## **Q2: Signing with RSA**

Let $d$ denote the private key and $e$ the public key for RSA with modulus $N$, $M$ the message we want to sign and $σ$ the produced signature. A naive way to use RSA for digital signatures is to apply the private-key operation directly to the message, i.e. to "encrypt" $M$ under $d$. Consider the following signature scheme:

• **Sign:** $σ ← M^d \mod{N}$

• **Verify:** Compute $M'←σ^e \mod{N}$. Accept if M=M'

**Question - P1:** 
Show that this scheme is not unforgeable by constructing a valid signature for some message without knowledge of the private key $d$.

To show that the scheme is not unforgeable it is enough to exhibit an existential forgery: a pair $(M, σ)$ that passes verification, produced from the public key alone. Because verification only checks the equation $σ^e \equiv M \pmod N$, the forger can pick $σ$ first and let the equation define $M$.

1. **Given:**
    - Public key $(e, N)$
    - Verify: $M' ← σ^e \mod N$. Accept if $M = M'$

2. **Constructing a Forged Signature:**
    - Choose a random $σ'$ with $1 < σ' < N$
    - Compute $M' \leftarrow σ'^e \mod N$ using only the public key
    - Output $(M', σ')$ as the message-signature pair

3. **Verification:**
    - The verifier computes $σ'^e \mod N$, which equals $M'$ by construction, so the check succeeds and $σ'$ is accepted as a signature on $M'$
    - No step used $d$: the forger never signed anything, it solved the verification equation for $M$ instead of for $σ$

This is an existential forgery: the forger does not get to choose $M'$ (it comes out as an essentially random element of $\mathbb{Z}_N$), but for a signature scheme to be unforgeable no valid pair at all may be producible without $d$, so the scheme fails. The same algebra gives stronger attacks once the forger can obtain signatures: since $(M_1 M_2)^d \equiv M_1^d \cdot M_2^d \pmod N$, the product of valid signatures on $M_1$ and $M_2$ is a valid signature on $M_1 M_2 \bmod N$, a message the signer never approved.


Full Domain Hash (FDH) is a construction that also relies on RSA to produce digital signatures, but first passes the message through a cryptographic hash function $H$ whose output ranges over all of $\mathbb{Z}_N$ (hence "full domain") to avoid these issues. FDH behaves as follows:

• **Sign:** Compute $ h ← H(M) $ , and $σ ← h^d \mod{N}$

• **Verify:** Compute $h'←σ^e \mod{N}$. Accept if H(M)=h'

**Question - P2:**
What properties of the hash functions are we using to ensure that the previous attack no longer works?

- **Preimage Resistance:** This is the property that directly defeats the attack from P1. The forger can still pick $σ'$ and compute $h' = σ'^e \mod N$, but verification now requires a message $M$ with $H(M) = h'$. Finding such an $M$ for an $h'$ the forger did not choose is exactly a preimage search, which costs on the order of $2^{|h'|}$ hash evaluations for a secure $H$.

- **Second Preimage Resistance:** Even if the attacker holds a valid pair $(M, σ)$, they cannot find a different message $M' \neq M$ with $H(M') = H(M)$. Without this, $σ$ would verify for $M'$ as well, so one legitimately signed message could be replayed as a signature on another.

- **Collision Resistance:** The attacker cannot find any two messages $M \neq M'$ with $H(M) = H(M')$. Without this, an attacker could prepare a colliding pair in advance, get the signer to sign the harmless $M$ (a chosen-message attack), and present the resulting $σ$ as a signature on $M'$. Collision resistance implies second preimage resistance and is the stronger requirement whenever the attacker can influence what gets signed.

Hashing also removes the multiplicative structure that textbook RSA exposes: in general $H(M_1) \cdot H(M_2) \not\equiv H(M_1 M_2) \pmod N$, so the product of two valid FDH signatures is no longer a signature on any message the attacker can name. This is what the security proof of FDH captures by modelling $H$ as a random oracle.
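The following Python block is an added example for both P1 and P2, not code from the original page. It builds a toy RSA key from two small primes (an assumption made so the block runs instantly; the forgery works identically against a 2048-bit modulus because it only uses the verification equation), carries out the P1 existential forgery and the multiplicative forgery against textbook RSA, and then replays the same trick against FDH, where the forger is left with a preimage search. The hash `H` is approximated as SHA-256 reduced modulo `N`, which is a simplification of a real full-domain hash.

```python
"""Textbook RSA versus Full Domain Hash (FDH): forgery demonstration.

Added example, not the page's own code. Toy primes just above 10^6 and
2*10^6 keep the block instant; the textbook forgery works the same way
against a 2048-bit modulus because it only uses the verification equation.
"""
import hashlib
import random

E = 65537  # public exponent; assumption for this demo


def is_prime(n: int) -> bool:
    """Trial division, adequate for the toy key sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def keygen():
    """Deterministic toy RSA key: returns ((e, N), d)."""
    p, q = next_prime(1_000_000), next_prime(2_000_000)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # raises ValueError if gcd(E, phi) != 1
    return (E, n), d


# ---- Scheme from P1: sigma = M^d mod N, accept if sigma^e mod N == M ----

def textbook_sign(m: int, d: int, n: int) -> int:
    return pow(m, d, n)


def textbook_verify(m: int, sigma: int, e: int, n: int) -> bool:
    return pow(sigma, e, n) == m % n


def textbook_forge(e: int, n: int, seed: int = 0):
    """Existential forgery using only (e, N): choose sigma first, then let the
    verification equation define the message it is a signature on."""
    sigma = random.Random(seed).randrange(2, n - 1)
    m = pow(sigma, e, n)
    return m, sigma


def textbook_combine(sigma1: int, sigma2: int, n: int) -> int:
    """Homomorphic forgery: (M1^d)(M2^d) = (M1*M2)^d mod N, so two legitimate
    signatures multiply into a signature on a message nobody signed."""
    return (sigma1 * sigma2) % n


# ---- Scheme from P2: FDH, sigma = H(M)^d mod N ----

def fdh_hash(message: bytes, n: int) -> int:
    """Toy full-domain hash: SHA-256 reduced mod N. Real FDH expands the
    digest (e.g. with an MGF) so the result is near-uniform over Z_N; the
    bare reduction here is a simplification for the demo."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def fdh_sign(message: bytes, d: int, n: int) -> int:
    return pow(fdh_hash(message, n), d, n)


def fdh_verify(message: bytes, sigma: int, e: int, n: int) -> bool:
    return pow(sigma, e, n) == fdh_hash(message, n)


def fdh_forge_attempt(e: int, n: int, seed: int = 0, tries: int = 20_000):
    """Replay the P1 trick against FDH. sigma^e is now a hash value h', and the
    forger needs some message M with H(M) == h'. With a preimage-resistant H
    the only option is search; returns (M, sigma) if found, else None."""
    sigma = random.Random(seed).randrange(2, n - 1)
    target = pow(sigma, e, n)
    for i in range(tries):
        candidate = f"transfer #{i}".encode()  # constructed candidate messages
        if fdh_hash(candidate, n) == target:
            return candidate, sigma
    return None


if __name__ == "__main__":
    (e, n), d = keygen()
    m, sigma = textbook_forge(e, n, seed=2024)
    print("textbook forgery accepted:", textbook_verify(m, sigma, e, n))
    s1, s2 = textbook_sign(1234, d, n), textbook_sign(5678, d, n)
    print("product of signatures accepted on M1*M2:",
          textbook_verify(1234 * 5678 % n, textbook_combine(s1, s2, n), e, n))
    msg = b"pay 100 to alice"
    print("FDH genuine signature accepted:", fdh_verify(msg, fdh_sign(msg, d, n), e, n))
    print("FDH forgery attempt found a preimage:", fdh_forge_attempt(e, n, seed=2024) is not None)
```

Running the block prints `True` for the two textbook forgeries, `True` for the genuine FDH signature and `False` for the FDH forgery attempt: the forger can still produce a valid-looking $σ'^e \bmod N$, but without a preimage of that value under $H$ there is no message to attach it to.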