Which new RSA Signatures can be Computed from RSA Signatures, Obtained in a Specific Interactive Protocol?
Abstract
We consider certain interactive protocols, based on RSA. In these protocols, a signature authority Z(which chooses the RSAmodulus N that is kept fixed) issues a fixed number of RSAsignatures to an individual A. These RSAsignatures consist of products of rational powers of residue classes modulo N; some of these residue classes are chosen by Z and the others can be chosen freely by A. Thus, A can influence the form of the signatures that he gets from Z. A wants to choose his residue classes in such a way that he can use the signatures he gets from Z to compute a signature of a type not issued by Z.

A cannot compute RSAroots on randomly chosen residue classes modulo N.

In his computations, A uses only multiplications and divisions modulo N.
References
 [Dav82]George Davida, Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem, Tech. rept. TRCS822, Dept of Electrical Engineering and Computer Science, Univ. of Wisconsin, October 1982.Google Scholar
 [Denn84]Dorothy Denning, “Digital signatures with RSA and other publickey cryptosystems”, Comm. of the ACM, 27 (1984) pp. 388–392.CrossRefMathSciNetGoogle Scholar
 [DO85]Yvo Desmedt and Andrew Odlyzko, “A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes”, Advances in CryptologyCRYPTO 85, H.C. Williams ed., LNCS 218, SpringerVerlag, pp. 516–522.Google Scholar
 [EGS85]Shimon Even, Oded Goldreich and Adi Shamir, “On the security of pingpong protocols when implemented using the RSA”, Advances in CryptologyCRYPTO 85, H.C. Williams ed., LNCS 218, SpringerVerlag, pp. 58–72.Google Scholar
 [EvH92]JanHendrik Evertse, Eugène van Heyst, “Which new RSA signatures can be computed from certain given RSA signatures?”, Journal of Cryptology, 5 (1992), pp. 41–52.zbMATHCrossRefGoogle Scholar
 [KaBa79]R. Kannan and A. Bachem, “Polynomial algorithms for computing the Smith and Hermite normal forms of an integer matrix”, SIAM Journal on Computing, 8 (1979) pp. 499–507.zbMATHCrossRefMathSciNetGoogle Scholar
 [RSA78]R.L. Rivest, A. Shamir, and L. Adleman, A Method for Obtaining Digital Signatures and Public Key Cryptosystems, Comm. of the ACM 21 (1978) pp. 120–126.zbMATHCrossRefMathSciNetGoogle Scholar