Attacks on Some RSA Signatures

  • Wiebren de Jonge
  • David Chaum
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 218)


Two simple redundancy schemes are shown to be inadequate in securing RSA signatures against attacks based on multiplicative properties. The schemes generalize the requirement that each valid message starts or ends with a fixed number of zero bits. Even though only messages with proper redundancy are signed, forgers are able to construct signatures on messages of their choice.


Blind Signature False Signature Actual Message Multiplicative Property Redundancy Property 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. (1).
    Chaum, D., “Security Without Identification: Transaction Systems to make Big Brother Obsolete,” Communications of the ACM, Vol. 22, No. 10, October 1985, pp. 1030–1044.CrossRefMathSciNetGoogle Scholar
  2. (2).
    Davida, G.I., “Chosen Signature Cryptanalysis of the RSA (MIT) Public Key Cryptosystem,” Technical Report TR-CS-82-2, University of Wisconsin, Milwaukee WI, October 1982.Google Scholar
  3. (3).
    de Jonge, W., “Attacks on RSA Signatures and Countermeasures,” in Security and Privacy in Information Systems: some technical aspects, Ph.D. Thesis, June 1985.Google Scholar
  4. (4).
    DeMillo, R.A. and Merritt, M.J., “Chosen Signature Cryptanalysis of Public Key Cryptosystems,” Technical Memorandum, School of Information and Computer Science, Georgia Institute of Technology, Atlanta GA, October 25, 1982.Google Scholar
  5. (5).
    Denning, D.E., “The Many-Time Pad: Theme and Variations” Proceedings of the 1983 Symposium on Security and Privacy, April 25–27, 1983; the relevant part also appeared as “Digital Signatures with RSA and Other Public-Key Cryptosystems,” Communications of the ACM, Vol. 27, No. 4, April 1984, pp. 388–392.Google Scholar
  6. (6).
    Knuth, D.E., The art of computer programming, Volume 2, Seminumerical Algorithms, Addison-Wesley, 1969.Google Scholar
  7. (7).
    Rivest, R.L., Shamir, A., and Adleman, L., “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM, Vol. 21, No. 2, February 1978, pp. 120–126.zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1986

Authors and Affiliations

  • Wiebren de Jonge
    • 1
  • David Chaum
    • 2
  1. 1.Department of Mathematics and Computer ScienceVrije UniversiteitAmsterdamThe Netherlands
  2. 2.Centre for Mathematics and Computer ScienceAmsterdamThe Netherlands

Personalised recommendations