How (not) to design RSA signature schemes

  • Jean-François Misarsky
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1431)


The concept of public-key cryptography was invented in 1976 by Diffie and Hellman [DH]. The following year, Rivest, Shamir and Adleman provided an implementation of this idea [RSA]. The RSA signature, like any other signature, is message-dependent and signer-dependent. Thus, the recipient cannot modify the message and the signer cannot deny the validity of his signature. However, several attacks have appeared since. These attacks do not challenge RSA in itself but only the way to design a signature scheme based on it.


Keywords (added by machine, not by the authors): Hash Function, Signature Scheme, Random Oracle Model, Multiplicative Property, Digital Signature Scheme




  1. [BDL]
    E. Brickell and J. DeLaurentis, An Attack on a Signature Scheme Proposed by Okamoto and Shiraishi, Proc. of Crypto '85, Lecture Notes in Computer Science, vol. 218, Springer-Verlag, pp. 28–32.
  2. [BR]
    M. Bellare, P. Rogaway, The Exact Security of Digital Signatures — How to Sign with RSA and Rabin, Advances in Cryptology, Eurocrypt '96, LNCS 1070, 1996.
  3. [Co]
    D. Coppersmith, Analysis of ISO/CCITT Document X.509 Annex D, memorandum, IBM T.J. Watson Research Center, Yorktown Heights, N.Y., 10598, U.S.A., 11th June 1989.
  4. [Da]
    G. Davida, Chosen Signature Cryptanalysis of the RSA (MIT) Public Key Cryptosystem, Technical Report TR-CS-82-2, Department of Electrical Engineering and Computer Science, University of Wisconsin, Milwaukee, USA, October 1982.
  5. [De]
    D.E. Denning, Digital Signatures with RSA and other Public-key cryptosystems, Communications of the ACM 27, 4, April 1984, 388–392.
  6. [DH]
    W. Diffie, M. Hellman, New Directions in Cryptography, IEEE Trans. Inform. Theory IT-22, Nov. 1976, 644–654.
  7. [DJC]
    W. de Jonge, D. Chaum, Attacks on Some RSA Signatures, Advances in Cryptology, Crypto '85 proceedings, Lecture Notes in Computer Science, vol. 218, Springer-Verlag, Berlin, 1986, pp. 18–27.
  8. [DO]
    Y. Desmedt, A.M. Odlyzko, A Chosen Text Attack on RSA Cryptosystem and some Discrete Logarithm Schemes, Advances in Cryptology, Crypto '85 proceedings, Lecture Notes in Computer Science, vol. 218, Springer-Verlag, Berlin, 1986, pp. 516–522.
  9. [Gi]
    M. Girault, How to Forge RSA Key Certificates (even when adding redundancy), unpublished, personal communication.
  10. [Go]
    J. A. Gordon, How to Forge RSA Key Certificates, Electronics Letters, 25th April 1985, Vol. 21 N. 9.
  11. [GM]
    M. Girault, J.F. Misarsky, Selective Forgery of RSA Signatures Using Redundancy, Advances in Cryptology — Eurocrypt '97, Lecture Notes in Computer Science, vol. 1233, Springer-Verlag, pp. 495–507.
  12. [GQWLS]
    L.C. Guillou, J.J. Quisquater, M. Walker, P. Landrock, C. Shaer, Precautions taken against various potential attacks in ISO/IEC DIS 9796, Digital signature scheme giving message recovery, Eurocrypt '90 Proceedings, Lecture Notes in Computer Science, vol. 473, Springer-Verlag, pp. 465–473.
  13. [ISO]
    ISO/IEC 9796, Digital Signature Scheme Giving Message Recovery, December 1991.
  14. [ISO1]
    ISO/IEC JTC 1/SC 27, Digital Signature Schemes Giving Message Recovery; Part 2: Mechanisms using a hash function, Working Draft, January 1996.
  15. [ISO2]
    ISO/IEC 9796-3, Digital Signature Schemes Giving Message Recovery; Part 3: Mechanisms using a check-function, Working Draft, December 1996.
  16. [LLL]
    A. K. Lenstra, H. W. Lenstra, L. Lovász, Factoring Polynomials with Rational Coefficients, Mathematische Annalen, vol. 261, n. 4, 1982, pp. 515–534.
  17. [Mi]
    J. F. Misarsky, A Multiplicative Attack Using LLL Algorithm on RSA Signatures with Redundancy, Advances in Cryptology — Crypto '97, Lecture Notes in Computer Science, vol. 1294, Springer-Verlag, pp. 221–234.
  18. [OS]
    T. Okamoto, A. Shiraishi, A Fast Signature Scheme Based on Quadratic Inequalities, Proc. of the 1985 Symposium on Security and Privacy, April 1985, Oakland, CA.
  19. [P1]
    RSA Laboratories, PKCS #1: RSA Encryption Standard, Version 1.5, November 1993.
  20. [RSA]
    R.L. Rivest, A. Shamir, L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, MIT Laboratory for Computer Science, Technical Memo LCS/TM82, Cambridge, Massachusetts, 4/4/77. Also Comm. ACM, Vol. 21, N. 2, Feb 1978.

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Jean-François Misarsky
    • 1
  1. Branche Développement, Centre National d'Etudes des Télécommunications, France Télécom, Caen Cedex, France
