On the Security of RSA Screening

  • Jean -Sebastien Coron
  • David Naccache
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1560)


Since many applications require the verification of large sets of signatures, it is sometimes advantageous to perform a simultaneous verification instead of checking each signature individually. The simultaneous processing, called batching, must be provably equivalent to the sequential verification of all signatures.

In eurocrypt’98, Bellare et al. [1] presented a fast RSA batch verification scheme, called screening. Here we successfully attack this algorithm by forcing it to accept a false signature and repair it by implementing an additional test.


Hash Function Signature Scheme Random Oracle Security Proof Random Oracle Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    M. Bellare, J. Garray and T. Rabin, Fast batch verification for modular exponentiation and digital signatures, Advances in Cryptology-eurocrypt’98 Proceedings, Lecture Notes in Computer Science vol. 1403, K. Nyberged., Springer-Verlag, 1998. Full on-line version via, 1998.Google Scholar
  2. 2.
    M. Bellare, P. Rogaway, The exact security of digital signatures: How to sign with RSA and Rabin, Advances in Cryptology-eurocrypt’96 Proceedings, Lecture Notes in Computer Science vol. 1070, U. Maurer ed., Springer-Verlag, 1996.Google Scholar
  3. 3.
    M. Bellare, P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, First ACM Conference on computer and communications security, ACM, 1994.Google Scholar
  4. 4.
    G. Davida, Chosen signature cryptanalysis of the RSA (MIT) public-key cryptosystem, Technical report TR-CS-82-2, Department of EECS, University of Wisconsin, 1982.Google Scholar
  5. 5.
    C. Lim & P. Lee, Security of interactive DSA batch verification, Electronic Letters, vol. 30, no. 19, pp. 1592–1593, 1994.CrossRefGoogle Scholar
  6. 6.
    D. Naccache, Unless modified Fiat-Shamir is insecure, Proceedings of the third symposium on state and progress of research in cryptography: SPRC’93, Fondazione Ugo Bordoni, W. Wolfowiczed., Roma, Italia, pp. 172–180, 1993.Google Scholar
  7. 7.
    D. Naccache, D. M’raïhi, S. Vaudenay & D. Raphaeli, Can DSA be improved? Complexity trade-offs with the digital signature standard, Advances in Cryptology-eurocrypt94 Proceedings, Lecture Notes in Computer Science vol. 950, A. de Santised., Springer-Verlag, pp. 77–85, 1995.CrossRefGoogle Scholar
  8. 8.
    R. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, vol. 21, pp. 120–126, 1978.zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Jean -Sebastien Coron
    • 1
    • 2
  • David Naccache
    • 2
  1. 1.Ecole Normale SuperieureParisFrance
  2. 2.Gemplus Card InternationalIssy-les-MoulineauxFrance

Personalised recommendations