[Cryptography] A new digital signature scheme based on the RSA problem?

Sergio Lerner sergiolerner at pentatek.com
Tue Dec 17 11:31:26 EST 2013


I think the Gennaro, Halevi, Rabin scheme is completely broken. I cannot
see how they prevent an attacker from forging a signature for H(y).
Suppose H(x)=k*H(y), k can generally be computed in Zn by inverting H(y)
using the Extended Euclidean algorithm in Zn and computing
k=H(x)*h(y)^-1 (mod n). It's unimportant if H(x) divides H(y) in Z or
not. Inverting H(y) will not be possible if it has no inverse, but it
must be the case that gcd(h(y),n)=1, if not then H(y) could be used to
factor n, so we can assume h(y) is invertible.
Suppose w is the signature for x, then w^H(x) = s
We can forge a signature z for H(y) as z = (w^k).
This is because z^H(y) = w^k^H(y) = w^(k*H(y)) = w^H(x)  = s

What's the scheme's security? It seems to me there is none.
What did I do wrong?
 
Best regards, Sergio.
   

On 16/12/2013 05:26 p.m., Jonathan Katz wrote:
> On Mon, 16 Dec 2013, Sergio Lerner wrote:
>
>> Hi!
>> This is my first message to the group, and I hope it doesn't bore you.
>>
>> Playing with RSA digital signatures I realized that the same system can
>> be used a bit differently and achieve the same security level (as far as
>> I see). I haven't read about this method before and it's near impossible
>> to google for a math formula. So this may be a very old broken digital
>> signature method, or it may be a brand new shiny candidate. If you find
>> any previous reference, let me know. The main idea is to use the hash of
>> the message as the public exponent, and everything else derives
>> naturally from that idea.
>>
>> *The RSAL Digital signature Scheme*
>
> <snip>
>
> Your scheme is similar to several schemes in the literature based on
> the so-called *strong RSA* assumption (as compared to the [regular]
> RSA assumption). See, for example:
>   http://www.research.ibm.com/people/s/shaih/pubs/ghr99.ps.gz
>   http://www.shoup.net/papers/sig.ps
> (But make sure to also check google scholar for the followup work.)
>
> Note further that there is no real reason to make your base 'v' depend
> on the message; you may as well have the signer fix it as part of
> their public key once and for all.
>
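The algebra in the message above can be checked numerically. This is an added example, not part of the original post: it uses the message's notation (w^H(x) = s mod n, z = w^k) with constructed toy parameters and fixed small exponents standing in for H(x) and H(y), and compares reducing k modulo n with reducing it modulo phi(n), since exponents of elements of Zn* are only interchangeable modulo the group order.

```python
# Constructed toy parameters; real moduli are 2048+ bits.
P, Q = 11, 23
N = P * Q                    # public modulus n = 253
PHI = (P - 1) * (Q - 1)      # secret: computing it requires the factors of n
S = 2                        # public value s


def sign(e):
    """Signer's side: return w with w^e = s (mod n), an e-th root of s."""
    return pow(S, pow(e, -1, PHI), N)


def verify(e, sig):
    """Public check: sig^e == s (mod n)."""
    return pow(sig, e, N) == S


def transfer(w, e_x, e_y, modulus):
    """Step from the message: k = H(x) * H(y)^-1 (mod modulus), z = w^k."""
    k = e_x * pow(e_y, -1, modulus) % modulus
    return pow(w, k, N)


def check(e_x, e_y):
    """Return (w valid for e_x, z valid with k mod n, z valid with k mod phi)."""
    w = sign(e_x)
    z_n = transfer(w, e_x, e_y, N)      # computable from public values only
    z_phi = transfer(w, e_x, e_y, PHI)  # needs phi(n), i.e. the signing key
    return verify(e_x, w), verify(e_y, z_n), verify(e_y, z_phi)


if __name__ == "__main__":
    # e_x = 3 and e_y = 7 are constructed stand-ins for H(x) and H(y).
    print(check(3, 7))
```

With k reduced modulo n, k*H(y) equals H(x) plus a multiple of n, and that extra multiple of n in the exponent does not cancel, so z^H(y) differs from s; only the reduction modulo phi(n) verifies.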