# x - Faculty of Computer Science - Technische Universität Dresden

x - Faculty of Computer Science - Technische Universität Dresden

## m 2 Transition to

Davida's attacks simple version of Davida's attack: (against RSA as signature system) 1. Given Sig1 = m s 1 Sig2 = m s 2 � Sig := Sig1 • Sig2 = (m1 • m2) s New signature generated ! (Passive attack, m not selectable.) 2. Active, desired Sig = m s Choose any m 1; m 2 := m • m 1 -1 Let m 1, m 2 be signed. Further as mentioned above. 3. Active, more skillful (Moore) {see next transparency} "Blinding" : choose any r , m 2 := m • r t m 2 s = m s • r t • s = m s • r sign • r -1 m s = Sig

Active Attack of Davida against RSA 1.) asymmetric encryption system: Decryption of the chosen message m c Attacker chooses random number r, 0 < r < n generates r c mod n; this is uniformly distributed in [1, n-1] lets the attacked person decrypt r c • m c �: n prod Attacked person generates prod d mod n Attacker knows that prod d � n (r c • m c ) d � n r c • d • m c • d � n r • m divides prod d by r and thereby gets m. If this doesn't work: Factor n. 2.) digital signature system: Signing of the chosen message m. Attacker chooses random number r, 0 < r < n generate r t mod n; this is uniformly distributed in [1, n-1] lets the attacked person sign r t • m �: n prod Attacked person generates prod s mod n Attacker knows that prod s � n (r t • m) s � n r t • s • m s � n r • m s divides prod s by r and thereby gets m s . If this doesn't work: Factor n.

