Calculating RSA Signature at Message m=2 w/o Hash Function

[mathmari]

Hey!

1. Construct a pair of private/public key RSA, where the prime numbers that we use are $p=11, q=13$.
2. Describe how we can calculate a RSA signature at the message $m=2$ without using a hash function.
3. Show that, given the above signature, we can calculate a valid signature at the message $m'=8$ without using the private key.

I have done the following:

1. $n=p \cdot q=11 \cdot 13$

$\phi(n)=(p-1)(q-1)=10 \cdot 12=120$

We choose a $e$ such that $(e,\phi(n))=1$. We take for example, $e=7$.

Then we calculate $d$ such that $ed \equiv 1 \pmod {\phi(n)}$. So, $d=13$.

The private key is $d=13$ and the public key is $(e, n)=(7, n)$.

2. The signature is $c=m^d \pmod {\phi(n)}$.

3. There is a $m_1$ such that $m=m'm_1$.

$c=m^d \pmod {\phi(n)} \Rightarrow c=m'^dm_1^d \pmod {\phi(n)} \\ \Rightarrow c(m_1^d)^{-1}=m'^d \pmod {\phi(n)} \Rightarrow cm_1^{-d}=m'^d \pmod {\phi(n)} \\ \Rightarrow ((cm_1^{-d})^{-e})^{-\frac{1}{e}}=m'^d \pmod {\phi(n)} \Rightarrow (c^{-e}m_1^{ed})^{-\frac{1}{e}}=m'^d \pmod {\phi(n)} \\ \Rightarrow (c^{-e}m_1)^{-\frac{1}{e}}=m'^d \pmod {\phi(n)}$

That means that the signature of the message $m'$ is $(c^{-e}m_1)^{-\frac{1}{e}}$.

Could you tell me if it is correct what I have done?? (Wondering)

 

[Sudharaka]

Hey!

1. Construct a pair of private/public key RSA, where the prime numbers that we use are $p=11, q=13$.
2. Describe how we can calculate a RSA signature at the message $m=2$ without using a hash function.
3. Show that, given the above signature, we can calculate a valid signature at the message $m'=8$ without using the private key.

I have done the following:

1. $n=p \cdot q=11 \cdot 13$

$\phi(n)=(p-1)(q-1)=10 \cdot 12=120$

We choose a $e$ such that $(e,\phi(n))=1$. We take for example, $e=7$.

Then we calculate $d$ such that $ed \equiv 1 \pmod {\phi(n)}$. So, $d=13$.

The private key is $d=13$ and the public key is $(e, n)=(7, n)$.

2. The signature is $c=m^d \pmod {\phi(n)}$.

3. There is a $m_1$ such that $m=m'm_1$.

$c=m^d \pmod {\phi(n)} \Rightarrow c=m'^dm_1^d \pmod {\phi(n)} \\ \Rightarrow c(m_1^d)^{-1}=m'^d \pmod {\phi(n)} \Rightarrow cm_1^{-d}=m'^d \pmod {\phi(n)} \\ \Rightarrow ((cm_1^{-d})^{-e})^{-\frac{1}{e}}=m'^d \pmod {\phi(n)} \Rightarrow (c^{-e}m_1^{ed})^{-\frac{1}{e}}=m'^d \pmod {\phi(n)} \\ \Rightarrow (c^{-e}m_1)^{-\frac{1}{e}}=m'^d \pmod {\phi(n)}$

That means that the signature of the message $m'$ is $(c^{-e}m_1)^{-\frac{1}{e}}$.

Could you tell me if it is correct what I have done?? (Wondering)

Hi mathmari,

The first part is correct. For the second part the signature is $c=m^d \pmod {n}=2^{13}\mbox{mod 141}$. For the third part you can use the homomorphic property of the RSA scheme. That is, $c^3=m^{3d}\pmod{n}$.

 

[mathmari]

The first part is correct.

I calculated again $13 \cdot 7 \pmod {121} \equiv 91 \pmod {121}$. So, it is wrong, isn't it?? (Wondering)

For the second part the signature is $c=m^d \pmod {n}=2^13\mbox{mod 141}$.

Oh, I wrote $c=m^d \pmod {\phi(n)}$ instead of $c=m^d \pmod {n}$. (Tmi)

For the third part you can use the homomorphic property of the RSA scheme. That is, $c^3=m^{3d}\pmod{n}$.

So, is my idea completely wrong?? (Wondering)

 

[Nono713]

The requirement that $ed \equiv 1 \pmod{\varphi(n)}$ is actually too strong. All you need is that:
$$ed \equiv 1 \pmod{\mathrm{lcm}(p - 1, q - 1)}$$
But, yes, that is still wrong, as the lcm of 10 and 12 is 60, so 91 doesn't work out. A working $d$ is for example $d = 103$, or $d = 43$. Though $d = 13$ still "works" for a little more than half of all possible plaintext inputs, so the error isn't immediately visible. An example of failure, with $M = 2$:
$$2^7 \equiv 128 \pmod{143}$$
but
$$128^{13} \equiv 24 \not \equiv 2 \pmod{143}$$