Cryptanalysis of Countermeasures Proposed for Repairing ISO 9796-1

Marc Girault and Jean-François Misarsky

France Télécom - CNET
42 rue des Coutures, B.P. 6243
14066 Caen CEDEX 4, France
{marc.girault,jeanfrancois.misarsky}@cnet.francetelecom.fr

Abstract. ISO 9796-1, published in 1991, was the first standard specifying a digital signature scheme with message recovery. In [4], Coron, Naccache and Stern described an attack on a slight modification of ISO 9796-1. Then, Coppersmith, Halevi and Jutla turned it into an attack against the standard in full [2]. They also proposed five countermeasures for repairing it. In this paper, we show that all these countermeasures can be attacked, either by using already existing techniques (including a very recent one), or by introducing new techniques, one of them based on the decomposition of an integer into sums of two squares.

1 Introduction: ISO 9796-1 and Forgery

The first standard for a digital signature scheme with message recovery is ISO 9796-1 [10]. At the end of the 80's, no hash-function standard was available. Consequently, ISO 9796-1 used only a redundancy function to resist attacks that exploit the multiplicative property of the RSA cryptosystem. The precautions taken in this standard are described in [8]. Until the rump session of Crypto '99, no known attack [13] was able to forge a signature complying with the ISO 9796-1 standard.

1.1 The ISO 9796-1 Standard

This standard specifies how a message $m$ is encoded to a valid message $\mu_{iso}(m)$ before applying the RSA signature function. Only redundancy is used, no hash function. The notation used in this paper to describe the encoding functions is the same as in [2]:

$s(x)$: the function mapping 4 bits of message to 4 bits of redundancy. It is a Hamming code (8, 8, 4).

$\bar{s}(x)$: the result of setting the most significant bit of $s(x)$ to 1:

$$\bar{s}(x) = s(x) \ \mathrm{OR}\ 1000 . \tag{1}$$

$\tilde{s}(x)$: the result of flipping the least significant bit of $s(x)$:

$$\tilde{s}(x) = s(x) \oplus 0001 . \tag{2}$$

B. Preneel (Ed.): EUROCRYPT 2000, LNCS 1807, pp. 81–90, 2000. © Springer-Verlag Berlin Heidelberg 2000
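The three nibble maps of Section 1.1, as an added example that is not part of the paper: it implements $s$, $\bar{s}$ and $\tilde{s}$ and checks the distance and structure of the redundancy they provide. The lookup table is the ISO 9796-1 nibble permutation as recalled from the standard (it is not printed on this page, so treat it as an assumption), and the helper names are hypothetical.

```python
from itertools import combinations

# Assumption: nibble permutation of ISO 9796-1, recalled from the standard,
# not taken from this page. S_TABLE[x] is s(x) for the 4-bit input x.
S_TABLE = [0xE, 0x3, 0x5, 0x8, 0x9, 0x4, 0x2, 0xF,
           0x0, 0xD, 0xB, 0x6, 0x7, 0xA, 0xC, 0x1]

def s(x):
    """4 bits of message -> 4 bits of redundancy."""
    if not 0 <= x <= 0xF:
        raise ValueError("s(x) is defined on 4-bit values only")
    return S_TABLE[x]

def s_bar(x):
    """Equation (1): set the most significant bit of s(x)."""
    return s(x) | 0b1000

def s_tilde(x):
    """Equation (2): flip the least significant bit of s(x)."""
    return s(x) ^ 0b0001

def codeword(x):
    """8-bit word built from a nibble and its redundancy (bit order is
    irrelevant for the Hamming-distance check below)."""
    return (s(x) << 4) | x

def min_distance():
    """Minimum Hamming distance between any two distinct codewords."""
    return min(bin(codeword(a) ^ codeword(b)).count("1")
               for a, b in combinations(range(16), 2))

def is_affine():
    """True if s(a ^ b) == s(a) ^ s(b) ^ s(0) for all nibbles a, b."""
    return all(s(a ^ b) == s(a) ^ s(b) ^ s(0)
               for a in range(16) for b in range(16))

def image_size(f):
    """Number of distinct outputs of a nibble map."""
    return len({f(x) for x in range(16)})

if __name__ == "__main__":
    print("min distance of x || s(x):", min_distance())
    print("s is affine over GF(2):  ", is_affine())
    print("|image(s_bar)|  =", image_size(s_bar))    # forcing a bit merges outputs
    print("|image(s_tilde)| =", image_size(s_tilde)) # XOR with a constant is a bijection
```

Forcing the top bit makes $\bar{s}$ two-to-one, while $\tilde{s}$ remains a permutation of the 16 nibble values.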