3

I know that because of the multiplicative property of RSA

$s =(s_1s_2) \bmod n = (m_1m_2)^d \bmod n$

If Oscar now wants to sign his own message $m$, he chooses another message $m_1$ with $\gcd(m_1,n)=1$ and calculates $m_2 = m\cdot m_1^{-1} \bmod n$

After this part I don't understand the attack...

How is he now able to sign his own message $m$?

SEJPM
userkir

2 Answers

7

Suppose you want to obtain the signature $s = m^d \bmod n$ on a chosen message $m$. Here is that attack.

  1. You ask the signer to sign a random message $m_1$ and obtain the corresponding signature $s_1 = m_1^d \bmod n$;
  2. You compute message $m_2 := m\cdot m_1^{-1} \bmod n$ and ask the signer to sign message $m_2$; you obtain the signature $s_2 = m_2^d \bmod n$.

From the pairs $(m_1,s_1)$ and $(m_2,s_2)$, the signature $s$ on chosen message $m$ can be recovered as $s = s_1 \cdot s_2 \bmod n$.

To see it, observe that $s \equiv s_1 \cdot s_2 \equiv m_1^d \cdot m_2^d \equiv m_1^d \cdot (m\cdot m_1^{-1})^d \equiv m_1^d \cdot m^d \cdot m_1^{-d} \equiv m^d \pmod n$.


Note that you could obtain the signature on message $m$ by asking the signer for only one signature. Indeed, you can construct the pair $(m_1,s_1)$ in Step 1 above by yourself as follows: choose a random $s_1$ modulo $n$ and define $m_1 = s_1^e \bmod n$ (where $e$ is the public verification exponent). We then have $m_1^d \equiv s_1 \pmod n$ as required.

user94293
  • But why should Alice sign a single message for me? – userkir May 29 '16 at 08:44
  • The messages Alice is asked to sign are "random looking"---and so appear as innocent messages. Bob (the attacker) can for example tell Alice that the message represents a key and ask Alice to sign it to authenticate the key. From the received signature, Bob can then obtain the signature on chosen message $m$ (for example, $m =$ "Alice owes Bob \$1,000,000"). – user94293 May 29 '16 at 13:50
  • Okay, cool, that's interesting. But this wouldn't work if Alice and her partner used a hash function, right? – userkir May 29 '16 at 14:08
  • Correct in general (this depends on the hash function)---see Desmedt and Odlyzko (Crypto'85) though. But for example, if the hash function is a full-domain hash function (i.e., whose output range is $\{0, \dots, n-1\}$), the resulting signatures are secure. This is the well-known RSA-FDH signature scheme. – user94293 May 29 '16 at 14:36
3

The Procedure

Step 1: Factor the original signature $s$ into $s=\prod_{i=1}^n s_i$ and then exponentiate each signature with $e$ as in: $m=\prod_{i=1}^n s_i^e=\prod_{i=1}^n m_i$. Different methods to obtain multiple $s_i,m_i$ pairs work just as well, such as asking the signing oracle.

Step 2: Build a new message with a valid signature as the product of any subset of the $m_i$, e.g. $m'=\prod_{k\in M'\subseteq \{m_1,...,m_n\}}m_k$. Now build the same product for the signatures and you've successfully forged your message: $s'=\prod_{k\in S'\subseteq \{s_1,...,s_n\}}s_k$ where $S'$ is the corresponding set of signatures to $M'$.


The Theory

The theory behind step 2 is exactly as you'd have imagined, e.g. you have some $(m_i,s_i=m_i^d \bmod n)$ pairs and multiply the signatures to get the new signature $s'=s_1\cdot s_2 \cdot ... \cdot s_n=m_1^d\cdot m_2^d \cdot ... \cdot m_n^d=(m_1\cdot m_2 \cdot ... \cdot m_n)^d=(m')^d$ which by definition of the RSA signature scheme is a valid signature for $m'$.


The (simple) Example

Let's take the example from the comments: $p=3,q=11,n=33,\varphi(n)=20,e=3,d=7$ and we are provided with two message / signature pairs: $(m_1,s_1)=(4,16),(m_2,s_2)=(6,30)$.

Now let's skip step 1 for now and directly proceed with step 2 (as we already have more than one message-signature-pair). Step 2 says: "select any message-signature-pairs and multiply them together". So we have $m'=m_1\cdot m_2\bmod n=(4\cdot 6) \bmod 33 = 24$ and we have $s'=s_1\cdot s_2 \bmod n=16\cdot 30 \bmod 33=18$. Thus we have constructed the message-signature-pair $(24,18)$.

Let's also quickly apply the theory part here: $m^d\bmod n$ is a valid signature for any message $m$. $s'=16\cdot 30 \bmod 33=(4^7\bmod 33)\cdot (6^7 \bmod 33) =(4\cdot 6 )^7 \bmod 33=(24)^7\bmod 33 = 18$

SEJPM
  • I have for example n =33, phi(n)=20, e =3

    Alice did send Bob two messages --> (m,s) = (4,16) and (6,30)

    Then we calculated m' = (4·6 mod 33 = 24) and s' = (16·30 mod 33 = 18)

    – userkir May 28 '16 at 15:08
  • Yet, I still do not get the second part, where we have to build our own new message – userkir May 28 '16 at 15:14
  • @userkir I have tried to clarify my answer, tell me if there's still something unclear. – SEJPM May 28 '16 at 17:30
  • I'm really thankful for the answers.

    Nearly everything is clear except for m'. So in this case Oscar can't choose the message m' freely, can he?

    – userkir May 28 '16 at 18:25
  • @userkir, no he can't. $m'$ must be constructed from what you can extract from the given set of signatures / messages. – SEJPM May 28 '16 at 18:27
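
The forgeries from both answers above, run on the toy parameters of the second answer ($n=33$, $e=3$, $d=7$), as an added example that is not part of the original posts. The `Signer` class, the function names and the target message 5 are assumptions made for illustration; the signer logs every message it is asked to sign so the result can be compared with what it actually approved.

```python
# Toy parameters from the thread: p=3, q=11, n=33, e=3, d=7 (illustration only).
from math import gcd

N, E, D = 33, 3, 7

class Signer:
    """Textbook (unhashed, unpadded) RSA signer that records what it signs."""
    def __init__(self):
        self.seen = []
    def sign(self, m):
        self.seen.append(m % N)
        return pow(m, D, N)

def verify(m, s):
    return pow(s, E, N) == m % N

def forge_two_queries(signer, m, m1):
    """First answer: query m1 and m2 = m * m1^-1, then multiply the results."""
    assert gcd(m1, N) == 1
    m2 = m * pow(m1, -1, N) % N
    return signer.sign(m1) * signer.sign(m2) % N

def forge_one_query(signer, m, s1):
    """First answer, closing note: pick s1, derive m1 = s1^e, query only m2."""
    m1 = pow(s1, E, N)
    assert gcd(m1, N) == 1
    m2 = m * pow(m1, -1, N) % N
    return s1 * signer.sign(m2) % N

def combine(pairs):
    """Second answer: multiply known pairs; m' is determined by the pairs."""
    m_new = s_new = 1
    for m, s in pairs:
        m_new, s_new = m_new * m % N, s_new * s % N
    return m_new, s_new

def demo():
    target = 5                      # constructed target message
    a, b = Signer(), Signer()
    s_two = forge_two_queries(a, target, m1=2)
    s_one = forge_one_query(b, target, s1=2)
    return s_two, a.seen, s_one, b.seen, combine([(4, 16), (6, 30)])

if __name__ == "__main__":
    print(demo())
```

In both chosen-message runs the signer's log contains only the blinded values, never the target itself, which is the structure that signing a full-domain hash of the message (RSA-FDH, mentioned in the comments) takes away.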