From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
نویسندگان
چکیده
We show how to construct a practical secure signature padding scheme for arbitrarily long messages from a secure signature padding scheme for fixed-length messages. This new construction is based on a one-way compression function respecting the division intractability assumption. By practical, we mean that our scheme can be instantiated using dedicated compression functions and without chaining. This scheme also allows precomputations on partially received messages. Finally, we give an instantiation of our scheme using SHA-1 and PKCS #1 ver. 1.5.
منابع مشابه
From Fixed-Length to Arbitrary-Length RSA Padding Schemes
A common practice for signing with RSA is to first apply a hash function or a redundancy function to the message, add some padding and exponentiate the resulting padded message using the decryption exponent. This is the basis of several existing standards. In this paper we show how to build a secure padding scheme for signing arbitrarily long messages with a secure padding scheme for fixed-size...
متن کاملFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
To sign with RSA, one usually encodes the message m as μ(m) and then raises the result to the private exponent modulo N . In Asiacrypt 2000, Coron et al. showed how to build a secure RSA encoding scheme μ′(m) for signing arbitrarily long messages from a secure encoding scheme μ(m) capable of handling only fixed-size messages, without making any additional assumptions. However, their constructio...
متن کاملID-Based Sequential Aggregate Signatures
An aggregate signature provides a method for combining n signatures of n different messages from n different signers into one signature of unit length. The main benefit of such schemes is that they allow bandwidth and computational savings. There exist several trials for the construction of ID-based aggregate signature schemes so far. Unfortunately, the computational complexity and (or) signatu...
متن کاملSelective Forgery of RSA Signatures with Fixed-Pattern Padding
We present a practical selective forgery attack against RSA signatures with fixed-pattern padding shorter than two thirds of the modulus length. Our result extends the practical existential forgery of such RSA signatures that was presented at Crypto 2001. For an n-bit modulus the heuristic asymptotic runtime of our forgery is comparable to the time required to factor a modulus of only 9 64n bit...
متن کاملAttacking the Diebold Signature Variant – RSA Signatures with Unverified High-order Padding
We examine a natural but improper implementation of RSA signature verification deployed on the widely used Diebold Touch Screen and Optical Scan voting machines. In the implemented scheme, the verifier fails to examine a large number of the high-order bits of signature padding and the public exponent is three. We present an very mathematically simple attack that enables an adversary to forge si...
متن کامل