Attacks on Some RSA Signatures
Two simple redundancy schemes are shown to be inadequate in securing RSA signatures against attacks based on multiplicative properties. The schemes generalize the requirement that each valid message starts or ends with a fixed number of zero bits. Even though only messages with proper redundancy are signed, forgers are able to construct signatures on messages of their choice.
Keywords: Blind Signature, False Signature, Actual Message, Multiplicative Property, Redundancy Property
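The following is an added example, not taken from the paper: a toy raw-RSA signer that enforces a "low T bits are zero" redundancy rule, showing that the rule is preserved by the multiplicative property, so a verifier accepts a message the signer never processed. The key, the value of T, and all function names are assumptions chosen for illustration, and only the basic property is shown, not the paper's constructions.

```python
# Toy parameters, constructed for illustration; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1          # two Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)
T = 16                               # redundancy rule: low T bits are zero


def has_redundancy(m: int) -> bool:
    """The validity check applied by both signer and verifier."""
    return 0 < m < N and m % (1 << T) == 0


def sign(m: int) -> int:
    """Raw RSA signature; the signer refuses messages without redundancy."""
    if not has_redundancy(m):
        raise ValueError("message lacks required redundancy")
    return pow(m, D, N)


def verify(m: int, s: int) -> bool:
    """Accept only if the redundancy holds and s^E mod N equals m."""
    return has_redundancy(m) and pow(s, E, N) == m


def demo():
    # Two messages the signer legitimately signs (constructed values).
    m1, m2 = 0x1234 << T, 0x00AB << T
    s1, s2 = sign(m1), sign(m2)
    # (m1^D * m2^D) mod N == (m1*m2)^D mod N, and a product of two
    # multiples of 2^T is again a multiple of 2^T (no wrap here: m1*m2 < N).
    m3 = (m1 * m2) % N
    s3 = (s1 * s2) % N
    return m3, s3, verify(m3, s3)


if __name__ == "__main__":
    m3, s3, ok = demo()
    print(f"never-signed message {m3:#x} verifies: {ok}")
```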