Possible Attacks on RSA Signature

Cryptographic techniques, such as encipherment, digital signatures, key management and secret sharing schemes, are important building blocks in the implementation of all security services. In situations where there is not complete trust between sender and receiver, something more than authentication is needed. The most attractive solution to this problem is the digital signature. The digital signature is analogous to the handwritten signature. A hash code of a message is created using SHA-1. This message digest is encrypted using DSS or RSA with the sender's private key and included with the message. In this paper we present a brief account of the RSA signature and some possible attacks on it.


Integer Factorization
The problem of integer factorization is one of the oldest in number theory, and the advent of computers has stimulated considerable progress in recent years. However, the security of many cryptographic techniques depends upon the intractability of the integer factorization problem. A partial list of such schemes includes the RSA public-key encryption scheme and the RSA signature scheme. This section focuses on algorithms for the integer factorization problem.
Definition: The integer factorization problem is the following: given a positive integer $n$, find its prime factorization; i.e., write $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, where the $p_i$ are pairwise distinct primes and each $e_i > 1$.
This problem is believed to be hard for general $n$ when $n$ is large. Some ingenious methods have been devised in an attempt to factorize large composite numbers $n$. The three methods that are most effective on very large numbers are the quadratic sieve, the elliptic curve method and the number field sieve. Other well-known methods that were precursors include Pollard's rho-method and $p - 1$ method, Williams's $p + 1$ method, the continued fraction algorithm, and of course, trial division.

The RSA problem
The intractability of the RSA problem forms the basis for the security of the RSA public-key encryption scheme and the RSA signature scheme.
Definition: The RSA problem is the following: given a positive integer $n$ that is a product of two distinct odd primes $p$ and $q$, a positive integer $e$ such that $\gcd(e, (p-1)(q-1)) = 1$, and an integer $c$, find an integer $m$ such that $m^e \equiv c \pmod{n}$.
Clearly the RSA problem is no more difficult than factorization, since if $p$ and $q$ can be found then it is simple to find $m$.

RSA Public-key Cryptosystem
The RSA public-key cryptosystem was introduced in 1978, and may be used for both secrecy and digital signatures. The cryptosystem works in $\mathbb{Z}_n$, where $n$ is the product of two large primes $p$ and $q$, and its security is based on the difficulty of factoring $n$, that is, the integer factorization problem.
To use the RSA public-key cryptosystem, a user A first generates their public and secret keys by
(i) Generating two large distinct primes $p$ and $q$,
(ii) Computing $n = pq$ and $\varphi(n) = (p-1)(q-1)$, where $\varphi(n)$ is the Euler totient function,
(iii) Choosing a random integer $e$ such that $0 < e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$,
(iv) Using the Euclidean Algorithm to compute the unique integer $d$, where $0 < d < \varphi(n)$, such that $ed \equiv 1 \pmod{\varphi(n)}$, and
(v) Publishing the pair $(n, e)$ as the public key, and keeping $d$ as the private key.
RSA is an example of a block cipher, that is, a message is encrypted by being broken down into blocks (or strings) of a fixed length, and each block is encrypted individually. The plaintext and the ciphertext space are $P = C = \mathbb{Z}_n$. To encrypt a message block $m$ for user A, a user B
(i) Obtains A's authentic public key $(n, e)$,
(ii) Represents the message $m$ as an integer in the range $0, \ldots, n-1$,
(iii) Computes the ciphertext $E_K(m) = c = m^e \bmod n$, and
(iv) Transmits the ciphertext $c$ to user A.
To decrypt the ciphertext $c$, user A computes $D_K(c) = c^d \bmod n = m$.
RSA has the property that for any two distinct messages $m_1$ and $m_2$ with ciphertexts $c_1$ and $c_2$ respectively, the ciphertext of $m = m_1 \cdot m_2 \bmod n$ is $c \equiv m^e \equiv (m_1 \cdot m_2)^e \equiv m_1^e \, m_2^e \equiv c_1 \cdot c_2 \pmod{n}$.
This is often referred to as the homomorphic property of RSA.

RSA Signature
The RSA public-key cryptosystem can be used to provide digital signatures by reversing the roles of encryption and decryption as follows: A user A also generates their public and private keys exactly as in the RSA public-key cryptosystem. The set of users of signatures also need to agree on a hash function h. Then to generate a signature of a message m, user A

A. The RSA signature with message recovery
A user A also generates their public and private keys exactly as in the RSA public-key cryptosystem. The set of users of signatures agree on a redundancy function $R$. Then to generate a signature of a message $m$, user A
(i) Computes $M = R(m)$,
(ii) Computes $s = M^d \bmod n$, and
(iii) Outputs $s$ as the signature of $m$.
To verify the signature, a user B
(i) Obtains A's authentic public key $(n, e)$,
(ii) Computes $M' = s^e \bmod n$,
(iii) Verifies that $M'$ has the required redundancy, and
(iv) Recovers the message $m = R^{-1}(M')$.
Note that due to the homomorphic property of RSA, for any two distinct messages $m_1$ and $m_2$ with corresponding signatures $s_1$ and $s_2$ respectively, the signature of $m = m_1 \cdot m_2 \bmod n$ is $s = (m_1 \cdot m_2)^d \equiv m_1^d \cdot m_2^d \equiv s_1 \cdot s_2 \pmod{n}$.
In particular, for any message $m_1$ with signature $s_1$, the signature of $m = -m_1 \bmod n$ is $s = -s_1 \bmod n$. It is important, therefore, that the redundancy function $R$ is not multiplicative, that is, $R(m_1 \cdot m_2) \neq R(m_1) \cdot R(m_2)$.

Possible Attacks on RSA Signatures
The security of RSA signatures is based on the intractability of the integer factorization problem. RSA can be used as the basis of digital signatures with and without message recovery. Three possible attacks on the RSA signature scheme are as follows:

Factorization
If an adversary is able to factor the public modulus $n$ of some entity A, then the adversary can compute $\varphi(n)$ and then, using the extended Euclidean algorithm, deduce the private key $d$ from $\varphi(n)$ and the public exponent $e$ by solving $ed \equiv 1 \pmod{\varphi(n)}$. This constitutes a total break of the system. To guard against this, one must select $p$ and $q$ so that factoring $n$ is a computationally infeasible task.
Many algorithms have been proposed for factorization. The Pollard rho algorithm [7], the Pollard (p-1) algorithm [8] and Brent's method [9] are probabilistic, and may not finish, even for small values of N, but the trial division algorithm and the proposed method can finish for all trivial and nontrivial values of N, as shown in Table 1. This method is not probabilistic. To break RSA, we must find the two prime numbers whose product is equal to N, and finding those prime numbers by factoring N is very difficult. MFF finds the factors of N, namely P and Q, its respective prime factors. The steps involved in the method are as follows:
1. Let N = P*Q.
2. Compute X = ceil(sqrt(N)).
3. Compute Y = sqrt(X^2 - N).
4. If Y is an integer,
5. Compute P = X - Y and Q = X + Y. Stop.
6. Else X = X + 1, X + 2, …, X + 2*X, …, X + N.
7. Continue steps 3 to 6 till Y is an integer.
Example 1: Let N = 95.
Decimal number = 2
Number of bits = 7
Let factors = P, Q
Compute X = 10
Compute Y = 2.236 (is not an integer number). Go to step six.
X = 11, Y = 5.09 (is not an integer number). Go to step six.
X = 12, Y = 7 (is an integer number)
P = 5
Q = 19
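The procedure above can be written with exact integer arithmetic, since a floating-point test for "Y is integer" becomes unreliable once N exceeds the precision of a double. The following Python sketch is an added example, not code from the paper; the function name, the step budget and the sample moduli other than N = 95 are assumptions made for illustration. It shows that the number of candidate X values grows with the gap between P and Q, which is why key generation must not pick primes that are close together.

```python
from math import isqrt

def fermat_factor(n, max_steps=1_000_000):
    """Return (p, q, steps) with p * q == n, or None if the budget runs out.

    steps counts the candidate X values tried (steps 3 to 6 of the method).
    max_steps is a hypothetical work budget, not part of the paper's method.
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    x = isqrt(n)
    if x * x < n:
        x += 1                          # step 2: X = ceil(sqrt(N))
    for steps in range(1, max_steps + 1):
        y_squared = x * x - n           # step 3: Y^2 = X^2 - N
        y = isqrt(y_squared)
        if y * y == y_squared:          # step 4: exact integer test
            return x - y, x + y, steps  # step 5: P = X - Y, Q = X + Y
        x += 1                          # step 6: try the next X
    return None

if __name__ == "__main__":
    # The paper's Example 1: X = 10, 11, 12, so three candidates.
    print(fermat_factor(95))
    # Constructed sample: twin primes 10007 and 10009 fall on the first X.
    print(fermat_factor(10007 * 10009))
    # Constructed sample: factors far apart exhaust a small budget.
    print(fermat_factor(3 * 10007, max_steps=100))
```

When P and Q are far apart the loop needs roughly (P + Q)/2 - sqrt(N) candidates, so a modulus built from well-separated primes is not practically exposed to this method.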

Existential forgery
The basic idea behind RSA signatures is to compute $s = M^d \pmod{n}$, where $M$ is (some function of) the message. This means that an adversary can choose an arbitrary $s^*$ and compute $m^* = (s^*)^e \pmod{n}$ and claim $s^*$ is a valid signature on $m^*$. This is one reason why RSA signatures are always either of the form (a) $s = (h(m))^d \pmod{n}$, where $h$ is a one-way collision-resistant hash function, giving a signature with appendix, or (b) $s = (R(m))^d \pmod{n}$, where $R$ is a redundancy-adding function, giving a signature with message recovery for a message $m$ of limited length.

Multiplicative property of RSA
The RSA signature scheme (as well as the encryption scheme) has the following multiplicative property, sometimes referred to as the homomorphic property. If $s_1 = m_1^d \bmod n$ and $s_2 = m_2^d \bmod n$ are signatures on messages $m_1$ and $m_2$, respectively (or, more properly, on messages with redundancy added), then $s = s_1 s_2 \bmod n$ has the property that $s = (m_1 m_2)^d \bmod n$. If $m = m_1 m_2$ has the proper redundancy, then $s$ will be a valid signature for it. Hence, it is important that the redundancy function $R$ is not multiplicative, i.e., $R(m_1 m_2) \neq R(m_1) R(m_2)$. Alternatively, this homomorphism weakness of RSA can be eliminated by applying some one-way hash function $h$ to $m$ before signing $m$, as long as $h$ is not multiplicative.
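The existential forgery and the multiplicative property described in the two sections above can be checked side by side against raw signing ($s = m^d$) and hash-then-sign ($s = h(m)^d$). The following Python sketch is an added example, not code from the paper; the toy key, the sample messages, the value of $s^*$ and the use of SHA-256 reduced mod $n$ as $h$ are all assumptions made for illustration.

```python
import hashlib
from math import gcd

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)                      # e*d = 1 (mod phi(n))

def h(m):
    """Assumed stand-in for h: SHA-256 of the integer m, reduced mod N."""
    raw = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N

def sign_raw(m):
    return pow(m % N, D, N)              # s = m^d mod n, no hash, no redundancy

def verify_raw(m, s):
    return pow(s, E, N) == m % N

def sign_hashed(m):
    return pow(h(m), D, N)               # s = h(m)^d mod n

def verify_hashed(m, s):
    return pow(s, E, N) == h(m)

def compare_schemes():
    """Run each forgery from the text against both schemes; True means accepted."""
    m1, m2 = 1234567, 7654321            # constructed sample messages
    s_star = 0xC0FFEE                    # arbitrary value chosen by the forger
    m_star = pow(s_star, E, N)           # m* = (s*)^e mod n
    return {
        "raw_existential": verify_raw(m_star, s_star),
        "raw_product": verify_raw(m1 * m2 % N, sign_raw(m1) * sign_raw(m2) % N),
        "raw_negation": verify_raw(-m1 % N, -sign_raw(m1) % N),
        "hashed_honest": verify_hashed(m1, sign_hashed(m1)),
        "hashed_existential": verify_hashed(m_star, s_star),
        "hashed_product": verify_hashed(
            m1 * m2 % N, sign_hashed(m1) * sign_hashed(m2) % N),
    }

if __name__ == "__main__":
    for name, accepted in compare_schemes().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Raw signing accepts all three forged pairs, while the hashed variant accepts only the honestly signed message, because $h(m_1 m_2) \neq h(m_1) h(m_2)$ and finding a message whose hash equals $(s^*)^e$ requires inverting $h$.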

Conclusion
The security of RSA signatures is based on the intractability of the integer factorization problem. RSA can be used as the basis of digital signatures with and without message recovery. We have described general types of attack against the RSA signature. For RSA signatures the homomorphism property could only be used by a forger to forge a signature.