Server-Aided Verification: Theory and Practice

  • Marc Girault
  • David Lefranc
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3788)


We introduce the server-aided verification (SAV) concept, which consists in speeding up the verification step of an authentication/signature scheme by delegating a substantial part of the computations to a powerful (but possibly untrusted) server. After giving some motivations for designing SAV protocols, we provide a simple but realistic model, which captures most situations one can meet in practice (note that this model is much more general than the one recently proposed by Hohenberger and Lysyanskaya, who require the server to be made of two software components which do not communicate with each other [14]). Then, we analyze and prove in this model the security of two existing SAV protocols, namely the Lim-Lee [15] modification of the Schnorr scheme [28] and the Girault-Quisquater variant [10] of the GPS scheme [7,24]. Finally, we propose a generic method for designing SAV versions of schemes based on bilinear maps, which can be applied to the Boneh-Boyen signature schemes [3], the Zhang-Safavi-Naini-Susilo [32] signature scheme and the Shao-Lu-Cao identification scheme [30].


Keywords: identification protocol, digital signature, interactive proof, zero-knowledge, discrete logarithm, non-repudiation, bilinear map, pairing


References

  1. Bellare, M., Garay, J.A., Rabin, T.: Fast Batch Verification for Modular Exponentiation and Digital Signatures. In: Nyberg, K. (ed.) [21], pp. 236–250
  2. Boneh, D., Boyen, X.: Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) [5], pp. 382–400
  3. Boneh, D., Boyen, X.: Short Signatures without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) [5], pp. 382–400
  4. Brickell, E.F., Gordon, D.M., McCurley, K.S., Wilson, D.B.: Fast Exponentiation with Precomputation (Extended abstract). In: Rueppel, R.A. (ed.) [27], pp. 200–207
  5. Cachin, C., Camenisch, J.L. (eds.): EUROCRYPT 2004. LNCS, vol. 3027. Springer, Heidelberg (2004)
  6. Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
  7. Girault, M.: Self-Certified Public Keys. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 490–497. Springer, Heidelberg (1991)
  8. Girault, M., Paillès, J.C.: On-line/Off-line RSA-like. In: International Workshop on Coding and Cryptography 2003 (2003)
  9. Girault, M., Poupard, G., Stern, J.: Some Modes of Use of the GPS Identification Scheme. In: 3rd Nessie Conference. Springer, Heidelberg (2002)
  10. Girault, M., Quisquater, J.J.: GQ + GPS = new ideas + new protocols. In: Eurocrypt 2002 - Rump Session (2002)
  11. Goldwasser, S., Micali, S., Rackoff, C.: The Knowledge Complexity of Interactive Proof Systems. In: 19th Annual ACM Symposium on the Theory of Computing, pp. 210–217 (1985)
  12. Goldwasser, S., Micali, S., Rivest, R.L.: A Digital Signature Scheme Secure against Adaptive Chosen-Message Attacks. SIAM Journal on Computing 17(2), 281–308 (1988)
  13. Guillou, L.C., Quisquater, J.J.: A Practical Zero-knowledge Protocol Fitted to Security Microprocessor Minimizing both Transmission and Memory. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988)
  14. Hohenberger, S., Lysyanskaya, A.: How to Securely Outsource Cryptographic Computations. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 264–282. Springer, Heidelberg (2005)
  15. Lim, C.H., Lee, P.J.: Server (prover/signer)-Aided Verification of Identity Proofs and Signatures. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 64–78. Springer, Heidelberg (1995)
  16. Matsumoto, T., Kato, K., Imai, H.: Speeding up Secret Computations with Insecure Auxiliary Devices. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 497–506. Springer, Heidelberg (1990)
  17. Mitsunari, S., Sakai, R., Kasahara, M.: A New Traitor Tracing. IEICE Trans. E85A(2), 481–484 (2002)
  18. M'Raihi, D., Naccache, D.: Couponing Scheme Reduces Computational Power Requirements for DSS Signatures. In: CardTech, pp. 99–104 (1994)
  19. Nguyen, P.Q., Shparlinski, I.E.: On the Insecurity of a Server-Aided RSA Protocol. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 21–35. Springer, Heidelberg (2001)
  20. Nguyên, P.Q., Stern, J.: The Béguin-Quisquater Server-Aided RSA Protocol from Crypto '95 is not Secure. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 372–379. Springer, Heidelberg (1998)
  21. Nyberg, K. (ed.): EUROCRYPT 1998. LNCS, vol. 1403. Springer, Heidelberg (1998)
  22. Pfitzmann, B., Waidner, M.: Attacks on Protocols for Server-Aided RSA Computation. In: Rueppel, R.A. (ed.) [27], pp. 153–162
  23. Pointcheval, D., Stern, J.: Security Proofs for Signature Schemes. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996)
  24. Poupard, G., Stern, J.: Security Analysis of a Practical "on the fly" Authentication and Signature Generation. In: Nyberg, K. (ed.) [21], pp. 422–436
  25. Rabin, M.O.: Digitalized Signatures and Public-Key Functions as Intractable as Factorization. Technical Report MIT/LCS/TR-212, Massachusetts Institute of Technology - Laboratory for Computer Science (January 1979)
  26. Rivest, R., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
  27. Rueppel, R.A. (ed.): EUROCRYPT 1992. LNCS, vol. 658. Springer, Heidelberg (1993)
  28. Schnorr, C.P.: Efficient Identification and Signatures for Smart Cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)
  29. Schnorr, C.P.: Efficient Signature Generation by Smart Cards. Journal of Cryptology 4(3), 161–174 (1991)
  30. Shao, J., Lu, R., Cao, Z.: A New Efficient Identification Scheme Based on the Strong Diffie-Hellman Assumption. In: International Symposium on Future Software Technology (2004)
  31. De Soete, M., Quisquater, J.J.: Speeding Up Smart Card RSA Computations with Insecure Coprocessors. In: Smart Card 2000, pp. 191–198 (1989)
  32. Zhang, F., Safavi-Naini, R., Susilo, W.: An Efficient Signature Scheme from Bilinear Pairing and its Applications. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 277–290. Springer, Heidelberg (2004)

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Marc Girault (1)
  • David Lefranc (1)
  1. France Telecom, Research and Development, Caen, France