I've a signature scheme for 1024-bit RSA with a 65537 exponent. The signed message is constructed as follows:
760 bits fully_user_controlled_message_content + 8 bits incremental nonce + sha256(fully_user_controlled_message_content + Nonce)
Verification then consists of:
- the nonce in the remainder must be ++prev_nonce
- sha256(remainder from Signature >> 768 bits) must be equal to sha256(fully_user_controlled_message_content + Nonce)
Breaking 1024-bit RSA is impossible for small organizations. However, for large messages only the least 264 bits of the signed message are randomized.
Does this enable Oracle attacks? Does the random padding of the least significant bits introduce vulnerabilities that allow forging a signature?
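To make the scheme under discussion concrete, here is a reference model of it, added as example code and not written by the question's author. It assumes a big-endian layout with the 760-bit content in the high bits, the 8-bit nonce next and the SHA-256 digest in the low 256 bits (so the "least 264 bits" are nonce plus hash), textbook RSA with no further padding, and an 8-bit counter that wraps modulo 256; the Miller-Rabin key generation is for demonstration only. It does not attempt the forgery the question asks about; it only shows the encoding and the two verification checks, including the constraint the description glosses over: the 1024-bit block must be numerically below the 1024-bit modulus for raw RSA to be invertible.

```python
import hashlib
import hmac
import secrets

# Layout described in the question (assumed big-endian, content in the high bits):
#   760-bit content || 8-bit nonce || 256-bit SHA-256(content || nonce) = 1024 bits
CONTENT_BYTES, HASH_BYTES = 760 // 8, 256 // 8   # 95 and 32; the nonce is one byte
BLOCK_BYTES = CONTENT_BYTES + 1 + HASH_BYTES      # 128 bytes = 1024 bits
E = 65537
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin: fine for a demonstration key, not for a production one."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top and low bit
        if is_probable_prime(cand):
            return cand


def gen_key(bits: int = 1024):
    """Return (n, d) for a textbook RSA key with public exponent E."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % E != 0:
            return n, pow(E, -1, phi)   # modular inverse, Python 3.8+


def encode_block(content: bytes, nonce: int) -> bytes:
    """content || nonce || sha256(content || nonce), exactly 128 bytes."""
    if len(content) != CONTENT_BYTES or not 0 <= nonce < 256:
        raise ValueError("content must be 95 bytes and the nonce a single byte")
    body = content + bytes([nonce])
    return body + hashlib.sha256(body).digest()


def sign(n: int, d: int, content: bytes, nonce: int) -> int:
    m = int.from_bytes(encode_block(content, nonce), "big")
    if m >= n:   # textbook RSA needs m < n; a 1024-bit block can violate this
        raise ValueError("encoded block is not below the modulus")
    return pow(m, d, n)


def verify(n: int, sig: int, prev_nonce: int):
    """Return (content, nonce) if both checks from the question pass, else None."""
    if not 0 < sig < n:
        return None
    block = pow(sig, E, n).to_bytes(BLOCK_BYTES, "big")
    content = block[:CONTENT_BYTES]
    nonce = block[CONTENT_BYTES]
    digest = block[CONTENT_BYTES + 1:]
    if nonce != (prev_nonce + 1) % 256:          # assumption: the 8-bit counter wraps
        return None
    expected = hashlib.sha256(block[:CONTENT_BYTES + 1]).digest()
    if not hmac.compare_digest(digest, expected):
        return None
    return content, nonce


def demo():
    """Sign one block, then check a valid, a replayed and a bit-flipped signature."""
    n, d = gen_key()
    # Constructed sample content; the leading byte is below 0x80 so the block is < n.
    content = b"transfer 10 units to account 42".ljust(CONTENT_BYTES, b" ")
    sig = sign(n, d, content, nonce=1)
    ok = verify(n, sig, prev_nonce=0) == (content, 1)
    replayed = verify(n, sig, prev_nonce=1)       # verifier now expects nonce 2
    tampered = verify(n, sig ^ 1, prev_nonce=0)   # flip the low bit of the signature
    return ok, replayed is None, tampered is None
```

Note that `sign` refuses any block that is not below n, which in this layout means a content whose first byte has its top bit set can never be signed with a 1024-bit modulus; a deployment would need either a larger modulus or a reserved leading bit, and the question's description does not say which.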