[cryptography] RSA signatures without padding

Jonathan Katz jkatz at cs.umd.edu
Fri Jul 10 18:59:24 EDT 2015


On Fri, Jul 10, 2015 at 4:15 PM, Filip Paun <paunfilip at gmail.com> wrote:
> Suppose I have a message M for which I generate an RSA-2048 digital
> signature as follows:
>
>   H = SHA-256(M)
>   S = H^d mod N
>
> Assume N = p*q is properly generated and d is the RSA private key.
>
>
> And I verify the signature as follows:
>
>   S^e mod N == H'
>
> where H' is the SHA-256 of the message to be authenticated. Assume e is the
> RSA public key.
>
> Since I've not used any padding then are there any flaws with the above
> approach? What if e = 3? What if e = 2^16+1?
>
> Your guidance is much appreciated.
>
> Thank you,
> Filip

This is a bad idea.

Note that the Full-Domain Hash (FDH) signature scheme would use a hash
mapping the message to all of Z*_N, where here you have a hash mapping
to the (much smaller) space of 256-bit strings.

The problem is that this makes attacks based on factoring H(m) (in
your case a 256-bit number rather than a 2048-bit number) and then
using multiplicative properties of RSA much easier. The size of e is
irrelevant.


More information about the cryptography mailing list