From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

  • Julien Cathalo
  • Jean-Sébastien Coron
  • David Naccache
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3386)


To sign with RSA, one usually encodes the message m as μ(m) and then raises the result to the private exponent modulo N. In Asiacrypt 2000, Coron et al. showed how to build a secure RSA encoding scheme μ′(m) for signing arbitrarily long messages from a secure encoding scheme μ(m) capable of handling only fixed-size messages, without making any additional assumptions. However, their construction required that the input size of μ be larger than the modulus size. In this paper we present a construction for which the input size of μ does not have to be larger than N. Our construction shows that the difficulty in building a secure encoding for RSA signatures is not in handling messages of arbitrary length, but rather in finding a secure encoding function for short messages, which remains an open problem in the standard model.


Encode Scheme Signature Scheme Random Oracle Input Size Random Oracle Model 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Arboit, G., Robert, J.-M.: From fixed-length messages to arbitrary-length messages practical RSA signature padding schemes. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 44–51. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the First Annual Conference on Computer and Commmunications Security. ACM, New York (1993)Google Scholar
  3. 3.
    Bellare, M., Rogaway, P.: The exact security of digital signatures - how to sign with RSA and rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)Google Scholar
  4. 4.
    Canetti, R., Goldreich, O., Halevi, S.: The Random Oracle Methodology, Revisited. In: STOC 1998. ACM, New York (1998)Google Scholar
  5. 5.
    Coron, J.-S., Koeune, F., Naccache, D.: From fixed-length to arbitrary-length RSA padding schemes. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 90. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  6. 6.
    Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of computing 17(2), 281–308 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    ISO/IEC 9796, Information technology - Security techniques - Digital signature scheme giving message recovery, Part 1: Mechanisms using redundancy (1999)Google Scholar
  8. 8.
    ISO/IEC 9796-2, Information technology - Security techniques - Digital signature scheme giving message recovery, Part 2: Mechanisms using a hash-function (1997)Google Scholar
  9. 9.
    Misarsky, J.-F.: How (Not) to design RSA signature schemes. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, p. 14. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  10. 10.
    Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. CACM 21 (1978)Google Scholar
  11. 11.
    RSA Laboratories, pkcs #1: RSA cryptography specifications, version 2.0 (September 1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Julien Cathalo
    • 1
  • Jean-Sébastien Coron
    • 2
  • David Naccache
    • 2
    • 3
  1. 1.UCL Crypto GroupLouvain-la-NeuveBelgium
  2. 2.Gemplus Card InternationalIssy-les-MoulineauxFrance
  3. 3.Royal HollowayUniversity of London, Information Security GroupEgham, SurreyUK

Personalised recommendations