A Multiplicative Attack Using LLL Algorithm on RSA Signatures with Redundancy.

We show that some RSA signature schemes using fixed or modular redundancy and dispersion of redundancy bits are insecure. Our attack is based on the multiplicative property of the RSA signature function and extends old results of De Jonge and Chaum [DJC] as well as recent results of Girault and Misarsky [GM]. Our method uses lattice basis reduction [LLL] and algorithms of László Babai [B]. Our attack is valid when the length of the redundancy is roughly less than half the length of the public modulus. We successfully apply our attack to a scheme proposed for discussion within ISO. Afterwards, we also describe possible adaptations of our method to attack schemes using a mask or different modular redundancies. We explain the limits of our attack and how to defeat it.