3

Bleichenbacher’s ’06 RSA signature forgery targets incorrect PKCS1 v1.5 implementations where padding checks are omitted and RSA keys with e = 3 are used.

As per the answer to a related question, the attack has the following additional assumption:

… with the assumption that the lsbit of the hash is a 1 (or more generally, that the number of 0’s at the end of the hash is a multiple of 3); this assumption is necessary, because if it is not true, no perfect cube will exist. It turns out if this assumption is true, then a cube will always exist.

Say I modified the EMSA-PKCS1-v1_5-ENCODE signature encoding to fix the least significant byte to 0x02. The full format would be

EM = 0x00 || 0x01 || PS' || 0x00 || T || 0x02

Where PS' consists of emLen - tLen - 4 bytes with hexadecimal value 0xff. T is structured as in the original encoding format, hence it includes the hash to be signed.

This format violates the assumption detailed above.

Are there practical forgery attacks against signature verification routines based on the format above that do not check the padding PS', but verify that (a) the signature starts with 00 01, (b) the signature ends with 0x02, and (c) the length of EM is correct (assuming e = 3)?

I’m only interested in attacks where the attacker gets to choose the message (hash) to be signed.

0xdead10cc

1 Answer

1

In this case, the attacker should attempt to find an integer cube of the form $EM+N$ or $EM-N$ where $N$ is the RSA modulus. Note that $N$ is odd so that the LSB of $EM+N$ is 1 and there is no prohibition on the number being a cube. The degrees of freedom permitted by the digits of PS will still permit a cube to be found for suitable sizes of emLen and tLen.

Verification will still pass as our cube will be reduced modulo $N$ leaving the same $EM$ to be incorrectly parsed as before.

Daniel S
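As an added example (my code, not from the question or the answer), the modified encoding beside the two verifiers in Python, assuming SHA-256 for T and an emLen of 256 bytes: the lax check from the question accepts any PS' content as long as the header, separator, T and 0x02 trailer are in place, which is the freedom the answer relies on, while a verifier that rebuilds the full EM and compares it leaves no unchecked bytes regardless of e or the trailer.

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1): T = prefix || H(M).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(msg: bytes) -> bytes:
    """T from the question: DigestInfo prefix followed by the SHA-256 hash of msg."""
    return SHA256_DIGESTINFO + hashlib.sha256(msg).digest()


def encode_em(msg: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS' || 0x00 || T || 0x02, PS' = emLen - tLen - 4 bytes of 0xff."""
    t = digest_info(msg)
    ps_len = em_len - len(t) - 4
    if ps_len < 8:  # RFC 8017 requires at least eight padding bytes
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t + b"\x02"


def lax_verify(em: bytes, msg: bytes, em_len: int) -> bool:
    """The verifier described in the question: checks length, 00 01 header and 02 trailer,
    locates T by scanning for the first 0x00 separator, and never inspects PS' itself."""
    if len(em) != em_len or em[:2] != b"\x00\x01" or em[-1] != 0x02:
        return False
    sep = em.find(b"\x00", 2)
    if sep == -1:
        return False
    t = digest_info(msg)
    return em[sep + 1 : sep + 1 + len(t)] == t


def strict_verify(em: bytes, msg: bytes, em_len: int) -> bool:
    """Hardened check: rebuild the expected EM and compare the entire string."""
    try:
        expected = encode_em(msg, em_len)
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def unchecked_ps_em(msg: bytes, em_len: int, filler: bytes) -> bytes:
    """Constructed demo input: correct header, separator, T and trailer, but PS' made of
    `filler` bytes (no 0x00) instead of 0xff. Models the freedom the answer refers to."""
    if not filler or b"\x00" in filler:
        raise ValueError("filler must be non-empty and contain no 0x00 byte")
    t = digest_info(msg)
    ps_len = em_len - len(t) - 4
    ps = (filler * ps_len)[:ps_len]
    return b"\x00\x01" + ps + b"\x00" + t + b"\x02"
```

Run `strict_verify` and `lax_verify` on `unchecked_ps_em(b"msg", 256, b"\xa5\x5a")` to see the two verifiers disagree on the same EM.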