On 6/20/05, James Muir <[EMAIL PROTECTED]> wrote:
> The attack I am trying to recall is a chosen-message attack and its
> efficiency is related to the probability that a random 128-bit integer can
> be factorized over a small set of primes (ie. the prob that a uniformily
> selected 128-bit integer is "B-smooth" for a small integer B).  Basically,
> you pick a message for which you'd like to forge a signature, find a variant
> of the message that hashes to a B-smooth 128-bit integer, and then you
> construct the forgery after solving a linear system modulo e (the linear
> system incorporates the signatures on the chosen messages).

I think you're referring to the Desmedt-Odlyzko selective forgery attack.

See http://www.ipa.go.jp/security/enc/CRYPTREC/fy15/doc/1014_Menezes.sigs.pdf


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to