Abstract
We consider certain interactive protocols, based on RSA. In these protocols, a signature authority Z (which chooses the RSA-modulus N that is kept fixed) issues a fixed number of RSA-signatures to an individual A. These RSA-signatures consist of products of rational powers of residue classes modulo N; some of these residue classes are chosen by Z and the others can be chosen freely by A. Thus, A can influence the form of the signatures that he gets from Z. A wants to choose his residue classes in such a way that he can use the signatures he gets from Z to compute a signature of a type not issued by Z.
In previous literature, some special cases of our protocols were considered, namely that only A chooses the residue classes ([Dav82], [Denn84], [DO85]) and that only Z chooses the residue classes [EvH92]. The results in our paper are used under the following assumptions:
- A cannot compute RSA-roots on randomly chosen residue classes modulo N.
- In his computations, A uses only multiplications and divisions modulo N.
Our main result gives a necessary and sufficient condition under which A is able to influence the signatures he gets from Z in such a way that he can use these RSA-signatures to compute a signature of a type not issued by Z. It turns out that this condition is equivalent to the solvability of a particular quadratic equation in integral matrices. We also study a particular case of this problem in more detail.
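The following is an added example, not code or a result from the paper: it shows the simplest well-known instance of the question, where A holds Z's roots x^(1/a) and x^(1/b) for coprime a and b and derives x^(1/(ab)), a root Z never issued, using only multiplications and divisions modulo N. The toy primes, the exponents and all function names are assumptions made for this illustration.

```python
# Added illustration; toy modulus constructed for this example (far too small for real use).
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)  # known to Z only


def z_issue_root(x, e):
    """Z's side: return x^(1/e) mod N. Needs PHI, so A cannot do this himself."""
    return pow(x, pow(e, -1, PHI), N)


def ext_gcd(a, b):
    """Return (g, u, v) with u*a + v*b == g."""
    if b == 0:
        return a, 1, 0
    g, u, v = ext_gcd(b, a % b)
    return g, v, u - (a // b) * v


def signed_pow(base, k):
    """base^k mod N for any integer k, using only multiplication and division mod N."""
    if k < 0:
        base, k = pow(base, -1, N), -k  # division modulo N
    return pow(base, k, N)


def combine_roots(sig_a, a, sig_b, b):
    """A's side: from x^(1/a) and x^(1/b) with gcd(a, b) == 1, derive x^(1/(a*b)).

    With u*a + v*b == 1: (x^(1/b))^u * (x^(1/a))^v = x^((u*a + v*b)/(a*b)).
    """
    g, u, v = ext_gcd(a, b)
    if g != 1:
        raise ValueError("exponents must be coprime for this combination")
    return signed_pow(sig_b, u) * signed_pow(sig_a, v) % N


def verify_root(sig, e, x):
    """Public check that sig is an e-th root of x modulo N."""
    return pow(sig, e, N) == x % N


if __name__ == "__main__":
    x = 123456  # constructed message residue, coprime to N
    s5, s13 = z_issue_root(x, 5), z_issue_root(x, 13)
    s65 = combine_roots(s5, 5, s13, 13)
    print("derived 65th root verifies:", verify_root(s65, 65, x))
```

For a signer, the practical consequence is that the set of roots handed out has to be treated as closed under such combinations when deciding what a signature of a given type is allowed to mean.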
This research has been made possible by a fellowship of the Royal Netherlands Academy of Arts and Sciences (K.N.A.W.)
References
George Davida, “Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem”, Tech. rept. TR-CS-82-2, Dept of Electrical Engineering and Computer Science, Univ. of Wisconsin, October 1982.
Dorothy Denning, “Digital signatures with RSA and other public-key cryptosystems”, Comm. of the ACM, 27 (1984) pp. 388–392.
Yvo Desmedt and Andrew Odlyzko, “A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes”, Advances in Cryptology-CRYPTO 85, H.C. Williams ed., LNCS 218, Springer-Verlag, pp. 516–522.
Shimon Even, Oded Goldreich and Adi Shamir, “On the security of ping-pong protocols when implemented using the RSA”, Advances in Cryptology-CRYPTO 85, H.C. Williams ed., LNCS 218, Springer-Verlag, pp. 58–72.
Jan-Hendrik Evertse, Eugène van Heyst, “Which new RSA signatures can be computed from certain given RSA signatures?”, Journal of Cryptology, 5 (1992), pp. 41–52.
R. Kannan and A. Bachem, “Polynomial algorithms for computing the Smith and Hermite normal forms of an integer matrix”, SIAM Journal on Computing, 8 (1979) pp. 499–507.
R.L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public Key Cryptosystems”, Comm. of the ACM, 21 (1978) pp. 120–126.
Copyright information
© 1993 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Evertse, JH., van Heyst, E. (1993). Which new RSA Signatures can be Computed from RSA Signatures, Obtained in a Specific Interactive Protocol?. In: Rueppel, R.A. (eds) Advances in Cryptology — EUROCRYPT’ 92. EUROCRYPT 1992. Lecture Notes in Computer Science, vol 658. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-47555-9_31
DOI: https://doi.org/10.1007/3-540-47555-9_31
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-56413-3
Online ISBN: 978-3-540-47555-2
eBook Packages: Springer Book Archive