Another Look at Affine-Padding RSA Signatures

  • Conference paper
Information Security and Cryptology – ICISC 2012 (ICISC 2012)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7839)

Abstract

Affine-padding RSA signatures consist of signing ω·m + α instead of the message m for some fixed constants ω, α. A thread of publications progressively reduced the size of m for which affine signatures can be forged in polynomial time. The current bound is \(\log m \sim \frac{N}{3}\) where N is the RSA modulus’ bit-size. Improving this bound to \(\frac{N}{4}\) has been an elusive open problem for the past decade.

In this invited talk we consider a slightly different problem: instead of minimizing m’s size we try to minimize its entropy. We show that affine-padding signatures on \(\frac{N}{4}\) entropy-bit messages can be forged in polynomial time. This problem has no direct cryptographic impact but helps to better understand how malleable the RSA function is. In addition, the techniques presented in this talk might constitute some progress towards a solution to the longstanding \(\frac{N}{4}\) forgery open problem.

We also exhibit a sub-exponential time technique (faster than factoring) for creating affine modular relations between strings containing three messages of size \(\frac{N}{4}\) and a fourth message of size \(\frac{3N}{8}\).

Finally, we show that \(\frac{N}{4}\)-relations can be obtained in specific scenarios, e.g. when one can pad messages with two independent patterns or when the modulus’ most significant bits can be chosen by the opponent.

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Coron, JS., Naccache, D., Tibouchi, M. (2013). Another Look at Affine-Padding RSA Signatures. In: Kwon, T., Lee, MK., Kwon, D. (eds) Information Security and Cryptology – ICISC 2012. ICISC 2012. Lecture Notes in Computer Science, vol 7839. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37682-5_2

  • DOI: https://doi.org/10.1007/978-3-642-37682-5_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-37681-8

  • Online ISBN: 978-3-642-37682-5

  • eBook Packages: Computer Science (R0)