On the Security of RSA Padding
Authors
Abstract
This paper presents a new signature forgery strategy. The attack is a sophisticated variant of Desmedt-Odlyzko’s method [11] where the attacker obtains the signatures of $m_1, \ldots, m_{\tau-1}$ and exhibits the signature of an $m_\tau$ which was never submitted to the signer; we assume that all messages are padded by a redundancy function $\mu$ before being signed. Before interacting with the signer, the attacker selects $\tau$ smooth $\mu(m_i)$ values and expresses $\mu(m_\tau)$ as a multiplicative combination of the padded strings $\mu(m_1), \ldots, \mu(m_{\tau-1})$. The signature of $m_\tau$ is then forged using the homomorphic property of RSA. A padding format that differs from ISO 9796-1 by one single bit was broken experimentally (we emphasize that we could not extend our attack to ISO 9796-1); for ISO 9796-2 the attack is more demanding but still much more efficient than collision-search or factoring. For DIN NI-17.4, PKCS #1 v2.0 and SSL-3.02, the attack is only theoretical since it only applies to specific moduli and happens to be less efficient than factoring; therefore, the attack does not endanger any of these standards.
Similar resources
Simplified OAEP for the RSA and Rabin Functions
Optimal Asymmetric Encryption Padding (OAEP) is a technique for converting the RSA trapdoor permutation into a chosen ciphertext secure system in the random oracle model. OAEP padding can be viewed as two rounds of a Feistel network. We show that for the Rabin and RSA trapdoor functions a much simpler padding scheme is sufficient for chosen ciphertext security in the random oracle model. We sho...
Selective Forgery of RSA Signatures with Fixed-Pattern Padding
We present a practical selective forgery attack against RSA signatures with fixed-pattern padding shorter than two thirds of the modulus length. Our result extends the practical existential forgery of such RSA signatures that was presented at Crypto 2001. For an n-bit modulus the heuristic asymptotic runtime of our forgery is comparable to the time required to factor a modulus of only $\frac{9}{64}n$ bit...
Cryptanalysis of RSA Signatures with Fixed-Pattern Padding
A fixed-pattern padding consists in concatenating to the message $m$ a fixed pattern $P$. The RSA signature is then obtained by computing $(P|m)^d \bmod N$ where $d$ is the private exponent and $N$ the modulus. In Eurocrypt ’97, Girault and Misarsky showed that the size of $P$ must be at least half the size of $N$ (in other words the parameter configurations $|P| < |N|/2$ are insecure) but the security of RSA ...
Universal Padding Schemes for RSA
A common practice to encrypt with RSA is to first apply a padding scheme to the message and then to exponentiate the result with the public exponent; an example of this is OAEP. Similarly, the usual way of signing with RSA is to apply some padding scheme and then to exponentiate the result with the private exponent, as for example in PSS. Usually, the RSA modulus used for encrypting is differen...
Statistical Properties of Short RSA Distribution and Their Cryptographic Applications
In this paper, we study some computational security assumptions involved in two cryptographic applications related to the RSA cryptosystem. To this end, we use exponential sums to bound the statistical distances between these distributions and the uniform distribution. We are interested in studying the k least (or most) significant bits of x mod N, where N is an RSA modulus when x is restricted to...
Making RSA-PSS Provably Secure against Non-random Faults
RSA–CRT is the most widely used implementation for RSA signatures. However, deterministic and many probabilistic RSA signatures based on CRT are vulnerable to fault attacks. Nevertheless, Coron and Mandal (Asiacrypt 2009) show that the randomized PSS padding protects RSA signatures against random faults. In contrast, Fouque et al. (CHES 2012) show that PSS padding does not protect against certa...