Furthermore, another version of the birthday attack can be used even if the
opponent has access to only one message and its valid signature and cannot
obtain multiple signings. Here is the scenario: We assume that the opponent
intercepts a message with a signature in the form of an encrypted hash code and
that the unencrypted hash code is bits long.
1. Use the algorithm defined at the beginning of this subsection to calculate the
unencrypted hash code .
2. Construct any desired message in the form .
3. Compute for .
4. Generate random blocks; for each block , compute . Generate
an additional random blocks; for each block , compute D( , ), where D is
the decryption function corresponding to E.
5. Based on the birthday paradox, with high probability there will be an and
such that .
6. Form the message , , . This message has the hash code
and therefore can be used with the intercepted encrypted signature.
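The steps above as a runnable sketch. This is an added example, not code from the original text. The hash algorithm the steps refer to is not reproduced on this page, so the chaining used here (each message block keys E over the running value, starting from 0), the toy 16-bit Feistel cipher behind E and D, and the names `chain_hash`, `forge` and `demo` are all assumptions. The short hash length is chosen so the square-root search cost is visible.

```python
import hashlib
import random

BITS = 16  # toy hash length (assumption) so the search finishes instantly

def _f(key: bytes, rnd: int, half: int) -> int:
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]

def E(key: bytes, block: int) -> int:
    """Toy 16-bit block cipher (assumed); the message block is the key."""
    l, r = block >> 8, block & 0xFF
    for rnd in range(4):
        l, r = r, l ^ _f(key, rnd, r)
    return (l << 8) | r

def D(key: bytes, block: int) -> int:
    """Decryption function corresponding to E."""
    l, r = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        l, r = r ^ _f(key, rnd, l), l
    return (l << 8) | r

def chain_hash(blocks, h=0):
    # Assumed construction: each message block keys E over the running value.
    for m in blocks:
        h = E(m, h)
    return h

def forge(prefix, target, rng):
    """Append two blocks to `prefix` so the result hashes to `target`."""
    h = chain_hash(prefix)
    # Forward table: 2^(BITS/2) random blocks X, indexed by E(X, h).
    forward = {}
    for _ in range(1 << (BITS // 2)):
        x = rng.getrandbits(64).to_bytes(8, "big")
        forward[E(x, h)] = x
    # Backward side: random Y until D(Y, target) meets the table (~2^(BITS/2) tries).
    while True:
        y = rng.getrandbits(64).to_bytes(8, "big")
        mid = D(y, target)
        if mid in forward:
            return prefix + [forward[mid], y]

def demo(seed=1):
    signed = [b"original", b" message"]  # constructed sample input
    forged = forge([b"replaced", b" content"], chain_hash(signed), random.Random(seed))
    return signed, forged

if __name__ == "__main__":
    signed, forged = demo()
    print(hex(chain_hash(signed)), hex(chain_hash(forged)), forged)
```

Both hash values printed are equal, so a signature computed over the first hash also verifies for the second message. A few hundred cipher operations suffice at 16 bits, which is why the hash length, not the cipher's key length, bounds the strength of such a construction.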