Which new RSA Signatures can be Computed from RSA Signatures, Obtained in a Specific Interactive Protocol?
We consider certain interactive protocols, based on RSA. In these protocols, a signature authority Z (which chooses the RSA-modulus N that is kept fixed) issues a fixed number of RSA-signatures to an individual A. These RSA-signatures consist of products of rational powers of residue classes modulo N; some of these residue classes are chosen by Z and the others can be chosen freely by A. Thus, A can influence the form of the signatures that he gets from Z. A wants to choose his residue classes in such a way that he can use the signatures he gets from Z to compute a signature of a type not issued by Z.
A cannot compute RSA-roots on randomly chosen residue classes modulo N.
In his computations, A uses only multiplications and divisions modulo N.
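A textbook instance of the kind of computation described above, given as an added example that is not taken from the paper: from two issued roots x^(1/e1) and x^(1/e2) with coprime exponents, the root x^(1/(e1*e2)), which Z never issued, follows using only multiplications and divisions modulo N. The toy primes, exponents and function names are assumptions chosen for illustration.

```python
# Constructed toy parameters, far too small for real use; all names are illustrative.
P, Q = 1009, 1013            # Z's secret primes
N = P * Q                    # public RSA modulus, kept fixed
PHI = (P - 1) * (Q - 1)      # known only to Z


def z_root(x, e):
    """Z's operation: the RSA root x^(1/e) mod N (needs the factorisation of N)."""
    return pow(x, pow(e, -1, PHI), N)


def ext_gcd(a, b):
    """Return (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = ext_gcd(b, a % b)
    return g, v, u - (a // b) * v


def combine_roots(s1, e1, s2, e2):
    """A's computation: from s1 = x^(1/e1) and s2 = x^(1/e2), gcd(e1, e2) == 1,
    derive x^(1/(e1*e2)) without knowing PHI."""
    g, u, v = ext_gcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")
    # u*e1 + v*e2 = 1, so s2^u * s1^v = x^(u/e2 + v/e1) = x^(1/(e1*e2)).
    # A negative u or v makes pow() take a modular inverse, i.e. a division mod N.
    return pow(s2, u, N) * pow(s1, v, N) % N


def verifies(sig, x, e):
    """Public check that sig is an e-th root of x modulo N."""
    return pow(sig, e, N) == x % N


if __name__ == "__main__":
    x = 123456                                   # residue class chosen by A (constructed)
    s5, s13 = z_root(x, 5), z_root(x, 13)        # the two signatures Z issues
    s65 = combine_roots(s5, 5, s13, 13)          # a type Z never issued
    print("x^(1/65) verifies:", verifies(s65, x, 65))
```

A design in which Z issues roots of the same residue class under several exponents has to treat every root obtainable this way as issued.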