Which new RSA Signatures can be Computed from RSA Signatures, Obtained in a Specific Interactive Protocol?

  • Jan-Hendrik Evertse
  • Eugène van Heyst
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 658)


We consider certain interactive protocols, based on RSA. In these protocols, a signature authority Z (which chooses the RSA-modulus N that is kept fixed) issues a fixed number of RSA-signatures to an individual A. These RSA-signatures consist of products of rational powers of residue classes modulo N; some of these residue classes are chosen by Z and the others can be chosen freely by A. Thus, A can influence the form of the signatures that he gets from Z. A wants to choose his residue classes in such a way that he can use the signatures he gets from Z to compute a signature of a type not issued by Z.

In previous literature, some special cases of our protocols were considered, namely that only A chooses the residue classes ([Dav82],[Denn84],[DO85]) and that only Z chooses the residue classes [EvH92]. The results in our paper are used under the following assumptions:
  • A cannot compute RSA-roots on randomly chosen residue classes modulo N.

  • In his computations, A uses only multiplications and divisions modulo N.

Our main result gives a necessary and sufficient condition under which A is able to influence the signatures he gets from Z in such a way that he can use these RSA-signatures to compute a signature of a type not issued by Z. It turns out that this condition is equivalent to the solvability of a particular quadratic equation in integral matrices. We also study a particular case of this problem in more detail.
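The computation model in the two assumptions above can be seen in a small case. The following is an added illustration, not taken from the paper: Z issues x^(1/a) and x^(1/b) for coprime a and b, and A derives x^(1/(ab)), a type Z never issued, using only multiplications and divisions modulo N. The toy primes, the exponents and all function names are assumptions made for this example.

```python
# Toy parameters, constructed for illustration only (far too small for real use).
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)  # known to Z only


def z_issue_root(x, e):
    """Signature authority Z: return x^(1/e) mod N using the secret PHI."""
    d = pow(e, -1, PHI)  # requires gcd(e, PHI) == 1
    return pow(x, d, N)


def ext_gcd(a, b):
    """Return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def mod_pow_signed(y, k):
    """y^k mod N for any integer k, using only multiplication and division mod N."""
    if k < 0:
        y, k = pow(y, -1, N), -k  # division = multiplication by the inverse
    return pow(y, k, N)


def combine_roots(sig_a, a, sig_b, b):
    """A's side: from x^(1/a) and x^(1/b) with gcd(a, b) == 1, compute
    x^(1/(a*b)) without knowing PHI.

    With s*b + t*a == 1:
        (x^(1/a))^s * (x^(1/b))^t = x^((s*b + t*a)/(a*b)) = x^(1/(a*b)).
    """
    g, s, t = ext_gcd(b, a)
    if g != 1:
        raise ValueError("exponents must be coprime for this combination")
    return mod_pow_signed(sig_a, s) * mod_pow_signed(sig_b, t) % N


if __name__ == "__main__":
    x, a, b = 123456, 5, 13          # constructed sample values
    sig_a = z_issue_root(x, a)       # issued by Z
    sig_b = z_issue_root(x, b)       # issued by Z
    derived = combine_roots(sig_a, a, sig_b, b)
    print(derived, pow(derived, a * b, N) == x)
```

The derived value verifies as an (a·b)-th root of x even though Z only ever computed a-th and b-th roots, which is why a signer has to reason about every signature type reachable from the ones it issues.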


  1. [Dav82]
    George Davida, “Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem”, Tech. rept. TR-CS-82-2, Dept of Electrical Engineering and Computer Science, Univ. of Wisconsin, October 1982.
  2. [Denn84]
    Dorothy Denning, “Digital signatures with RSA and other public-key cryptosystems”, Comm. of the ACM, 27 (1984) pp. 388–392.
  3. [DO85]
    Yvo Desmedt and Andrew Odlyzko, “A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes”, Advances in Cryptology-CRYPTO 85, H.C. Williams ed., LNCS 218, Springer-Verlag, pp. 516–522.
  4. [EGS85]
    Shimon Even, Oded Goldreich and Adi Shamir, “On the security of ping-pong protocols when implemented using the RSA”, Advances in Cryptology-CRYPTO 85, H.C. Williams ed., LNCS 218, Springer-Verlag, pp. 58–72.
  5. [EvH92]
    Jan-Hendrik Evertse, Eugène van Heyst, “Which new RSA signatures can be computed from certain given RSA signatures?”, Journal of Cryptology, 5 (1992), pp. 41–52.
  6. [KaBa79]
    R. Kannan and A. Bachem, “Polynomial algorithms for computing the Smith and Hermite normal forms of an integer matrix”, SIAM Journal on Computing, 8 (1979) pp. 499–507.
  7. [RSA78]
    R.L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public Key Cryptosystems”, Comm. of the ACM, 21 (1978) pp. 120–126.

Copyright information

© Springer-Verlag Berlin Heidelberg 1993

Authors and Affiliations

  • Jan-Hendrik Evertse (1)
  • Eugène van Heyst (2)
  1. Department of Mathematics and Computer Science, University of Leiden, Leiden, The Netherlands
  2. CWI Centre for Mathematics and Computer Science, Amsterdam, The Netherlands
