
Showing papers on "Optimal asymmetric encryption padding published in 1996"


Book Chapter
12 May 1996
TL;DR: An RSA-based signing scheme is described that combines essentially optimal efficiency with attractive security properties, along with a second scheme that maintains all of these features and in addition provides message recovery.
Abstract: We describe an RSA-based signing scheme which combines essentially optimal efficiency with attractive security properties. Signing takes one RSA decryption plus some hashing, verification takes one RSA encryption plus some hashing, and the size of the signature is the size of the modulus. Assuming the underlying hash functions are ideal, our schemes are not only provably secure, but are so in a tight way: an ability to forge signatures with a certain amount of computational resources implies the ability to invert RSA (on the same size modulus) with about the same computational effort. Furthermore, we provide a second scheme which maintains all of the above features and in addition provides message recovery. These ideas extend to provide schemes for Rabin signatures with analogous properties; in particular their security can be tightly related to the hardness of factoring.

1,079 citations


Book Chapter
Don Coppersmith
12 May 1996
TL;DR: It is shown how to solve a polynomial equation (mod N) of degree k in a single variable x, as long as there is a solution smaller than $N^{1/k}$.
Abstract: We show how to solve a polynomial equation (mod N) of degree k in a single variable x, as long as there is a solution smaller than $N^{1/k}$. We give two applications to RSA encryption with exponent 3. First, knowledge of all the ciphertext and 2/3 of the plaintext bits for a single message reveals that message. Second, if messages are padded with truly random padding and then encrypted with an exponent 3, then two encryptions of the same message (with different padding) will reveal the message, as long as the padding is less than 1/9 of the length of N. With several encryptions, another technique can (heuristically) tolerate padding up to about 1/6 of the length of N.

350 citations