Cryptanalysis of RSA Signatures with Fixed-Pattern Padding

  • Eric Brier
  • Christophe Clavier
  • Jean-Sébastien Coron
  • David Naccache
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2139)


A fixed-pattern padding consists in concatenating to the message m a fixed pattern P. The RSA signature is then obtained by computing (P|m)^d mod N where d is the private exponent and N the modulus. In Eurocrypt ’97, Girault and Misarsky showed that the size of P must be at least half the size of N (in other words the parameter configurations |P| < |N|/2 are insecure) but the security of RSA fixed-pattern padding remained unknown for |P| > |N|/2. In this paper we show that the size of P must be at least two-thirds of the size of N, i.e. we show that |P| < 2|N|/3 is insecure.


Keywords: RSA signatures, fixed-pattern padding, affine redundancy


References

  1. W. De Jonge and D. Chaum, Attacks on some RSA signatures, Proceedings of Crypto ’85, LNCS vol. 218, Springer-Verlag, 1986, pp. 18–27.
  2. M. Girault and J.-F. Misarsky, Selective forgery of RSA signatures using redundancy, Proceedings of Eurocrypt ’97, LNCS vol. 1233, Springer-Verlag, 1997, pp. 495–507.
  3. M. Girault, P. Toffin and B. Vallée, Computation of approximation L-th roots modulo n and application to cryptography, Proceedings of Crypto ’88, LNCS vol. 403, Springer-Verlag, 1988, pp. 100–117.
  4. A. K. Lenstra, H. W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Mathematische Annalen, vol. 261, n. 4, 1982, pp. 515–534.
  5. J.-F. Misarsky, A multiplicative attack using LLL algorithm on RSA signatures with redundancy, Proceedings of Crypto ’97, LNCS vol. 1294, Springer-Verlag, pp. 221–234.
  6. J.-F. Misarsky, How (not) to design RSA signature schemes, Public-key cryptography (PKC), Springer-Verlag, Lecture Notes in Computer Science 1431, pp. 14–28, 1998.
  7. T. Okamoto and A. Shiraishi, A fast signature scheme based on quadratic inequalities, Proc. of the 1985 Symposium on Security and Privacy, April 1985, Oakland, CA.
  8. R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, CACM 21, 1978.
  9. RSA Laboratories, PKCS #1: RSA cryptography specifications, version 2.0, September 1998.

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Eric Brier (1)
  • Christophe Clavier (2)
  • Jean-Sébastien Coron (2)
  • David Naccache (2)
  1. Gemplus Card International, Gémenos Cedex, France
  2. Gemplus Card International, Issy-les-Moulineaux, France
