[17515] in cryptography@c2.net mail archive


Re: RSA signatures without padding

daemon@ATHENA.MIT.EDU (Taral)
Mon Jun 20 21:47:49 2005

X-Original-To: cryptography@metzdowd.com
Date: Mon, 20 Jun 2005 20:18:47 -0500
From: Taral <taralx@gmail.com>
Reply-To: Taral <taralx@gmail.com>
To: James Muir <jamuir@math.uwaterloo.ca>, cryptography@metzdowd.com
In-Reply-To: <Pine.GSO.4.58.0506201641570.12674@cpu101.math.uwaterloo.ca>

On 6/20/05, James Muir <jamuir@math.uwaterloo.ca> wrote:
> The attack I am trying to recall is a chosen-message attack and its
> efficiency is related to the probability that a random 128-bit integer can
> be factorized over a small set of primes (i.e. the prob that a uniformly
> selected 128-bit integer is "B-smooth" for a small integer B).  Basically,
> you pick a message for which you'd like to forge a signature, find a variant
> of the message that hashes to a B-smooth 128-bit integer, and then you
> construct the forgery after solving a linear system modulo e (the linear
> system incorporates the signatures on the chosen messages).

I think you're referring to the Desmedt-Odlyzko selective forgery attack.

See http://www.ipa.go.jp/security/enc/CRYPTREC/fy15/doc/1014_Menezes.sigs.pdf

-- 
Taral <taralx@gmail.com>

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
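
Added example, not part of the original post or of the cited paper: a toy Python model of the property the quoted attack rests on, namely that unpadded RSA signatures multiply, so a signature on a smooth hash value follows from signatures on its prime factors, and that smooth values become rarer as the signed integer grows. The key, the factor base and the "hash" value are constructed assumptions, and the signer here signs the primes directly, a simplification of the chosen-message and linear-system steps described above.

```python
# Added illustration (constructed toy values; not code from the thread).
from math import prod

# Toy RSA key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
BASE = [2, 3, 5, 7, 11, 13]  # assumed small factor base ("B-smooth", B = 13)

def sign_raw(h):
    """Unpadded signature: the hash integer h is exponentiated directly."""
    return pow(h, D, N)

def verify_raw(h, s):
    """Unpadded verification: s^e mod N must equal the hash integer."""
    return pow(s, E, N) == h % N

def exponents(h, base=BASE):
    """Exponent vector of h over base, or None when h is not smooth."""
    if h < 1:
        return None
    exps = []
    for p in base:
        k = 0
        while h % p == 0:
            h, k = h // p, k + 1
        exps.append(k)
    return exps if h == 1 else None

def product_of_signatures(base_sigs, exps):
    """prod(sig(p)^k) mod N, which equals sig(prod(p^k)) for raw RSA."""
    return prod(pow(s, k, N) for s, k in zip(base_sigs, exps)) % N

def smooth_fraction(bits, base=BASE):
    """Exact share of integers in [1, 2^bits) that factor over base."""
    total = 2**bits - 1
    hits = sum(exponents(h, base) is not None for h in range(1, total + 1))
    return hits / total

if __name__ == "__main__":
    h = 2**5 * 3**2 * 7 * 11  # constructed smooth "hash" value
    sigs = [sign_raw(p) for p in BASE]
    s = product_of_signatures(sigs, exponents(h))
    print("verifies although h itself was never signed:", verify_raw(h, s))
    print("smooth share at 10 and 16 bits:",
          smooth_fraction(10), smooth_fraction(16))
```

The falling smooth share is why signature encodings that fill the whole modulus with structured padding, rather than a bare 128-bit hash, defeat this multiplicative shortcut.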
