Which new RSA signatures can be computed from some given RSA signatures?

extended abstract
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 473)


We consider protocols in which a signature authority issues RSA-signatures to an individual. These signatures are in general products of rational powers of residue classes modulo the composite number of the underlying RSA-system. These residue classes are chosen at random by the signature authority. Assuming that it is infeasible for the individual to compute RSA-roots on randomly chosen residue classes by himself, we give, as a consequence of our main theorem, necessary and sufficient conditions describing whether it is feasible for the individual to compute RSA-signatures of a prescribed type from signatures of other types that he received before from the authority.

Key words

RSA scheme RSA signature cryptographic protocol 


  1. [CBHMS89]
    David Chaum, Bert den Boer, Eugène van Heyst, Stig Mjølsnes and Adri Steenbeek, “Efficient Offline Electronic Checks”, to appear in Advances in Cryptology-EUROCRYPT’ 89, Lecture Notes in Computer Science, Springer-Verlag.Google Scholar
  2. [CE86]
    David Chaum and Jan-Hendrik Evertse, “A secure and privacy-protecting protocol for transmitting personal information between organizations”, Advances in Cryptology-CRYPTO’ 86, A.M. Odlyzko ed., Lecture Notes in Computer Science 263, Springer-Verlag,. pp 118–167.CrossRefGoogle Scholar
  3. [Gill77]
    John Gill, “Computational Complexity of Probabilistic Turing Machines”, SIAM L. Comp. 6 (1977) pp. 675–695.zbMATHCrossRefGoogle Scholar
  4. [Has85]
    Johan Hastad, “On using RSA with low exponent in a public key network”, Advances in Cryptology-CRYPTO’ 85, H.C. Williams ed., Lecture Notes in Computer Science 218, Springer-Verlag,.pp403–408.Google Scholar
  5. [Heg1858]
    I. Heger, “Über die Auflösung eines Systemes von mehreren unbestimmten Gleichungen des ersten Grades in ganzen Zahlen”, Denkschriften der Königlichen Akademie der Wissenschaften (Wien), Mathematischnaturwissenschaftliche Klasse 14 (2. Abth.) (1858) pp1–122.Google Scholar
  6. [KaBa79]
    R. Kannan and A. Bachem, “Polynomial algorithms for computing the Smith and Hermite normal forms of an integer matrix”, SIAM Journal on Computing, 8 (1979) pp 499–507.MathSciNetzbMATHCrossRefGoogle Scholar
  7. [OO89]
    Tatsuaki Okamoto and Kazuo Ohta, “Disposable Zero-Knowledge Authentications and Their Applications to Untraceable Electronic Cash”, to appear in Advances in Cryptology-CRYPTO’ 89, Lecture Notes in Computer Science, Springer-Verlag.Google Scholar
  8. [RSA78]
    R.L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public Key Cryptosystems”, Comm. of the ACM 21 (1978) pp 120–126.MathSciNetzbMATHCrossRefGoogle Scholar
  9. [Schr86]
    Alexander Schrijver, Theory of Linear and Integer Programming, John Wiley & Sons, 1986.Google Scholar
  10. [Sh83]
    Adi Shamir, “On the Generation of Cryptographically Strong Pseudorandom Sequences”, ACM Trans. on Computer Systems, 1 (1983) pp 38–44.CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1991

Authors and Affiliations

  1. 1.Department of Mathematics and Computer ScienceUniversity of LeidenLeidenThe Netherlands
  2. 2.CWI Centre for Mathematics and Computer ScienceAmsterdamThe Netherlands

Personalised recommendations