How (not) to Design RSA Signature Schemes.
Abstract:

The concept of public-key cryptography was invented in 1976 by Diffie and Hellman [DH]. The following year, Rivest, Shamir and Adleman provided an implementation of this idea [RSA]. The RSA signature, like any other signature, is message-dependent and signer-dependent. Thus, the recipient cannot modify the message and the signer cannot deny the validity of his signature. However, several attacks have appeared since. These attacks do not challenge RSA in itself but only the way to design a signature scheme based on it.