RSA signatures without padding
James Muir
jamuir at math.uwaterloo.ca
Mon Jun 20 22:17:28 EDT 2005
Taral wrote:
> On 6/20/05, James Muir <jamuir at math.uwaterloo.ca> wrote:
>
>>The attack I am trying to recall is a chosen-message attack and its
>>efficiency is related to the probability that a random 128-bit integer can
>>be factorized over a small set of primes (ie. the prob that a uniformily
>>selected 128-bit integer is "B-smooth" for a small integer B). Basically,
>>you pick a message for which you'd like to forge a signature, find a variant
>>of the message that hashes to a B-smooth 128-bit integer, and then you
>>construct the forgery after solving a linear system modulo e (the linear
>>system incorporates the signatures on the chosen messages).
>
>
> I think you're referring to the Desmedt-Odlyzko selective forgery attack.
>
> See http://www.ipa.go.jp/security/enc/CRYPTREC/fy15/doc/1014_Menezes.sigs.pdf
Yes, that's it. Thanks for the URL.
-James
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list