Abstract
At Crypto ’85, Desmedt and Odlyzko described a chosen-ciphertext attack against plain RSA encryption. The technique can also be applied to RSA signatures and enables an existential forgery under a chosen-message attack. The potential of this attack remained untapped until a twist in the technique made it effective against two very popular RSA signature standards, namely ISO/IEC 9796-1 and ISO/IEC 9796-2. Following these attacks, ISO/IEC 9796-1 was withdrawn and ISO/IEC 9796-2 amended. In this paper, we explain in detail Desmedt and Odlyzko’s attack as well as its application to the cryptanalysis of ISO/IEC 9796-2.
References
E. R. Canfield, P. Erdős and C. Pomerance, On a problem of Oppenheim concerning ‘Factorisatio Numerorum’, J. Number Th., Vol. 17 (1983) pp. 1–28.
D. Coppersmith, S. Halevi and C. Jutla, ISO 9796-1 and the new forgery strategy, Research contribution to P1363, (1999) available at http://grouper.ieee.org/groups/1363/contrib.html
J. S. Coron, D. Naccache and J. P. Stern, On the security of RSA Padding, In Proceedings of Crypto ’99, LNCS Vol. 1666 (1999) Springer-Verlag, pp. 1–18.
Y. Desmedt and A. Odlyzko. A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes, In Proceedings of Crypto ’85, LNCS Vol. 218, pp. 516–522.
K. Dickman, On the frequency of numbers containing prime factors of a certain relative magnitude, Arkiv för matematik, astronomi och fysik, Vol. 22A, No. 10 (1930) pp. 1–14.
ISO/IEC 9796, Information technology – Security techniques – Digital signature scheme giving message recovery, Part 1: Mechanisms using redundancy (1999).
ISO/IEC 9796-2, Information technology – Security techniques – Digital signature scheme giving message recovery, Part 2: Mechanisms using a hash-function (1997).
C. Lanczos, An iterative method for the solution of the eigenvalue problem of linear differential and integral operator, J. Res. Nat. Bur. Standards, Vol. 45 (1950) pp. 255–282.
A. K. Lenstra and H. W. Lenstra Jr., The Development of the Number Field Sieve, Springer-Verlag, Berlin (1993).
H. Lenstra Jr., Factoring integers with elliptic curves, Ann. of Math., Vol. 126, No. 2 (1987) pp. 649–673.
J.-F. Misarsky, How (not) to design RSA signature schemes, Public-key cryptography, Lecture Notes in Computer Science, Vol. 1431, Springer-Verlag, (1998) pp. 14–28.
C. Pomerance, The Quadratic Sieve Factoring Algorithm, In Advances in Cryptology, Proceedings of Eurocrypt ’84. Springer-Verlag (1985) pp. 169–182.
R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, CACM, Vol. 21 (1978).
Additional information
Communicated by: P. Wild
AMS Classification: 11T71, 14G50, 94A60
Cite this article
Coron, JS., Naccache, D., Desmedt, Y. et al. Index Calculation Attacks on RSA Signature and Encryption. Des Codes Crypt 38, 41–53 (2006). https://doi.org/10.1007/s10623-004-5660-y