1999 | OriginalPaper | Chapter
On the Security of RSA Padding
Authors : Jean-Sébastien Coron, David Naccache, Julien P. Stern
Published in: Advances in Cryptology — CRYPTO’ 99
Publisher: Springer Berlin Heidelberg
Included in: Professional Book Archive
Activate our intelligent search to find suitable subject content or patents.
Select sections of text to find matching patents with Artificial Intelligence. powered by
Select sections of text to find additional relevant content using AI-assisted search. powered by
This paper presents a new signature forgery strategy.The attack is a sophisticated variant of Desmedt-Odlyzko’s method [11] where the attacker obtains the signatures of m1, ..., mτ−1 and exhibits the signature of an mτ which was never submitted to the signer; we assume that all messages are padded by a redundancy function µ before being signed.Before interacting with the signer, the attacker selects µ smooth1µ(mi)-values and expresses µ(mτ) as amultiplicative combination of the padded strings µ(m1), ..., µ(mτ−1). The signature of mτ is then forged using the homomorphic property of RSA.For din ni-17.4, pkcs #1 v2.0 and ssl-3.02, the attack is only theoretical since it only applies to specific moduli and happens to be less efficient than factoring; therefore, the attack does not endanger any of these standards.