Abstract
We describe two different attacks against the ISO/IEC 9796-1 signature standard for RSA and Rabin. Both attacks consist in an existential forgery under a chosen-message attack: the attacker asks for the signature of some messages of his choice, and is then able to produce the signature of a message that was never signed by the legitimate signer. The first attack is a variant of Desmedt and Odlyzko’s attack and requires a few hundred signatures. The second attack is more powerful and requires only three signatures.
References
D. Coppersmith, S. Halevi, C. Jutla, ISO 9796-1 and the new forgery strategy, Research contribution to P1363, 1999. Available at http://grouper.ieee.org/groups/1363/contrib.html.
J.S. Coron, D. Naccache, J.P. Stern, On the security of RSA padding, in Proceedings of Crypto ’99. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 1–18.
Y. Desmedt, A. Odlyzko, A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, in Proceedings of Crypto ’85. Lecture Notes in Computer Science, vol. 218 (Springer, Berlin, 1985), pp. 516–522.
K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude. Ark. Mat. Astron. Fys. 22A(10), 1–14 (1930).
S. Goldwasser, S. Micali, R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988).
F. Grieu, A chosen message attack on the ISO/IEC 9796-1 signature scheme, in Advances in Cryptology—Eurocrypt 2000. Lecture Notes in Computer Science, vol. 1807 (Springer, Berlin, 2000), pp. 70–80.
L. Guillou, J.-J. Quisquater, M. Walker, P. Landrock, C. Shaer, Precautions taken against various attacks in ISO/IEC DIS 9796, in Proceedings of Eurocrypt ’90. Lecture Notes in Computer Science, vol. 473 (Springer, Berlin, 1990), pp. 465–473.
ISO/IEC 9796, Information Technology—Security Techniques—Digital Signature Scheme Giving Message Recovery, Part 1: Mechanisms Using Redundancy, 1991.
C. Lanczos, An iterative method for the solution of the eigenvalue problem of linear differential and integral operator. J. Res. Nat. Bur. Standards 45, 255–282 (1950).
H.W. Lenstra Jr., Factoring integers with elliptic curves. Ann. Math. 126(2), 649–673 (1987).
A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1996).
J.-F. Misarsky, How (not) to design RSA signature schemes, in Public-Key Cryptography. Lecture Notes in Computer Science, vol. 1431 (Springer, Berlin, 1998), pp. 14–28.
R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public key cryptosystems. Commun. ACM 21, 120–126 (1978).
V. Shoup, Number Theory C++ Library (NTL) version 5.3.1. Available at www.shoup.net.
D. Stinson, Cryptography: Theory and Practice (CRC Press, Boca Raton, 1995).
Additional information
Communicated by Stefan Wolf
Cite this article
Coppersmith, D., Coron, J.S., Grieu, F. et al. Cryptanalysis of ISO/IEC 9796-1. J Cryptol 21, 27–51 (2008). https://doi.org/10.1007/s00145-007-9007-5
DOI: https://doi.org/10.1007/s00145-007-9007-5