I came across an application which uses RSA signatures on plain MD5
hashes, without padding (the more significant bits are all zero).
Even worse, the application doesn't check if the padding bits are
actually zero during signature verification. The downside is that the
encryption exponent is

There is an attack against this type of RSA signature scheme, although
cannot remember just now if it requires that the verfication exponent be
small (ie. e=3).
The attack I am trying to recall is a chosen-message attack and its
efficiency is related to the probability that a random 128-bit

On 6/20/05, James Muir [EMAIL PROTECTED] wrote:
The attack I am trying to recall is a chosen-message attack and its
efficiency is related to the probability that a random 128-bit integer can
be factorized over a small set of primes (ie. the prob that a uniformily
selected 128-bit integer is

Taral wrote:
On 6/20/05, James Muir [EMAIL PROTECTED] wrote:
The attack I am trying to recall is a chosen-message attack and its
efficiency is related to the probability that a random 128-bit integer can
be factorized over a small set of primes (ie. the prob that a uniformily
selected 128-bit