Selective forgery of RSA signatures with fixed-pattern padding

We present a practical selective forgery attack against RSA signatures with fixed-pattern padding shorter than two thirds of the modulus length. Our result extends the practical existential forgery of such RSA signatures (Brier et al., 2001). For an n-bit modulus the heuristic asymptotic runtime of our forgery is comparable to the time required to factor a modulus of only 9/64 n bits. Thus, the security provided by short fixed-pattern padding is negligible compared to the security it is supposed to provid

The padding scheme for RSA signatures

The RSA scheme is used to sign messages; however, in order to avoid forgeries, a message can be padded with a fixed string of data P. De Jonge and Chaum showed in 1985 that forgeries can be constructed if the size of P (measured in bytes) is less than the size of N/3, where N is the RSA modulus. Girault and Misarsky then showed in 1997 that forgeries can be constructed if the size of P is less than the size of N/2. In 2001, Brier, Clavier, Coron and Naccache showed that forgeries can still be constructed when the size of P is less than two thirds the size of N. In this paper, we demonstrate that this padding scheme is always insecure; however, the complexity of actually finding a forgery is O(N). We then focus specifically on the next unsettled case, where P is less than 3/4 the size of N and show that finding a forgery is equivalent to solving a set of diophantine equations. While we are not able to solve these equations, this work may lead to a break-through by means of algebraic number theory techniques

Divisibility, Smoothness and Cryptographic Applications

This paper deals with products of moderate-size primes, familiarly known as smooth numbers. Smooth numbers play a crucial role in information theory, signal processing and cryptography. We present various properties of smooth numbers relating to their enumeration, distribution and occurrence in various integer sequences. We then turn our attention to cryptographic applications in which smooth numbers play a pivotal role

On the Security of the PKCS#1 v1.5 Signature Scheme

The RSA PKCS#1 v1.5 signature algorithm is the most widely used digital signature scheme in practice. Its two main strengths are its extreme simplicity, which makes it very easy to implement, and that verification of signatures is significantly faster than for DSA or ECDSA. Despite the huge practical importance of RSA PKCS#1 v1.5 signatures, providing formal evidence for their security based on plausible cryptographic hardness assumptions has turned out to be very difficult. Therefore the most recent version of PKCS#1 (RFC 8017) even recommends a replacement the more complex and less efficient scheme RSA-PSS, as it is provably secure and therefore considered more robust. The main obstacle is that RSA PKCS#1 v1.5 signatures use a deterministic padding scheme, which makes standard proof techniques not applicable. We introduce a new technique that enables the first security proof for RSA-PKCS#1 v1.5 signatures. We prove full existential unforgeability against adaptive chosen-message attacks (EUF-CMA) under the standard RSA assumption. Furthermore, we give a tight proof under the Phi-Hiding assumption. These proofs are in the random oracle model and the parameters deviate slightly from the standard use, because we require a larger output length of the hash function. However, we also show how RSA-PKCS#1 v1.5 signatures can be instantiated in practice such that our security proofs apply. In order to draw a more complete picture of the precise security of RSA PKCS#1 v1.5 signatures, we also give security proofs in the standard model, but with respect to weaker attacker models (key-only attacks) and based on known complexity assumptions. The main conclusion of our work is that from a provable security perspective RSA PKCS#1 v1.5 can be safely used, if the output length of the hash function is chosen appropriately

A Novel Blind Signature Based Upon ECDLP

Encryption and decryption techniques protect the condentiality of information exchanged in a network whereas digital signature is electronic signing of data that provide senders authentication using its secret key and verication using its public key and other domain parameters. A combination of encipherment and digital signing of message immunes it from most of the active attacks such as modification of data, masquerading and repudiation Elliptic curve discrete logarithmic problem (ECDLP) is the problem of finding the scalar multiplier knowing the corresponding points on an elliptic curve. ECDLP is very complex and dicult to solve compared to any standard inverse operation of a one-way-trapdoor function such as Discrete Logarithm Problem or Factorization problem. Blind signature allows a user to obtain a signature from an authority on any document, in such a way that the authority learns nothing about the message that is being signed. The blindness is an important property which distinguishes the blind signature from other signature schemes. Blind signature is an important cryptographic primitive used in protocols such as electronic voting systems and cash payment systems. Since an ECDLP enjoys a large space and time complexity and blind signature ensures anonymity of clients message while obtaining a signature from a trusted party, we aim at designing a blind signature scheme based upon ECDLP which is supposed to have a low computation cost and low communication overhead. The signature should be such that it has a small size, it is highly secured and is resistant to elliptic curve cryptography based attacks such as forgery attack, MOV attack etc

Comparison of authentication schemes for wireless sensor networks as applied to secure data aggregation

Il processo di aggregazione è fondamentale nell'economia energetica di una rete di sensori wireless (WSN). Tale processo, però, pone delle nuove sfide sul piano della sicurezza, dettate dagli stringenti vincoli di complessità tipici di una WSN. In questa tesi, in particolare, si indaga l'applicabilità degli algoritmi di autenticazione al contesto dell'aggregazion

Combined schemes for signature and encryption: The public-key and the identity-based setting

Consider a scenario in which parties use a public-key encryption scheme and a signature scheme with a single public key/private key pair-so the private key sk is used for both signing and decrypting. Such a simultaneous use of a key is in general considered poor cryptographic practice, but from an efficiency point of view looks attractive. We offer security notions to analyze such violations of key separation. For both the identity-and the non-identity-based setting, we show that-although being insecure in general-for schemes of interest the resulting combined scheme can offer strong security guarantees.First and last author were supported by the Spanish Ministerio de Economía y Competitividad through the project grant MTM-2012-15167

Secure Blind Decryption

Abstract. In this work we construct public key encryption schemes that admit a protocol for blindly decrypting ciphertexts. In a blind decryp-tion protocol, a user with a ciphertext interacts with a secret keyholder such that the user obtains the decryption of the ciphertext and the key-holder learns nothing about what it decrypted. While we are not the first to consider this problem, previous works provided only weak secu-rity guarantees against malicious users. We provide, to our knowledge, the first practical blind decryption schemes that are secure under a strong CCA security definition. We prove our construction secure in the stan-dard model under simple, well-studied assumptions in bilinear groups. To motivate the usefulness of this primitive we discuss several applica-tions including privacy-preserving distributed file systems and Oblivious Transfer schemes that admit public contribution.