On Rabin-Type Signatures
This paper specializes the signature forgery by Coron, Naccache and Stern (1999) to Rabin-type systems. We present a variation in which the adversary may derive the private keys and thereby forge the signature on any chosen message. Further, we demonstrate that, contrary to the RSA, the use of larger (even) public exponents does not reduce the complexity of the forgery. Finally, we show that our technique is very general and applies to any Rabin-type system designed in a unique factorization domain, including the Williams’ M3 scheme (1986), the cubic schemes of Loxton et al. (1992) and of Scheidler (1998), and the cyclotomic schemes (1995).
KeywordsRabin-type systems digital signatures signature forgeries factorization
Unable to display preview. Download preview PDF.
- 1.FIPS 180-1. Secure Hash Standard. Federal Information Processing Standards Publication 180-1, U.S. Department of Commerce, April 1995.Google Scholar
- 2.IEEE Std 1363-2000. IEEE Standard Specifications for Public-Key Cryptography. IEEE Computer Society, August 29, 2000.Google Scholar
- 3.ISO/IEC 9796. Information technology-Security techniques-Digital signature scheme giving message recovery, 1991.Google Scholar
- 7.Henri Cohen. A Course in Computational Algebraic Number Theory, volume 138 of Graduate Texts in Mathematics. Springer-Verlag, 1993.Google Scholar
- 8.Jean-Sébastien Coron, David Naccache, and Julien P. Stern. On RSA padding. In M. Wiener, editor, Advances in Cryptology — CRYPTO’99, volume 1666 of Lecture Notes in Computer Science, pages 1–18. Springer-Verlag, 1999.Google Scholar
- 9.Wiebren de Jonge and David Chaum. Attacks on some RSA signatures. In H. C. Williams, editor, Advances in Cryptology — CRYPTO’85, volume 218 of Lecture Notes in Computer Science, pages 18–27, 1986.Google Scholar
- 10.Marc Girault, Philippe Toffin, and Brigitte Vallée. Computation of approximate L-th root modulo n and application to cryptography. In S. Goldwasser, editor, Advances in Cryptology — CRYPTO’88, volume 403 of Lecture Notes in Computer Science, pages 110–117, 1990.Google Scholar
- 11.Burton S. Kaliski Jr. A layman’s guide to a subset of ASN.1, BER, and DER. RSA Laboratories Technical Note, RSA Laboratories, November 1993. Available at http://www.rsasecurity.com/rsalabs/pkcs/.
- 12.Donald E. Knuth. The Art of Computer Programming, v. 2. Seminumerical Algorithms. Addison-Wesley, 2nd edition, 1981.Google Scholar
- 17.Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.Google Scholar
- 18.Peter L. Montgomery. A block Lanczos algorithm for finding dependencies over GF(2). In L. C. Guillou and J.-J. Quisquater, editors, Advances in Cryptology —EUROCRYPT’95, volume 921 of Lecture Notes in Computer Science, pages 106–120, 1995.Google Scholar
- 19.Michael O. Rabin. Digitized signatures and public-key functions as intractable as factorization. Technical Report LCS/TR-212, M.I.T. Lab. for Computer Science, January 1979.Google Scholar
- 22.Joseph H. Silverman. A Friendly Introduction to Number Theory. Prentice-Hall, 1997.Google Scholar
- 23.Robert D. Silverman and David Naccache. Recent results on signature forgery, April 1999. Available at http://www.rsasecurity.com/rsalabs/bulletins/sigforge.html.
- 27.____ An M 3 public key encryption scheme. In H. C. Williams, editor, Advances in Cryptology — CRYPTO’85, volume 218 of Lecture Notes in Computer Science, pages 358–368. Springer-Verlag, 1986.Google Scholar