Skip to main content

Cryptanalysis of ISO/IEC 9796-1


We describe two different attacks against the ISO/IEC 9796-1 signature standard for RSA and Rabin. Both attacks consist in an existential forgery under a chosen-message attack: the attacker asks for the signature of some messages of his choice, and is then able to produce the signature of a message that was never signed by the legitimate signer. The first attack is a variant of Desmedt and Odlyzko’s attack and requires a few hundreds of signatures. The second attack is more powerful and requires only three signatures.


  1. D. Coppersmith, S. Halevi, C. Jutla, ISO 9796-1 and the new forgery strategy, Research contribution to P1363, 1999. Available at

  2. J.S. Coron, D. Naccache, J.P. Stern, On the security of RSA padding, in Proceedings of Crypto ’99. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 1–18.

    Google Scholar 

  3. Y. Desmedt, A. Odlyzko, A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, in Proceedings of Crypto ’85. Lecture Notes in Computer Science, vol. 218 (Springer, Berlin, 1985), pp. 516–522.

    Google Scholar 

  4. K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude. Ark. Mat. Astron. Fys. 22A(10), 1–14 (1930).

    Google Scholar 

  5. S. Goldwasser, S. Micali, R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988).

    MATH  Article  MathSciNet  Google Scholar 

  6. F. Grieu, A chosen message attack on the ISO/IEC 9796-1 signature scheme, in Advances in Cryptology—Eurocrypt 2000. Lecture Notes in Computer Science, vol. 1807 (Springer, Berlin, 2000), pp. 70–80.

    Chapter  Google Scholar 

  7. L. Guillou, J.-J. Quisquater, M. Walker, P. Landrock, C. Shaer, Precautions taken against various attacks in ISO/IEC DIS 9796, in Proceedings of Eurocrypt’ 90. Lecture Notes in Computer Science, vol. 473 (Springer, Berlin, 1990), pp. 465–473.

    Google Scholar 

  8. ISO/IEC 9796, Information Technology—Security Techniques—Digital Signature Scheme Giving Message Recovery, Part 1: Mechanisms Using Redundancy, 1991.

  9. C. Lanczos, An iterative method for the solution of the eigenvalue problem of linear differential and integral operator. J. Res. Nat. Bur. Standards 45, 255–282 (1950).

    MathSciNet  Google Scholar 

  10. H.W. Lenstra Jr., Factoring integers with elliptic curves. Ann. Math. 126(2), 649–673 (1987).

    MathSciNet  Article  Google Scholar 

  11. A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 1996).

    Google Scholar 

  12. J.-F. Misarsky, How (not) to design RSA signature schemes, in Public-Key Cryptography. Lecture Notes in Computer Science, vol. 1431 (Springer, Berlin, 1998), pp. 14–28.

    Chapter  Google Scholar 

  13. R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public key cryptosystems. Commun. ACM 21, 120–126 (1978).

    MATH  Article  MathSciNet  Google Scholar 

  14. V. Shoup, Number Theory C++ Library (NTL) version 5.3.1. Available at

  15. D. Stinson, Cryptography: Theory and Practice (CRC Press, Boca Raton, 1995).

    MATH  Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to J. S. Coron.

Additional information

Communicated by Stefan Wolf

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Coppersmith, D., Coron, J.S., Grieu, F. et al. Cryptanalysis of ISO/IEC 9796-1. J Cryptol 21, 27–51 (2008).

Download citation

  • Received:

  • Revised:

  • Published:

  • Issue Date:

  • DOI:


  • Cryptanalysis
  • ISO/IEC 9796-1 signature standard
  • RSA signatures
  • Rabin signatures
  • Encoding scheme