Designs, Codes and Cryptography

, Volume 38, Issue 1, pp 41–53 | Cite as

Index Calculation Attacks on RSA Signature and Encryption

  • Jean-Sébastien CoronEmail author
  • David Naccache
  • Yvo Desmedt
  • Andrew Odlyzko
  • Julien P. Stern


At Crypto ’85, Desmedt and Odlyzko described a chosen-ciphertext attack against plain RSA encryption. The technique can also be applied to RSA signatures and enables an existential forgery under a chosen-message attack. The potential of this attack remained untapped until a twitch in the technique made it effective against two very popular RSA signature standards, namely iso/iec 9796-1 and iso/iec 9796-2. Following these attacks, iso/iec 9796-1 was withdrawn and ISO/IEC 9796-2 amended. In this paper, we explain in detail Desmedt and Odlyzko’s attack as well as its application to the cryptanalysis of iso/iec 9796-2.


RSA cryptanalsis signature forgery smoothness Index Calculation ISO 9796 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Canfield, E. R., Erdos, P., Pomerance, C. 1983On a Problem of Oppenheim Concerning ‘Factorisation Numerorum’J. Number Th.17128MathSciNetGoogle Scholar
  2. 2.
    D. Coppersmith, S. Halevi and C. Jutla, ISO 9796-1 and the new forgery strategy, Research contribution to P1363, (1999) available at
  3. 3.
    J. S. Coron, D. Naccache and J. P. Stern, On the security of RSA Padding, In Proceedings of Crypto ’99, LNCS Vol. 1666 (1999) Springer-Verlag, pp. 1–18.Google Scholar
  4. 4.
    Y. Desmedt and A. Odlyzko. A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, In Proceedings of Crypto ’85, LNCS Vol. 218, pp. 516–522.Google Scholar
  5. 5.
    Dickman, K. 1930On the frequency of numbers containing prime factors of a certain relative magnitudeArkiv för matematik, astronomi och fysik22A114Google Scholar
  6. 6.
    ISO/IEC 9796, Information technology – Security techniques – Digital signature scheme giving message recovery, Part 1: Mechanisms using redundancy (1999).Google Scholar
  7. 7.
    ISO/IEC 9796-2, Information technology – Security techniques – Digital signature scheme giving message recovery, Part 2: Mechanisms using a hash-function (1997).Google Scholar
  8. 8.
    Lanczos, C. 1950An iterative method for the solution of the eigenvalue problem of linear differential and integral operatorJ. Res. Nat. Bur. Standards45255282MathSciNetGoogle Scholar
  9. 9.
    Lenstra, A. K., Lenstra, H. W.,Jr. 1993The Development of the Number Field SieveSpringer-VerlagBerlinGoogle Scholar
  10. 10.
    Lenstra, H.,Jr. 1987Factoring integers with elliptic curvesAnn. of Math.126649673MathSciNetzbMATHGoogle Scholar
  11. 11.
    J.-F. Misarsky, How (not) to design RSA signature schemes, Public-key cryptography, Lectures Notes in Computer Science, Vol. 1431, Springer-Verlag, (1998) pp. 14–28.Google Scholar
  12. 12.
    C. Pomerance, The Quadratic Sieve Factoring Algorithm, In Advances in Cryptology, Proceedings of Eurocrypt ’84. Springer-Verlag (1985) pp. 169–182.Google Scholar
  13. 13.
    R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, CACM, Vol. 21 (1978).Google Scholar

Copyright information

© Springer Science+Business Media, Inc. 2006

Authors and Affiliations

  • Jean-Sébastien Coron
    • 1
    Email author
  • David Naccache
    • 1
  • Yvo Desmedt
    • 2
  • Andrew Odlyzko
    • 3
  • Julien P. Stern
    • 4
  1. 1.Gemplus Card InternationalFrance
  2. 2.Florida State UniversityUSA
  3. 3.University of MinnesotaUSA
  4. 4.Cryptolog InternationalFrance

Personalised recommendations