Cryptanalysis of RSA Signatures with Fixed-Pattern Padding
نویسندگان
چکیده
A fixed-pattern padding consists in concatenating to the message m a fixed pattern P . The RSA signature is then obtained by computing (P |m) mod N where d is the private exponent and N the modulus. In Eurocrypt ’97, Girault and Misarsky showed that the size of P must be at least half the size of N (in other words the parameter configurations |P | < |N |/2 are insecure) but the security of RSA fixedpattern padding remained unknown for |P | > |N |/2. In this paper we show that the size of P must be at least two-thirds of the size of N , i.e. we show that |P | < 2|N |/3 is insecure.
منابع مشابه
Selective Forgery of RSA Signatures with Fixed-Pattern Padding
We present a practical selective forgery attack against RSA signatures with fixed-pattern padding shorter than two thirds of the modulus length. Our result extends the practical existential forgery of such RSA signatures that was presented at Crypto 2001. For an n-bit modulus the heuristic asymptotic runtime of our forgery is comparable to the time required to factor a modulus of only 9 64n bit...
متن کاملFrom Fixed-Length to Arbitrary-Length RSA Padding Schemes
A common practice for signing with RSA is to first apply a hash function or a redundancy function to the message, add some padding and exponentiate the resulting padded message using the decryption exponent. This is the basis of several existing standards. In this paper we show how to build a secure padding scheme for signing arbitrarily long messages with a secure padding scheme for fixed-size...
متن کاملAttacking the Diebold Signature Variant – RSA Signatures with Unverified High-order Padding
We examine a natural but improper implementation of RSA signature verification deployed on the widely used Diebold Touch Screen and Optical Scan voting machines. In the implemented scheme, the verifier fails to examine a large number of the high-order bits of signature padding and the public exponent is three. We present an very mathematically simple attack that enables an adversary to forge si...
متن کاملAnother Look at Affine-Padding RSA Signatures
Affine-padding rsa signatures consist in signing ω · m + α instead of the message m for some fixed constants ω, α. A thread of publications progressively reduced the size of m for which affine signatures can be forged in polynomial time. The current bound is logm ∼ N 3 where N is the rsa modulus’ bit-size. Improving this bound to N 4 has been an elusive open problem for the past decade. In this...
متن کاملMaking RSA-PSS Provably Secure against Non-random Faults
RSA–CRT is the most widely used implementation for RSA signatures. However, deterministic and many probabilistic RSA signatures based on CRT are vulnerable to fault attacks. Nevertheless, Coron and Mandal (Asiacrypt 2009) show that the randomized PSS padding protects RSA signatures against random faults. In contrast, Fouque et al. (CHES 2012) show that PSS padding does not protect against certa...
متن کامل