We consider certain interactive protocols, based on RSA. In these protocols, a signature authority Z (which chooses the RSA-modulus N that is kept fixed) issues a fixed number of RSA-signatures to an individual A. These RSA-signatures consist of products of rational powers of residue classes modulo N; some of these residue classes are chosen by Z and the others can be chosen freely by A. Thus, A can influence the form of the signatures that he gets from Z. A wants to choose his residue classes in such a way that he can use the signatures he gets from Z to compute a signature of a type not issued by Z. In previous literature, some special cases of our protocols were considered, namely that only A chooses the residue classes ([Dav82], [Denn84], [DO85]) and that only Z chooses the residue classes [EvH92]. The results in our paper are used under the following assumptions:
• A cannot compute RSA-roots on randomly chosen residue classes modulo N.
• In his computations, A uses only multiplications and divisions modulo N.
Our main result gives a necessary and sufficient condition under which A is able to influence the signatures he gets from Z in such a way that he can use these RSA-signatures to compute a signature of a type not issued by Z. It turns out that this condition is equivalent to the solvability of a particular quadratic equation in integral matrices. We also study a particular case of this problem in more detail.
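The following is an added illustration, not code or notation from the paper: it works through the special case in which A chooses every residue class, and shows A deriving two signatures Z never issued using only multiplications and divisions modulo N. The toy modulus, the exponents E1 and E2, and all function names are assumptions made for the example.

```python
# Toy parameters, constructed for illustration (far too small for real use).
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)   # known to Z only
E1, E2 = 5, 13            # public exponents, coprime to PHI and to each other

def z_sign(x, e):
    """Z's side: return the RSA root x^(1/e) mod N."""
    return pow(x, pow(e, -1, PHI), N)

def verify(x, sig, e):
    """Public check that sig is an e-th root of x modulo N."""
    return pow(sig, e, N) == x % N

def ext_gcd(a, b):
    """Return (g, s, t) with s*a + t*b == g."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t

def a_product(x1, x2, e):
    """A's side: from roots of x1 and x2, derive a root of x1*x2."""
    s1, s2 = z_sign(x1, e), z_sign(x2, e)   # the two signatures Z issues
    return (x1 * x2) % N, (s1 * s2) % N     # one multiplication modulo N

def a_combine_roots(x):
    """A's side: from x^(1/E1) and x^(1/E2), derive x^(1/(E1*E2))."""
    r1, r2 = z_sign(x, E1), z_sign(x, E2)
    g, s, t = ext_gcd(E1, E2)               # s*E1 + t*E2 == 1
    if g != 1:
        raise ValueError("exponents must be coprime")
    # r2^s * r1^t = x^(s/E2 + t/E1) = x^((s*E1 + t*E2)/(E1*E2)).
    # A negative s or t is a division modulo N (Python 3.8+ pow).
    return (pow(r2, s, N) * pow(r1, t, N)) % N

if __name__ == "__main__":
    m, sig = a_product(1234, 5678, E1)
    print("root of a product Z never saw:", verify(m, sig, E1))
    sig = a_combine_roots(4321)
    print("root of a type Z never issued:", verify(4321, sig, E1 * E2))
```

Neither derivation requires A to compute an RSA root himself, which is why both are possible under the two assumptions listed in the abstract.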
CITATION STYLE
Evertse, J. H., & Van Heyst, E. (1993). Which new RSA signatures can be computed from RSA signatures, obtained in a specific interactive protocol? In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 658 LNCS, pp. 378–389). Springer Verlag. https://doi.org/10.1007/3-540-47555-9_31