On the Security of RSA Screening
Since many applications require the verification of large sets of signatures, it is sometimes advantageous to perform a simultaneous verification instead of checking each signature individually. The simultaneous processing, called batching, must be provably equivalent to the sequential verification of all signatures.
In eurocrypt’98, Bellare et al.  presented a fast RSA batch verification scheme, called screening. Here we successfully attack this algorithm by forcing it to accept a false signature and repair it by implementing an additional test.
KeywordsHash Function Signature Scheme Random Oracle Security Proof Random Oracle Model
Unable to display preview. Download preview PDF.
- 1.M. Bellare, J. Garray and T. Rabin, Fast batch verification for modular exponentiation and digital signatures, Advances in Cryptology-eurocrypt’98 Proceedings, Lecture Notes in Computer Science vol. 1403, K. Nyberged., Springer-Verlag, 1998. Full on-line version via http://www-cse.ucsd.edu/users/mihir, 1998.Google Scholar
- 2.M. Bellare, P. Rogaway, The exact security of digital signatures: How to sign with RSA and Rabin, Advances in Cryptology-eurocrypt’96 Proceedings, Lecture Notes in Computer Science vol. 1070, U. Maurer ed., Springer-Verlag, 1996.Google Scholar
- 3.M. Bellare, P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, First ACM Conference on computer and communications security, ACM, 1994.Google Scholar
- 4.G. Davida, Chosen signature cryptanalysis of the RSA (MIT) public-key cryptosystem, Technical report TR-CS-82-2, Department of EECS, University of Wisconsin, 1982.Google Scholar
- 6.D. Naccache, Unless modified Fiat-Shamir is insecure, Proceedings of the third symposium on state and progress of research in cryptography: SPRC’93, Fondazione Ugo Bordoni, W. Wolfowiczed., Roma, Italia, pp. 172–180, 1993.Google Scholar