
SoK: Comparison of the Security of Real World RSA Hash-and-Sign Signatures

  • Conference paper
  • Security Standardisation Research (SSR 2020)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12529)

Abstract

In this modern day and age, where the majority of our communication occurs online, digital signatures are more important than ever before. Of the utmost importance are the standardised signatures that are deployed not only across the Internet, but also in everyday devices, such as debit and credit cards. The development of these signatures began in the 1990s and is still an ongoing process to this day. We will focus on RSA-based hash-and-sign signatures, specifically deterministic hash-and-sign signatures. We will give a survey of all standardised deterministic RSA hash-and-sign signatures, where we explore the history of each one, from inception, to attacks and finally proofs of security. As the security proofs have appeared over the span of two decades, their statements are not always compatible with one another. To ensure a consistent comparison, we will consider only deterministic standardised signature schemes included in PKCS, ISO, and ANSI standards, as well as the non-standardised Full-Domain Hash, to provide a complete picture.


Notes

  1. The proof is presented with 3 prime factors, but it works for any number co-prime to the modulus where one can compute \(e^{\text {th}}\) roots, but requires an additional assumption similar to the .

  2. cf. https://www.ietf.org/mail-archive/web/tls/current/msg19360.html.

  3. cf. https://www.emvco.com/about/deployment-statistics.


Acknowledgements

The authors would like to thank the anonymous reviewers of SSR 2020 for their insightful comments. We would also like to thank Cathy Meadows and Ruqayya Shaheed for their editorial comments.


Correspondence to Saqib A. Kakvi .


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Kakvi, S.A. (2020). SoK: Comparison of the Security of Real World RSA Hash-and-Sign Signatures. In: van der Merwe, T., Mitchell, C., Mehrnezhad, M. (eds) Security Standardisation Research. SSR 2020. Lecture Notes in Computer Science, vol 12529. Springer, Cham. https://doi.org/10.1007/978-3-030-64357-7_5


  • DOI: https://doi.org/10.1007/978-3-030-64357-7_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64356-0

  • Online ISBN: 978-3-030-64357-7

  • eBook Packages: Computer Science (R0)
