Another Look at Affine-Padding RSA Signatures

  • Jean-Sébastien Coron
  • David Naccache
  • Mehdi Tibouchi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7839)


Affine-padding RSA signatures consist of signing ω·m + α instead of the message m, for some fixed constants ω, α. A thread of publications progressively reduced the size of m for which affine signatures can be forged in polynomial time. The current bound is \(\log m \sim \frac{N}{3}\), where N is the bit-size of the RSA modulus. Improving this bound to \(\frac{N}{4}\) has been an elusive open problem for the past decade.

In this invited talk we consider a slightly different problem: instead of minimizing m’s size, we try to minimize its entropy. We show that affine-padding signatures on \(\frac{N}{4}\) entropy-bit messages can be forged in polynomial time. This problem has no direct cryptographic impact but helps to better understand how malleable the RSA function is. In addition, the techniques presented in this talk might constitute some progress towards a solution to the longstanding \(\frac{N}{4}\) forgery open problem.

We also exhibit a sub-exponential time technique (faster than factoring) for creating affine modular relations between strings containing three messages of size \(\frac{N}{4}\) and a fourth message of size \(\frac{3N}{8}\).

Finally, we show that \(\frac{N}{4}\)-relations can be obtained in specific scenarios, e.g. when one can pad messages with two independent patterns or when the modulus’ most significant bits can be chosen by the opponent.
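Why a modular relation between affine-padded values matters, as an added example that is not code from the paper: if four padded messages satisfy pad(m1)·pad(m2) ≡ pad(m3)·pad(m4) (mod N), the multiplicativity of the RSA function fixes the fourth signature once three are known. The toy 20-bit modulus, the constants ω = 1 and α = 0xF0000, the 8-bit message space, the four-message form of the relation and the exhaustive search are all assumptions constructed for illustration; the paper's techniques for finding relations at real sizes are not reproduced.

```python
from itertools import combinations

# Constructed toy key: a 20-bit modulus, for illustration only.
P, Q, E = 1009, 1013, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

# Constructed affine padding: fixed pattern in the high bits, 8-bit message.
OMEGA, ALPHA, MSG_BITS = 1, 0xF0000, 8


def pad(m):
    """Affine padding: omega*m + alpha (mod N)."""
    return (OMEGA * m + ALPHA) % N


def sign(m):
    """Signer's operation: e-th root of the padded message."""
    return pow(pad(m), D, N)


def verify(m, sig):
    """Verifier's check: sig^e must equal the padded message."""
    return pow(sig, E, N) == pad(m)


def find_relation():
    """Exhaustive search for distinct m1..m4 with
    pad(m1)*pad(m2) == pad(m3)*pad(m4) (mod N). Feasible only at toy size."""
    seen = {}
    for a, b in combinations(range(1 << MSG_BITS), 2):
        prod = pad(a) * pad(b) % N
        if prod in seen and not {a, b} & set(seen[prod]):
            return (a, b, *seen[prod])
        seen.setdefault(prod, (a, b))
    return None


def derive_signature(sig1, sig2, sig3):
    """sig(m4) = sig(m1)*sig(m2)/sig(m3) mod N, since x -> x^d is multiplicative."""
    return sig1 * sig2 * pow(sig3, -1, N) % N


if __name__ == "__main__":
    m1, m2, m3, m4 = find_relation()
    s4 = derive_signature(sign(m1), sign(m2), sign(m3))
    print((m1, m2, m3, m4), verify(m4, s4))
```

The verifier accepts the derived value because the padding adds no structure that multiplication destroys, which is the malleability the abstract refers to.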


Keywords: Polynomial Time; Failure Probability; Respective Size; Modular Relation; Random Tape
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Jean-Sébastien Coron (1)
  • David Naccache (2)
  • Mehdi Tibouchi (3)

  1. Université du Luxembourg, Luxembourg, Luxembourg
  2. Département d’informatique, École normale supérieure, Paris Cedex 05, France
  3. NTT Secure Platform Laboratories, Okamoto Research Laboratory, Musashino-shi, Japan
