Selective Forgery of RSA Signatures with Fixed-Pattern Padding

  • Arjen K. Lenstra
  • Igor E. Shparlinski
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2274)


We present a practical selective forgery attack against RSA signatures with fixed-pattern padding shorter than two thirds of the modulus length. Our result extends the practical existential forgery of such RSA signatures that was presented at Crypto 2001. For an n-bit modulus the heuristic asymptotic runtime of our forgery is comparable to the time required to factor a modulus of only 9/64n bits. Thus, the security provided by short fixed-pattern padding is negligible compared to the security it is supposed to provide.


Elliptic Curve Continue Fraction Expansion Forgery Attack Choose Message Attack Deterministic Polynomial Time 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    D. Boneh, R.J. Lipton, ‘Algorithms for black-box fields and their application to cryptography’ Proc. Crypto’96, Santa Barbara, Lect. Notes in Comp. Sci., vol 1109, Springer-Verlag, Berlin, 1996, 283–297.Google Scholar
  2. 2.
    E. Brier, C. Clavier, J.-S. Coron and D. Naccache, ‘Cryptanalysis of RSA signatures with fixed-pattern padding’, Proc. Crypto’01, Santa Barbara, Lect. Notes in Comp. Sci., vol. 2139, Springer-Verlag, Berlin, 2001, 433–439.Google Scholar
  3. 3.
    S.D. Chowla and J. Todd, ‘The density of reducible integers’, Canad. J. Math., 1 (1949) 297–299.zbMATHMathSciNetGoogle Scholar
  4. 4.
    D. Coppersmith, ‘Fast evaluation of logarithms in fields of characteristic two’, IEEE Trans. Inform. Theory 30 (1984) 587–594.zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    M. Girault and J.-F. Misarsky, ‘Selective forgery of RSA signatures using redundancy’, Proc. Eurocrypt’97, Konstanz, Lect. Notes in Comp. Sci., vol. 1233, Springer-Verlag, Berlin, 1997, 495–507.Google Scholar
  6. 6.
    M. Girault and J.-F. Misarsky, ‘Cryptoanalysis of countermeasures proposed for repairing ISO 9796’, Proc. Eurocrypt’00, Bruges, Lect. Notes in Comp. Sci., vol. 1807, Springer-Verlag, Berlin, 2000, 81–90.Google Scholar
  7. 7.
    R.R. Hall and G. Tenenbaum, Divisors, Cambridge Univ. Press, 1988.Google Scholar
  8. 8.
    A. Hildebrand and G. Tenenbaum, ‘Integers without large prime factors’, J. de Théorie des Nombres de Bordeaux, 5 (1993) 411–484.zbMATHMathSciNetGoogle Scholar
  9. 9.
    A.K. Lenstra and H.W. Lenstra, Jr., (Editors), The developments of the number field sieve, Lect. Notes in Mathematics, vol. 1554, Springer-Verlag, Berlin, 1993.Google Scholar
  10. 10.
    J.-F. Misarsky, ‘A multiplicative attack using LLL algorithm on RSA signatures with redundancy,’, Proc. Crypto’97, Santa Barbara, Lect. Notes in Comp. Sci., vol. 1294, Springer-Verlag, Berlin, 1997, 221–234.Google Scholar
  11. 11.
    H.W. Lenstra, Jr., ‘Factoring integers with elliptic curves’, Ann. of Math., 126 (1987) 649–673.CrossRefMathSciNetGoogle Scholar
  12. 12.
    H. Niederreiter, Random number generation and Quasi-Monte Carlo methods, SIAM Press, 1992.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Arjen K. Lenstra
    • 1
  • Igor E. Shparlinski
    • 2
  1. 1.Citibank, N.A. and Technical University EindhovenUSA
  2. 2.Department of ComputingMacquarie UniversitySydneyAustralia

Personalised recommendations