RSA-PADDING SIGNATURES WITH ATTACK STUDIES
George Stephanides
Department of Applied Informatics, University of Macedonia
156 Egnatia Street, 540 06 Thessaloniki, GREECE
Nicolae Constantinescu, Mirel Cosulschi, Mihai Gabroveanu
Department of Informatics, University of Craiova
13 A.I. Cuza Street, 200585 Craiova, ROMANIA
Keywords:
RSA cryptosystem, digital signature, fixed pattern padding.
Abstract:
A fixed-pattern padding consists in concatenating to the message m a fixed pattern P. An RSA signature for the
padding P and message m is obtained by raising the message m and the padding P to the private decryption
exponent d. In this paper we prove that the security of RSA fixed-pattern padding is insecure for messages at
least two-thirds of the size of n, the RSA public modulus.
1 INTRODUCTION
RSA is a cryptosystem invented in 1977 by Rivest,
Shamir and Adleman (Rivest et al., 1978). It is now
the most widely used cryptosystem because its sim-
ple underlying mathematics, based on number theory
which was known back at least 150 years ago. Com-
mon uses of RSA are: privacy, data protection, digi-
tal signatures, authenticity and security of data trans-
ferred between web servers.
RSA uses an encryption exponent denoted by e,a
decryption exponent denoted by d, and the modulus
denoted by n. To sign a message m using RSA a
user must first compute its hash value using a hash
function and this is due to the slowness in computa-
tion when signing the entire message. This is rather a
standard procedure recommended by PKCS #1 v. 2.0,
RSA Laboratories (Network Working Group, 1998).
So, a signature of RSA would be obtained as
s =(H(m))
d
(mod n)
Observe the use of d; this exponent is also called
the private exponent, which means it is the private
key of a user in an RSA cryptosystem. By applying
the power d to the hash of the message we obtain a
fixed length signature which can be verified by any-
one, computing
s
e
= H
(m)
d·e
= H
(m)(mod n)
This way the verifier obtains the hash value con-
tained in the signature, by computing the hash for the
message m and comparing H
with H obtained from
m he can be certain that the message was truly signed
by the right person.
This paper considers RSA signatures without the
use of hash functions but with fixed pattern padding.
This means that if someone wishes to sign a message
m, he adds a padding P to the message and then ob-
tains a signature by computing
s =(P | m)
d
(mod n)
The more general case is where RSA signatures in
which a simple affine redundancy is used. To sign a
message m, the signer first computes
R(m)=ω · m + a (1)
where
ω is the multiplicative redundancy
a is the additive redundancy
(2)
Considering the above representation a message m
would be signed as
s = R(m)
d
(mod n)
97
Stephanides G., Constantinescu N., Cosulschi M. and Gabroveanu M. (2006).
RSA-PADDING SIGNATURES WITH ATTACK STUDIES.
In Proceedings of WEBIST 2006 - Second International Conference on Web Information Systems and Technologies - Internet Technology / Web
Interface and Applications, pages 97-100
DOI: 10.5220/0001249100970100
Copyright
c
SciTePress
A left-padded redundancy scheme P | m is ob-
tained by taking ω =1and a = P · 2
l
, whereas a
right-padding redundancy scheme m | P is obtained
by taking ω =2
l
and a = P .
Previous attacks by De Jonge and Chaum (Jonge
and Chaum, 1986), and Girault and Misarksy (Gi-
rault and Misarksy, 1997) were multiplicative attacks
against RSA signatures with affine redundancy (see
(Misarsky, 1998) for a complete report) and their at-
tacks were based on the extended Euclidean algo-
rithm. De Jonge and Chaum (Jonge and Chaum,
1986) presented a multiplicative attack for which ω =
1, and the size of the message m was at least two
thirds of the RSA modulus n
| m |
2
3
| n |
The first attack was extended by Girault and Mis-
arksy (Girault and Misarksy, 1997); they succeeded in
reducing the size of the message at
1
2
of the modulus
n, and their attack applies to any value ω and a,so
| m |
1
2
| n |
Girault and Misarsky also extended the multiplica-
tive attacks to RSA signatures with modular redun-
dancy
R(m)
d
= ω
1
· m + ω
2
· (m mod b)+a (3)
where ω
1
2
are the multiplicative redundancies, a is
the additive redundancy and b is the modular redun-
dancy.
In this paper we extend Girault and Misarsky’s at-
tack against RSA signatures with affine redundancy
to messages of size as small as one third of the size of
the modulus, thus
| m |
1
3
| n |
2 THE PROPOSED ATTACK
This section concentrates on extending the attack of
Girault and Misarsky’s multiplicative attack on RSA
signatures with affine redundancy to a level where we
have the size of the message equal to one third of the
RSA modulus n. A multiplicative attack is an attack
in which the redundancy function of a message can
be expressed as a multiplicative combination of the
redundancy functions of other messages. With respect
to this we search for four messages, m
1
,m
2
,m
3
,m
4
,
which are at least one third of the size of the modulus
n, and verify the following equation
R(m
1
) · R(m
2
)=
R(m
3
) · R(m
4
)(mod n) (4)
Message m
1
, is the message whose signature will
be forged, this can be done by computing
R(m
1
)
d
=
R(m
3
)
d
· R(m
4
)
d
R(m
2
)
d
(mod n)
From (4) we obtain:
(ω · m
1
+ a).(ω · m
2
+ a)=
(ω · m
3
+ a).(ω · m
4
+ a)(mod n)
Denoting P = a/ω (mod n), we obtain:
(P + m
1
).(P + m
2
)=
(P + m
3
).(P + m
4
)(mod n)
For the following substitutions
t = m
3
y = m
2
m
3
x = m
1
m
3
z = m
4
m
1
m
2
+ m
3
(5)
the following equation holds
((P + t)+x) · ((P + t)+y)=
(P + t) · ((P + t)+x + y + z)(mod n)
which simplifies into
x · y =(P + t) · z (mod n) (6)
Next we need to determine the values x, y, z and t
with respect to (6). First, we obtain two integers z and
u such that
P · z = u (mod n)
with
n
1
2
<z<n
1
3
0 <u<2 · n
2
3
WEBIST 2006 - INTERNET TECHNOLOGY
98
One solution is suggested by Girault, Toffin and
Vallee (Girault et al., 1988). Finding a good approx-
imation to the fraction
P
n
can be done efficiently by
developing it in continued fractions. This implies us-
ing the extended Euclidean algorithm to P and n.A
solution is found such that | z |<Zand 0 <u<U
if Z · U>n, which is the case here with Z = n
1
3
and
U =2· n
2
3
.
We then select an integer y such that
n
1
3
y 2 · n
1
3
and gcd(y, z)=1. We find the non-negative integer
t<ysuch that:
t · z = u (mod y)
which is possible since gcd(y,z)=1. Then we take
x =
u + t · z
y
4n
1
3
and obtain:
P · z = u = x · y t · z (mod n)
which gives equation (6), with x, y, z and t being all
smaller than 4 · n
1
3
. From x, y, z, t we derive, using
(5), four messages m
1
,m
2
,m
3
and m
4
, each of size
one third the size of n:
m
1
= x + t
m
2
= y + t
m
3
= t
m
4
= x + y + z + t
(7)
Since n
1/3
<z<n
1/3
and y n
1/3
,wehave
y + z>0, which gives using u 0
x + t =
u + t · (y + z)
y
0
which shows that the four integers m
1
, m
2
, m
3
and
m
4
are non-negative, and we have
R(m
1
).R(m
2
)=
R(m
3
).R(m
4
)(mod n)
The complexity of our attack is polynomial in the
size of n.
3 EXISTENCE OF SELECTIVE
FORGERY
The attack discussed in the previous section is exis-
tential, which means that the attacker needs to find
the four messages required for forgery. This section
deals with the possibility of a selective forgery attack,
but in this case the attack no longer runs in polyno-
mial time. Let m
3
be the message whose signature
must be forged. Letting x, y, z and t as in Lenstra A.,
Lenstra H. and Lovasz L. (Lenstra et al., 1982), we
compute two integers z and u such that
(P + t) · z = u (mod n)
with
n
1
2
<z<n
1
3
0 <u<2 · n
2
3
We then factor u, and try to write u as the prod-
uct x · y of two integers of roughly the same size, so
that eventually we have four integers x, y, z, t of size
roughly one third of the size of the modulus, with:
x · y =(P + t) · z (mod n)
which gives again
R(m
1
).R(m
2
)=R(m
3
).R(m
4
)(mod n)
The signature of m
3
can now be forged using the
signatures of m
1
,m
2
and m
4
. For a 512-bit modulus
the selective forgery attack is truly practical. For a
1024-bit modulus the attack is more demanding but
was still implemented with success.
4 CONCLUSIONS
We have extended Girault and Misarsky’s attack on
RSA signatures with affine redundancy: we described
a chosen message attack against RSA signatures with
affine redundancy for messages as small as one third
of the size of the modulus. Consequently, when us-
ing a fixed padding P | m or m | P , the size of P
must be at least two-thirds of the size of n. Our at-
tack is polynomial in the length of the modulus. It
remains an open problem to extend this attack to even
smaller messages (or, equivalently, to bigger fixed-
pattern constants): we do not know if there exists a
polynomial time attack against RSA signatures with
affine redundancy for messages shorter than one third
of the size of the modulus. However, we think that
exploring to what extent affine padding is malleable
RSA-PADDING SIGNATURES WITH ATTACK STUDIES
99
increases our understanding of RSAs properties and
limitations.
REFERENCES
Girault, M. and Misarksy, J. (1997). Selective forgery of
rsa signatures using redundancy. In Springer-Verlag,
editor, Proceedings of Eurocrypt ’97, volume 1233 of
LNCS, pages 495–507.
Girault, M., Toffin, P., and Vallee, B. (1988). Computation
of approximation l-th roots modulo n and application
to cryptography. In Springer-Verlag, editor, Proceed-
ings of Crypto ’88, volume 403 of LNCS, pages 100–
117.
Jonge, W. D. and Chaum, D. (1986). Attacks on some rsa
signatures. In Springer-Verlag, editor, Proceedings of
Crypto ’85, volume 218 of LNCS, pages 18–27.
Lenstra, A., Lenstra, H., and Lovasz, L. (1982). Factoring
polynomials with rational coefficients. In Mathema-
tische Annalen, volume 261, no. 4, pages 515–534.
Misarsky, J.-F. (1998). How (not) to design rsa signature
schemes. In Springer-Verlag, editor, Public-key cryp-
tography (PKC), volume 1431 of LNCS, pages 14–28.
Rivest, R., Shamir, A., and Adleman, L. (1978). A method
for obtaining digital signatures and public key cryp-
tosystems. In Communications of the ACM, volume
21, no. 2, pages 120–126.
Network Working Group (1998). Rsa cryptography speci-
fications, version 2.0. In RSA Laboratories, PKCS #
1.
WEBIST 2006 - INTERNET TECHNOLOGY
100