From Fixed-Length to Arbitrary-Length RSA Padding Schemes
A common practice for signing with RSA is to first apply a hash function or a redundancy function to the message, add some padding and exponentiate the resulting padded message using the decryption exponent. This is the basis of several existing standards.
In this paper we show how to build a secure padding scheme for signing arbitrarily long messages with a secure padding scheme for fixed-size messages. This focuses more sharply the question of finding a secure encoding for RSA signatures, by showing that the difficulty is not in handling messages of arbitrary length, but rather in finding a secure redundancy function for short messages, which remains an open problem.
KeywordsSignature scheme provable security padding scheme
- 1.M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, proceedings of the First Annual Conference on Computer and Commmunications Security, ACM, 1993.Google Scholar
- 2.M. Bellare and P. Rogaway, The exact security of digital signatures-How to sign with RSA and Rabin, proceedings of Eurocrypt’96, LNCS vol. 1070, Springer-Verlag, 1996, pp. 399–416.Google Scholar
- 3.R. Canetti, O. Goldreich and S. Halevi, The Random Oracle Methodology,Re visited, STOC’ 98, ACM, 1998.Google Scholar
- 9.J.F. Misarsky, How (not) to design signature schemes, proceedings of PKC’98, Lecture Notes in Computer Science vol. 1431, Springer Verlag, 1998.Google Scholar
- 10.R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, CACM 21, 1978.Google Scholar