DOI: 10.1145/3243734.3243798
research-article

On the Security of the PKCS#1 v1.5 Signature Scheme

Published: 15 October 2018

ABSTRACT

The RSA PKCS#1 v1.5 signature algorithm is the most widely used digital signature scheme in practice. Its two main strengths are its extreme simplicity, which makes it very easy to implement, and that verification of signatures is significantly faster than for DSA or ECDSA. Despite the huge practical importance of RSA PKCS#1 v1.5 signatures, providing formal evidence for their security based on plausible cryptographic hardness assumptions has turned out to be very difficult. Therefore the most recent version of PKCS#1 (RFC 8017) even recommends replacing it with the more complex and less efficient scheme RSA-PSS, as it is provably secure and therefore considered more robust. The main obstacle is that RSA PKCS#1 v1.5 signatures use a deterministic padding scheme, which makes standard proof techniques not applicable. We introduce a new technique that enables the first security proof for RSA PKCS#1 v1.5 signatures. We prove full existential unforgeability against adaptive chosen-message attacks (EUF-CMA) under the standard RSA assumption. Furthermore, we give a tight proof under the Phi-Hiding assumption. These proofs are in the random oracle model and the parameters deviate slightly from the standard use, because we require a larger output length of the hash function. However, we also show how RSA PKCS#1 v1.5 signatures can be instantiated in practice such that our security proofs apply. In order to draw a more complete picture of the precise security of RSA PKCS#1 v1.5 signatures, we also give security proofs in the standard model, but with respect to weaker attacker models (key-only attacks) and based on known complexity assumptions. The main conclusion of our work is that from a provable security perspective RSA PKCS#1 v1.5 can be safely used, if the output length of the hash function is chosen appropriately.

Supplemental Material

p1195-kakvi.mp4 (mp4, 301.1 MB)


    • Published in

      CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
      October 2018
      2359 pages
      ISBN: 9781450356930
      DOI: 10.1145/3243734

      Copyright © 2018 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Acceptance Rates

      CCS '18 Paper Acceptance Rate: 134 of 809 submissions, 17%
      Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
