LOGBOOK

HELP

Quiz Entry - updated: 2026.07.10

Even without the secret key, how can an attacker forge a valid RSA signature out of two signatures they already have?

Multiply them: if $s_1 = m_1^d$ and $s_2 = m_2^d$ are valid signatures, then $s_1 \cdot s_2 \bmod N$ is a valid signature of the message $m_1 \cdot m_2 \bmod N$ — RSA's multiplicative homomorphism lets signatures combine.

Two-signature forgery: s1 x s2 signs m1 x m2, using no secret key

* Multiplying two valid signatures yields a valid signature of the product message — public information only, d never touched. *

RSA signing inherits the same homomorphism as RSA encryption: raising to the exponent $d$ distributes over multiplication, so

$$(m_1 \cdot m_2)^d \equiv m_1^{\,d} \cdot m_2^{\,d} \pmod N.$$

An attacker who has collected two legitimately signed pairs $(m_1, s_1)$ and $(m_2, s_2)$ can therefore compute

$$s^* \equiv s_1 \cdot s_2 \pmod N,$$

and $s^*$ verifies correctly as the signature of $m^* \equiv m_1 \cdot m_2 \pmod N$ — all from public information, never recovering $d$. As with existential forgery, the attacker can't choose a meaningful $m^*$; it just falls out as the product. But a signature scheme must reject even a nonsensical forgery — "a cryptosystem must not admit any successful attack, whether or not it is practically useful." The cure is the same one that fixes existential forgery: hash-then-sign with padding (PKCS#1 / PSS). Once the signed value is $h(m)$ wrapped in a fixed format, the raw product $s_1 \cdot s_2$ no longer corresponds to any correctly-padded message, so the multiplicative trick fails.

Contrast with existential forgery: that attack starts from nothing (pick $s$, let $M = s^e$ fall out); this one starts from two real signatures and combines them. Both exploit that verification uses only the public exponent.

Go deeper:

From Quiz: KRYPTOG / Digital Signatures and Advanced Public Key Techniques | Updated: Jul 10, 2026