2
Show that digital signatures under plain RSA are insecure (Plain RSA means that signing is done by calculating $m^d\bmod n$, with $0\le m<n$, and no padding or hashing of $m$).

Write an algorithm that, given someone’s public signature verification key ($e$, $n$), can easily generate a (message, signature) pair for some message that the private key holder never intended to sign. For full credit your algorithm should not require a signing oracle and your algorithm should generate “signed” messages where your message is different than its signature (Hints: The message need not have any meaning to count as a forgery. Think backwards).
3
  • 6
    We rather expect you to do your own homework. What have you tried? Commented Feb 18, 2014 at 3:43
  • 2
    This is, in fact, answered in another related question of the forum. You just need to work a little and look for it. Posting your homework without even explaining what your doubts are is not fair. Commented Feb 18, 2014 at 7:42
  • Here it is: crypto.stackexchange.com/questions/2474/… Commented Feb 18, 2014 at 8:19

1 Answer

2
I happened to see a similar question like this. The question mentioned sending a fake signature message. The method is like this:

  1. Find some random string R.
  2. Use the public key to encrypt the random string R, let the result be X.

(R, X) is your signature pair. (Think backwards.) When someone verifies the signature, he'll compare {R} with X, which are equal.
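The "think backwards" forgery from the question, written out as an added example (not code from the original post): the forger picks the signature $s$ first and derives the message $m = s^e \bmod n$, so plain RSA verification accepts $(m, s)$ without any private key. The toy key `N`, `E` and the function names are assumptions made for this illustration; `verify_hashed` is a simplified hash-then-sign check included only to show why hashing the message blocks the trick.

```python
import hashlib
import secrets

# Constructed toy public key (assumption, not from the page): n is the product
# of the Mersenne primes 2**31 - 1 and 2**61 - 1. Far too small for real use.
N = (2**31 - 1) * (2**61 - 1)
E = 65537


def verify_plain_rsa(message: int, signature: int, e: int, n: int) -> bool:
    """Plain RSA verification: accept iff signature^e mod n equals the message."""
    if not (0 <= message < n and 0 <= signature < n):
        return False
    return pow(signature, e, n) == message


def forge(e: int, n: int):
    """Key-only forgery: pick the signature first, then derive its message."""
    while True:
        s = 2 + secrets.randbelow(n - 3)  # s in [2, n-2]; skips 0, 1 and n-1
        m = pow(s, e, n)                  # "encrypt" s with the public key
        if m != s:                        # exercise requires message != signature
            return m, s


def verify_hashed(message: bytes, signature: int, e: int, n: int) -> bool:
    """Simplified hash-then-sign check (illustration only, not a standard scheme)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


if __name__ == "__main__":
    m, s = forge(E, N)
    print("forged message  :", m)
    print("forged signature:", s)
    print("plain RSA accepts:", verify_plain_rsa(m, s, E, N))
    # The forger cannot choose m so that SHA-256(m) lands on s^e mod n.
    print("hashed check accepts:", verify_hashed(m.to_bytes(16, "big"), s, E, N))
```

Deployed RSA signatures use a standardized encoding such as RSASSA-PSS rather than the bare hash reduction shown in `verify_hashed`.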
