Abstract
In 2006, Bleichenbacher presented a new forgery attack against the signature scheme RSASSA-PKCS1-v1_5. The attack allows an adversary to forge a signature on almost arbitrary messages, if an implementation is not proper. Since the example was only limited to the case when the public exponent is 3 and the bit-length of the public composite is 3, 072, the potential threat is not known. This paper analyzes Bleichenbacher's forgery attack and shows applicable composite sizes for given exponents. Moreover, we extend Bleichenbacher's attack and show that when 1, 024-bit composite and the public exponent 3 are used, the extended attack succeeds the forgery with the probability 2-16.6.
