kruppa, P. Zimmermann, A gmp-based implementation of Schőnhage-Strassen’s large integer multiplication algorithm, in Proceedings of issac 2007, Waterloo, Ontario, Canada, acm Press, 2007, pp. 167–174Google Scholar
  25. 25.
    F. Grieu, A chosen messages attack on the iso/iec 9796-1 signature scheme, Proceedings of Eurocrypt 2000, lncs, vol. 1807 (Springer, Berlin, 2000), pp. 70–80Google Scholar
  26. 26.
    W.B. Hart et al., Multiple Precision Integers and Rationals.
  27. 27.
    W.B. Hart, D. Harvey et al., Fast Library for Number Theory.
  28. 28.
    iso/iec 9796, Information technology—Security techniques—Digital signature scheme giving message recovery, Part 1: Mechanisms using redundancy (1999)Google Scholar
  29. 29.
    ISO 9796-2, Information technology—Security techniques—Digital signature scheme giving message recovery, Part 2: Mechanisms using a hash-function (1997)Google Scholar
  30. 30.
    ISO 9796-2:2002, Information technology—Security techniques—Digital signature schemes giving message recovery, Part 2: Integer factorization based mechanisms (2002)Google Scholar
  31. 31.
    ISO 9796-2:2010, Information technology—Security techniques—Digital signature schemes giving message recovery, Part 2: Integer factorization based mechanisms (2010)Google Scholar
  32. 32.
    A. Joux, D. Naccache, E. Thomé, When e-th roots become easier than factoring, Proceedings of Asiacrypt 2007, lncs, vol. 4833 (Springer, Berlin, 2007), pp. 13–28Google Scholar
  33. 33.
    B. Kaliski, pkcs #1: RSA Encryption Standard, Version 1.5, RSA Laboratories, November 1993Google Scholar
  34. 34.
    E. Kaltofen and A. Lobo, Distributed matrix-free solution of large sparse linear systems over finite fields, Algorithmica, vol. 24, 1999, pp. 331–348.MathSciNetCrossRefzbMATHGoogle Scholar
  35. 35.
    C. Lanczos, An iterative method for the solution of the eigenvalue problem of linear differential and integral operator, Journal of Research of the National Bureau of Standards, vol. 45, 1950, pp. 255–282.MathSciNetCrossRefGoogle Scholar
  36. 36.
    A.K. Lenstra, H.W. Lenstra, Jr., and L. Lovász, Factoring polynomials with rational coefficients. Mathematische Annalen, vol. 261, 1982, pp. 513–534.MathSciNetCrossRefzbMATHGoogle Scholar
  37. 37.
    A.K. Lenstra and H.W. Lenstra, Jr., The Development of the number field sieve, Berlin: Springer-Verlag, 1993.CrossRefzbMATHGoogle Scholar
  38. 38.
    H. Lenstra, Jr., Factoring integers with elliptic curves, Annals of Mathematics, vol. 126, number 2, 1987, pp. 649–673.MathSciNetCrossRefzbMATHGoogle Scholar
  39. 39.
    Y. Liu, T. Kasper, K. Lemke-Rust, C. Paar, E-passport: cracking basic access control keys, otm Conferences (2) (2007), pp. 1531–1547Google Scholar
  40. 40.
    A. Lobo, wlss 2: an implementation of the homogeneous block Wiedemann algorithm.
  41. 41.
    A.J. Menezes, P.C. van Oorschot and S.A. Vanstone, Handbook of applied cryptography, (crc Press, 1996)Google Scholar
  42. 42.
    M. Mezzarobba, de auditu, March 2009Google Scholar
  43. 43.
    J.-F. Misarsky, How (not) to design RSA signature schemes, Proceedings of Public Key Cryptography 1998, lncs, vol. 1431 (Springer, Berlin, 1998), pp. 14–28Google Scholar
  44. 44.
    P.L. Montgomery, A block Lanczos algorithm for finding dependencies over GF(2), Proceedings of Eurocrypt 1995, lncs, vol. 921 (Springer, Berlin, 1995), pp. 106–120Google Scholar
  45. 45.
    nvidia, cuda Zone—The resource for cuda developers.
  46. 46.
    D.A. Osvik, de auditu, March 2009Google Scholar
  47. 47.
    C. Paar, M. Schimmer, copacobana: A Codebreaker for des and other ciphers.
  48. 48.
    The PARI Group, PARI/GP, version 2.3.4, Bordeaux, 2008, Google Scholar
  49. 49.
    C. Pomerance, The quadratic sieve factoring algorithm, Proceedings of Eurocrypt 1984, lncs, vol. 209 (Springer, Berlin, 1985), pp. 169–182Google Scholar
  50. 50.
    R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Communications of the acm, vol. 21, 1978, pp. 120–126.MathSciNetCrossRefzbMATHGoogle Scholar
  51. 51.
    The sage development team, sage mathematics software (Version 3.3) (2009).
  52. 52.
    D. Stinson, Cryptography: Theory and Practice, 3rd edn. (crc Press, 2005)Google Scholar
  53. 53.
    M. Stevens, A. Sotirov, J. Appelbaum, A. Lenstra, D. Molnar, D.A. Osvik, B. de Weger: Short chosen-prefix collisions for md5 and the creation of a rogue ca certificate, Cryptology ePrint Archive, Report 2009/111, 2009Google Scholar
  54. 54.
    V. Shoup, Number Theory C++ Library ( ntl ) version 5.3.1.

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Jean-Sébastien Coron
    • 1
    Email author
  • David Naccache
    • 2
  • Mehdi Tibouchi
    • 3
  • Ralf-Philipp Weinmann
    • 1
  1. 1.Université du LuxembourgLuxembourgLuxembourg
  2. 2.Département d’informatique, Groupe de CryptographieÉcole normale supérieureParis Cedex 05France
  3. 3.NTT Secure Platform LaboratoriesMusashino-shiJapan

Personalised recommendations