Attacks on Protocols for Server-Aided RSA Computation
At Crypto '88, Matsumoto, Kato, and Imai presented protocols for speeding up secret computations with insecure auxiliary devices. The two most important ones let a smart card compute the secret RSA operation faster with the help of a server that the card holder need not trust.
It was stated that, if RSA is secure, the protocols could only be broken by exhaustive search over certain spaces. Our main attacks show that much smaller search spaces suffice. These attacks are passive, and therefore undetectable.
It was already known that one of the protocols is vulnerable to active attacks. We show that the other protocol is vulnerable too. More importantly, we show that our attack may still work even if the smart card checks the correctness of the result; this check was previously believed to be a simple measure that excludes all active attacks.
Finally, we discuss attacks on related protocols.
Keywords: Smart Card, Active Attack, Parity Check Matrix, Electronics Letter, Chinese Remainder Theorem