Abstract
To sign with RSA, one usually encodes the message m as μ(m) and then raises the result to the private exponent modulo N. In Asiacrypt 2000, Coron et al. showed how to build a secure RSA encoding scheme μ′(m) for signing arbitrarily long messages from a secure encoding scheme μ(m) capable of handling only fixed-size messages, without making any additional assumptions. However, their construction required that the input size of μ be larger than the modulus size. In this paper we present a construction for which the input size of μ does not have to be larger than N. Our construction shows that the difficulty in building a secure encoding for RSA signatures is not in handling messages of arbitrary length, but rather in finding a secure encoding function for short messages, which remains an open problem in the standard model.
Chapter PDF
References
Arboit, G., Robert, J.-M.: From fixed-length messages to arbitrary-length messages practical RSA signature padding schemes. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 44–51. Springer, Heidelberg (2001)
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the First Annual Conference on Computer and Commmunications Security. ACM, New York (1993)
Bellare, M., Rogaway, P.: The exact security of digital signatures - how to sign with RSA and rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)
Canetti, R., Goldreich, O., Halevi, S.: The Random Oracle Methodology, Revisited. In: STOC 1998. ACM, New York (1998)
Coron, J.-S., Koeune, F., Naccache, D.: From fixed-length to arbitrary-length RSA padding schemes. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 90. Springer, Heidelberg (2000)
Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of computing 17(2), 281–308 (1988)
ISO/IEC 9796, Information technology - Security techniques - Digital signature scheme giving message recovery, Part 1: Mechanisms using redundancy (1999)
ISO/IEC 9796-2, Information technology - Security techniques - Digital signature scheme giving message recovery, Part 2: Mechanisms using a hash-function (1997)
Misarsky, J.-F.: How (Not) to design RSA signature schemes. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, p. 14. Springer, Heidelberg (1998)
Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. CACM 21 (1978)
RSA Laboratories, pkcs #1: RSA cryptography specifications, version 2.0 (September 1998)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Cathalo, J., Coron, JS., Naccache, D. (2005). From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited. In: Vaudenay, S. (eds) Public Key Cryptography - PKC 2005. PKC 2005. Lecture Notes in Computer Science, vol 3386. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30580-4_16
Download citation
DOI: https://doi.org/10.1007/978-3-540-30580-4_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-24454-7
Online ISBN: 978-3-540-30580-4
eBook Packages: Computer ScienceComputer Science (R0)