Selective Forgery of RSA Signatures with Fixed-Pattern Padding
Authors
Abstract
We present a practical selective forgery attack against RSA signatures with fixed-pattern padding shorter than two thirds of the modulus length. Our result extends the practical existential forgery of such RSA signatures that was presented at Crypto 2001. For an n-bit modulus the heuristic asymptotic runtime of our forgery is comparable to the time required to factor a modulus of only (9/64)n bits. Thus, the security provided by short fixed-pattern padding is negligible compared to the security it is supposed to provide.
Similar resources
Cryptanalysis of RSA Signatures with Fixed-Pattern Padding
A fixed-pattern padding consists in concatenating to the message m a fixed pattern P. The RSA signature is then obtained by computing (P|m)^d mod N where d is the private exponent and N the modulus. In Eurocrypt ’97, Girault and Misarsky showed that the size of P must be at least half the size of N (in other words the parameter configurations |P| < |N|/2 are insecure) but the security of RSA ...
Another Look at Affine-Padding RSA Signatures
Affine-padding RSA signatures consist in signing ω · m + α instead of the message m for some fixed constants ω, α. A thread of publications progressively reduced the size of m for which affine signatures can be forged in polynomial time. The current bound is log m ∼ N/3 where N is the RSA modulus’ bit-size. Improving this bound to N/4 has been an elusive open problem for the past decade. In this...
From Fixed-Length to Arbitrary-Length RSA Padding Schemes
A common practice for signing with RSA is to first apply a hash function or a redundancy function to the message, add some padding and exponentiate the resulting padded message using the decryption exponent. This is the basis of several existing standards. In this paper we show how to build a secure padding scheme for signing arbitrarily long messages with a secure padding scheme for fixed-size...
On the Security of RSA Padding
This paper presents a new signature forgery strategy. The attack is a sophisticated variant of Desmedt-Odlyzko’s method [11] where the attacker obtains the signatures of m_1, ..., m_{τ−1} and exhibits the signature of an m_τ which was never submitted to the signer; we assume that all messages are padded by a redundancy function μ before being signed. Before interacting with the signer, the attack...
Attacking the Diebold Signature Variant – RSA Signatures with Unverified High-order Padding
We examine a natural but improper implementation of RSA signature verification deployed on the widely used Diebold Touch Screen and Optical Scan voting machines. In the implemented scheme, the verifier fails to examine a large number of the high-order bits of signature padding and the public exponent is three. We present a very mathematically simple attack that enables an adversary to forge si...