Shamir (1993) presented a family of cryptographic signature schemes based on birational permutations of the integers modulo a large integer <i>N</i> of unknown factorization. These schemes are attractive because of the low computational requirements, both for signature generation and signature verification. However, the two schemes presented in Shamir's paper are weak. We show how to break the first scheme, by first reducing it algebraically to the earlier Ong-Schnorr-Shamir signature scheme (1984), and then applying the Pollard (1987) solution to that scheme. We then show some attacks on the second scheme. These attacks give ideas which can be applied to schemes in this general family
