On the Security of RSA Padding

This paper presents a new signature forgery strategy.The attack is a sophisticated variant of Desmedt-Odlyzko’s method [11] where the attacker obtains the signatures of m₁, ..., m_τ−1 and exhibits the signature of an m_τ which was never submitted to the signer; we assume that all messages are padded by a redundancy function µ before being signed.Before interacting with the signer, the attacker selects µ smooth1µ(m_i)-values and expresses µ(m_τ) as amultiplicative combination of the padded strings µ(m₁), ..., µ(m_τ−1). The signature of m_τ is then forged using the homomorphic property of RSA.For din ni-17.4, pkcs #1 v2.0 and ssl-3.02, the attack is only theoretical since it only applies to specific moduli and happens to be less efficient than factoring; therefore, the attack does not endanger any of these standards.