From Fixed-Length to Arbitrary-Length RSA Padding Schemes
نویسندگان
چکیده
A common practice for signing with RSA is to first apply a hash function or a redundancy function to the message, add some padding and exponentiate the resulting padded message using the decryption exponent. This is the basis of several existing standards. In this paper we show how to build a secure padding scheme for signing arbitrarily long messages with a secure padding scheme for fixed-size messages. This focuses more sharply the question of finding a secure encoding for RSA signatures, by showing that the difficulty is not in handling messages of arbitrary length, but rather in finding a secure redundancy function for short messages, which remains an open problem.
منابع مشابه
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
We show how to construct a practical secure signature padding scheme for arbitrarily long messages from a secure signature padding scheme for fixed-length messages. This new construction is based on a one-way compression function respecting the division intractability assumption. By practical, we mean that our scheme can be instantiated using dedicated compression functions and without chaining...
متن کاملSelective Forgery of RSA Signatures with Fixed-Pattern Padding
We present a practical selective forgery attack against RSA signatures with fixed-pattern padding shorter than two thirds of the modulus length. Our result extends the practical existential forgery of such RSA signatures that was presented at Crypto 2001. For an n-bit modulus the heuristic asymptotic runtime of our forgery is comparable to the time required to factor a modulus of only 9 64n bit...
متن کاملFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
To sign with RSA, one usually encodes the message m as μ(m) and then raises the result to the private exponent modulo N . In Asiacrypt 2000, Coron et al. showed how to build a secure RSA encoding scheme μ′(m) for signing arbitrarily long messages from a secure encoding scheme μ(m) capable of handling only fixed-size messages, without making any additional assumptions. However, their constructio...
متن کاملOAEP 3-Round: A Generic and Secure Asymmetric Encryption Padding
The OAEP construction is already 10 years old and wellestablished in many practical applications. But after some doubts about its actual security level, four years ago, the first efficient and provably IND-CCA1 secure encryption padding was formally and fully proven to achieve the expected IND-CCA2 security level, when used with any trapdoor permutation. Even if it requires the partial-domain o...
متن کاملID-Based Sequential Aggregate Signatures
An aggregate signature provides a method for combining n signatures of n different messages from n different signers into one signature of unit length. The main benefit of such schemes is that they allow bandwidth and computational savings. There exist several trials for the construction of ID-based aggregate signature schemes so far. Unfortunately, the computational complexity and (or) signatu...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2000