RSA Signature

Question 1

What is the biggest thread of naive RSA Signature?

Answer 1

Homomorphism. You know how this works by now…

Question 2

How does the naive RSA Signature work?

Answer 2

It is basic RSA encryption: The sender “signs” the message by decrypting it, and then the receiver can encrypt the signatrue to verify the sender.

Question 3

How does padding help secure naive RSA signature?

Answer 3

The signature of meaning ful message m can be constructed with r2 = m/r1. Such that s1* s2 = s, a valid signature of m. However, padding will make sure that (r1 padded and r2 padded) after multiplication, the padding is no longer valid. Hence padding kinda solves homomorphism.

Question 4

Explain the standard approach in document signing.

Answer 4

Because siging often uses a block cipher, and documents are often quite large, signing is very time consuming. Hence, often the hash of the document is signed.
Hashes also perform over all blocks, but are way faster to compute than block ciphers.

Question 5

Explain what the thread is of a shared modulus (case 1)

Answer 5

In case 1, the attacker has the factorization of the modulus, hence it can knows p and q. Hence it can compute de private key of the other party using ed = 1 mod phi

Question 6

Explain what the thread is of a shared modulus (case 2)

Answer 6

In case 2, the attacker does not know the factorizaiton. However, when it obtains two ciphertexts of the same message, using both of the encryption keys, it is able to use algebra to uncover the original message.

So it can decrypt the message without knowing d.

Question 7

Explain the issue with using small public component e in RSA encryption.

Answer 7

If the value is small enough, like 3 or 7, it is computationally possible to reverse the encryption using different multiple cipher text with values of N. (using CRT)

Question 8

What is the advantage of using 3, 7 or 65565 as public key?

Answer 8

They are binary represented as {1}* , which leads to fast encryption.

Question 9

Altough its risks, why is it still recommended to use small e value in RSA encryption?

Answer 9

The risks are related to the naive RSA implementation. However, in practise a IND-CCA version of RSA is used. So there are no risks, and computation is faster.