On the Security of RSA Padding

  • Jean-Sébastien Coron
  • David Naccache
  • Julien P. Stern
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1666)


This paper presents a new signature forgery strategy.

The attack is a sophisticated variant of Desmedt-Odlyzko’s method [11] where the attacker obtains the signatures of m 1, ..., m τ−1 and exhibits the signature of an m τ which was never submitted to the signer; we assume that all messages are padded by a redundancy function µ before being signed.

Before interacting with the signer, the attacker selects µ smooth1 µ(m i)-values and expresses µ(m τ) as amultiplicative combination of the padded strings µ(m 1), ..., µ(m τ−1). The signature of m τ is then forged using the homomorphic property of RSA.

For din ni-17.4, pkcs #1 v2.0 and ssl-3.02, the attack is only theoretical since it only applies to specific moduli and happens to be less efficient than factoring; therefore, the attack does not endanger any of these standards.


Random Oracle Gaussian Elimination Discrete Logarithm Message Recovery Multiplicative Combination 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    L. Adleman, A subexponential algorithm for the discrete logarithm problem with applications to cryptography, Proceedings of the IEEE 20-th Annual symposium on the foundations of computer science, pp. 55–60, 1979.Google Scholar
  2. 2.
    ANSI X9.31, Digital signatures using reversible public-key cryptography for the financial services industry (rDSA), 1998.Google Scholar
  3. 3.
    E. Bach and R. Peralta, Asymptotic semismoothness probabilities, Mathematics of computation, vol. 65, no. 216, pp. 1701–1715, 1996.zbMATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    O. Baudron and J. Stern, To pad or not to pad: does formatting degrade security?, 1999 RSA Data Security Conference proceeding book, 1999.Google Scholar
  5. 5.
    M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, Proceedings of the first annual conference on computer and communication security, acm, 1993.Google Scholar
  6. 6.
    M. Bellare and P. Rogaway, The exact security of digital signatures: how to sign with RSA and Rabin, Advances in cryptology eurocrypt’96, Springer-Verlag, Lectures notes in computer science 1070, pp. 399–416, 1996.Google Scholar
  7. 7.
    R. Brent, An improved Monte Carlo factorization algorithm, Nordisk Tidskrift for Informationsbehandling (bit) vol. 20, pp. 176–184, 1980.zbMATHMathSciNetGoogle Scholar
  8. 8.
    N. de Bruijn, On the number of positive integers ≤ x and free of prime factors ≥ y, Indagationes Mathematicae, vol. 13, pp. 50–60, 1951. (cf. as well to part II, vol. 28, pp. 236-247, 1966.).Google Scholar
  9. 9.
    G. Davida, Chosen signature cryptanalysis of the RSA (MIT) public-key cryptosystem, TR-CS-82-2, Department of electrical engineering and computer science, University of Wisconsin, Milwaukee, 1982.Google Scholar
  10. 10.
    D. Denning, Digital signatures with RSA and other public-key cryptosystems, Communications of the ACM, vol. 27-4, pp. 388–392, 1984.CrossRefMathSciNetGoogle Scholar
  11. 11.
    Y. Desmedt and A. Odlyzko. A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, Advances in cryptology crypto’85, Springer-Verlag, Lectures notes in computer science 218, pp. 516–522, 1986.Google Scholar
  12. 12.
    K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude, Arkiv for matematik, astronomi och fysik, vol. 22A, no. 10, pp. 1–14, 1930.Google Scholar
  13. 13.
    DIN NI-17.4, Specification of chipcard interface with digital signature application/function according to SigG and SigV, version 1.0, 1998.Google Scholar
  14. 14.
    J. Dixon, Asymptotically fast factorization of integers, Mathematics of computation, vol. 36, no. 153, pp. 255–260, 1981.zbMATHCrossRefMathSciNetGoogle Scholar
  15. 15.
    J. Evertse and E. van Heyst, Which new RSA-signatures can be computed from certain given RSA signatures?, Journal of cryptology vol. 5, no. 1, 41–52, 1992.zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    M. Girault, J.-F. Misarsky, Selective forgery of RSA signatures using redundancy, Advances in cryptology eurocrypt’97, Springer-Verlag, Lectures notes in computer science 1233, pp. 495–507, 1997.Google Scholar
  17. 17.
    J. Gordon, How to forge RSA key certificates, Electronic Letters, vol. 21, no. 9, April 25-th, 1985.Google Scholar
  18. 18.
    L. Guillou, J.-J. Quisquater, M. Walker, P. Landrock and C. Shaer, Precautions taken against various attacks in ISP/IEC DIS 9796, Advances in cryptology eurocrypt’90, Springer-Verlag, Lectures notes in computer science 473, pp. 465–473, 1991.Google Scholar
  19. 19.
    H. Halberstam, On integers whose prime factors are small, Proceedings of the London mathematical society, vol. 3, no. 21, pp. 102–107, 1970.CrossRefMathSciNetGoogle Scholar
  20. 20.
    K. Hickman, The SSL Protocol, December 1995. Available electronically at:
  21. 21.
    ISO/IEC 9796, Information technology-Security techniques-Digital signature scheme giving message recovery, Part 1: Mechanisms using redundancy, 1999.Google Scholar
  22. 22.
    ISO/IEC 9796-2, Information technology-Security techniques-Digital signature scheme giving message recovery, Part 2: Mechanisms using a hash-function, 1997.Google Scholar
  23. 23.
    ISO/IEC 10118-2, Information technology-Security techniques-Hashfunctions; Part 2: Hash functions using an n-bit block-cipher algorithm, 1994.Google Scholar
  24. 24.
    W. de Jonge and D. Chaum. Attacks on some RSA signatures, Advances in cryptology crypto’85, Springer-Verlag, Lectures notes in computer science 218, pp. 18–27, 1986.Google Scholar
  25. 25.
    A. Lenstra, Generating RSA moduli with a predetermined portion, Advances in cryptology asiacrypt’98, Springer-Verlag, Lectures notes in computer science 1514, pp. 1–10, 1998.Google Scholar
  26. 26.
    A. Lenstra, de auditu, January 1999.Google Scholar
  27. 27.
    A. Menezes, P. van Oorschot and S. Vanstone, Handbook of applied cryptography, crc Press.Google Scholar
  28. 28.
    M. Michels, M. Stadler and H.-M. Sun, On the security of some variants of the RSA signature scheme, Computer securityesorics’98, Springer-Verlag, Lectures notes in computer science 1485, pp. 85–96, 1998.Google Scholar
  29. 29.
    J.-F. Misarsky, A multiplicative attack using LLL algorithm on RSA signatures with redundancy, Advances in cryptology crypto’97, Springer-Verlag, Lectures notes in computer science 1294, pp. 221–234, 1997.Google Scholar
  30. 30.
    J.-F. Misarsky, How (not) to design RSA signature schemes, Public-key cryptography, Springer-Verlag, Lectures notes in computer science 1431, pp. 14–28, 1998.Google Scholar
  31. 31.
    National Institute of Standards and Technology, Secure hash standard, FIPS publication 180-1, April 1994.Google Scholar
  32. 32.
    J. Pollard, Factoring with cubic integers, The development of the number field sieve, Springer-Verlag, Lectures notes in computer science 1554, pp. 4–10, 1993.Google Scholar
  33. 33.
    C. Pomerance, The quadratic sieve factoring algorithm, Advances in cryptology eurocrypt’84, Springer-Verlag, Lectures notes in computer science 209, pp. 169–182, 1985.Google Scholar
  34. 34.
    R. Rivest, RFC 1321: The MD5 message-digest algorithm, Internet activities board, April 1992.Google Scholar
  35. 35.
    R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, vol. 21-2, pp. 120–126, 1978.CrossRefMathSciNetGoogle Scholar
  36. 36.
    RSA Laboratories, pkcs #1: RSA cryptography specifications, version 2.0, September 1998.Google Scholar
  37. 37.
    H. Williams, A modification of the RSA public key encryption procedure, IEEE TIT, vol. 26, pp. 726–729, 1980.zbMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Jean-Sébastien Coron
    • 1
    • 2
  • David Naccache
    • 2
  • Julien P. Stern
    • 3
    • 4
  1. 1.École Normale SupérieureParisFrance
  2. 2.Gemplus Card InternationalIssy-les-MoulineauxFrance
  3. 3.UCL Cryptography GroupBâtiment MaxwellLouvain-la-NeuveBelgium
  4. 4.Laboratoire de Recherche en InformatiqueUniversité de Paris-SudOrsayFrance

Personalised recommendations