Generating RSA signature, by manipulating shorter message signatures?

Question

Given a server that can return me RSA sign for any plaintext shorter or equal length of the given plaintext (excluding the given plaintext), how can I fraud/get the sign of the given?

$$sign = M^{d} \pmod{N}$$

$m$ is 63 bytes, if not it is left-padded with zeroes
$M = \mathtt{0x00}\mathbin\|m\mathbin\|\mathtt{0x00}\mathbin\|m$, which is always 128 bytes
$(e,N)$ is public key
$(d,N)$ is private key
$N$ is 128 bytes long

Hint: Assume that a non-trivial factor $m_0$ of $m$ can be found, which is possible for all but prime $m$, and easy for all but a small fraction of possible $m$. Obtain the signature of $m_0$, $m/m_0$, and $1$. Toss. I do not immediately see a solution for prime $m$. — fgrieu, Jan 08 '19 at 21:06
so, the sign will be $s(m0) * s(m/m0) * ModularInverseOf(s(1)) mod(N)$ ? — Tamar Geldiashvili, Jan 08 '19 at 21:09
A hack would be to simply remove the initial 0x00 byte, but I have the idea that this might not be what is meant. — Maarten Bodewes, Jan 09 '19 at 13:52

fgrieu · Accepted Answer · 2019-01-09T15:29:11.513

We notice that $M=k\cdot m$ with constant $k=2^{512}+1$. Hence the signature $\mathcal S(m)$ of $m$ is $\mathcal S(m)=k^d\cdot m^d\bmod N$.

It follows that for any valid messages $m_0$ and $m_1$ with $m=m_0\cdot m_1$ a valid message, we have $\mathcal S(m)\cdot\mathcal S(1)\equiv\mathcal S(m_0)\cdot\mathcal S(m_1)\pmod N$.

Hence, when we can write $m$ as $m_0\cdot m_1$ with $m_0>1$ and $m_1>1$, we can obtain the signature of $m$ by asking to the server the signature of $m_0$, $m_1$, and $1$. We can then compute $\mathcal S(m)$ as $\mathcal S(m_0)\cdot\mathcal S(m_1)\cdot\mathcal S(1)^{-1}\bmod N$. The last term of the product is obtained by modular inversion modulo $N$, using e.g. the half-extended Euclidean algorithm.
_{Note: that solution was found by the OP, based on a (strong) hint.}

Given the server's limitation, we can get $\mathcal S(m)$ for any composite $m\in[4,2^{504}($, using three oracle queries (or just two when $m$ is a square). We can most often pull a factor $m_0$ using trial division, Pollard's Rho, ECM (all in GMP-ECM). We need GNFS in some difficult cases (e.g. CADO-NFS or Msieve, perhaps as packaged as FaaS).

With the "lengh" of a message counted in bits, I see no solution for prime $m$, or for $m=1$.

If the "lengh" of a message was counted in bytes excluding leading zero bytes, and for those $m$ such that $2m$ has the same length as $m$, then we can use $\mathcal S(m)\,=\,\mathcal S(2m)\cdot\mathcal S(1)\cdot\mathcal S(2)^{-1}\bmod N$ for $m>1$, and $\mathcal S(1)\,=\,\mathcal S(2)^2\cdot\mathcal S(4)^{-1}\bmod N$ for $m=1$. That still leaves quite a few problematic $m$, such as $131$ and $2^{504}-503$.
_{Note: We have $S(0)=0$ with no query for $m=0$.}
_{Note: $k=F_9$ where $F_m=2^{(2^m)}+1$. The factorization of Fermat integers is well-studied, and it has been known since 1903 that $2424833$ divides $F_9$. But I do not see that it helps.}

Generating RSA signature, by manipulating shorter message signatures?

1 Answers1