Virtual Smart Cards: How to Sign with a Password and a Server

  • Jan Camenisch
  • Anja LehmannEmail author
  • Gregory Neven
  • Kai Samelin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9841)


An important shortcoming of client-side cryptography on consumer devices is the poor protection of secret keys. Encrypting the keys under a human-memorizable password hardly offers any protection when the device is stolen. Trusted hardware tokens such as smart cards can provide strong protection of keys but are cumbersome to use. We consider the case where secret keys are used for digital signatures and propose a password-authenticated server-aided signature \(\mathsf {Pass2Sign}\) protocol, where signatures are collaboratively generated by a device and a server, while the user authenticates to the server with a (low-entropy) password. Neither the server nor the device store enough information to create a signature by itself or to perform an offline attack on the password. The signed message remains hidden from the server. We argue that our protocol offers comparable security to trusted hardware, but without its inconveniences. We prove it secure in the universal composability (UC) framework in a very strong adaptive corruption model where, unlike standard UC, the adversary does not obtain past inputs and outputs upon corrupting a party. This is crucial to hide previously entered passwords and messages from the adversary when the device gets corrupted. The protocol itself is surprisingly simple: it is round-optimal, efficient, and relies exclusively on standard primitives such as hash functions and RSA. The security proof involves a novel random-oracle programming technique.


Smart Card Random Oracle Blind Signature Ideal Functionality Trapdoor Permutation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Algesheimer, J., Camenisch, J., Shoup, V.: Efficient computation modulo a shared secret with application to the generation of shared safe-prime products. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 417–432. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. 2.
    Almansa, J.F., Damgård, I.B., Nielsen, J.B.: Simplified threshold RSA with adaptive and proactive security. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 593–611. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Beaver, D., Haber, S.: Cryptographic protocols provably secure against dynamic adversaries. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 307–323. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-rsa-inversion problems and the security of Chaum’s blind signature scheme. J. Cryptol. 16(3), 185–215 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS 1993, pp. 62–73 (1993)Google Scholar
  6. 6.
    Bellare, M., Sandhu, R.S.: The security of practical two-party RSA signature schemes. ePrint Report 2001/060 (2001)Google Scholar
  7. 7.
    Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the gap-diffie-hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Boyd, C.: Digital multisignatures. In: Cryptography and Coding 1989, pp. 241–246 (1989)Google Scholar
  9. 9.
    Camenisch, J., Enderlein, R.R., Neven, G.: Two-server password-authenticated secret sharing UC-secure against transient corruptions. ePrint Report 2015/006 (2015)Google Scholar
  10. 10.
    Camenisch, J., Enderlein, R.R., Shoup, V.: Practical and employable protocols for UC-secure circuit evaluation over \(\mathbb{Z}\) \(_\text{ n }\). In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 19–37. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. 11.
    Camenisch, J., Lehmann, A., Neven, G., Samelin, K.: Virtual smart cards: how to sign with a password and a server. ePrint Report 2015/1101 (2015)Google Scholar
  12. 12.
    Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. ePrint Report 2000/067 (2000)Google Scholar
  13. 13.
    Canetti, R.: Universally composable signature, certification, and authentication. In: CSFW 2004, pp. 219–233 (2004)Google Scholar
  14. 14.
    Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404–421. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Coron, J.-S.: On the exact security of full domain hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  16. 16.
    Damgård, I., Mikkelsen, G.L.: On the theory and practice of personal digital signatures. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 277–296. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    Desmedt, Y.G., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, Heidelberg (1990)Google Scholar
  18. 18.
    Fehr, S., Hofheinz, D., Kiltz, E., Wee, H.: Encryption schemes secure against chosen-ciphertext selective opening attacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 381–402. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  19. 19.
    Ganesan, R.: Yaksha: augmenting kerberos with PKC. In: NDSS 1995, pp. 132–143 (1995)Google Scholar
  20. 20.
    Gennaro, R., Rabin, T., Jarecki, S., Krawczyk, H.: Robust and efficient sharing of RSA functions. J. Cryptol. 13(2), 273–300 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Gjøsteen, K.: Partially blind password-based signatures using elliptic curves. ePrint Report 2013/472 (2013)Google Scholar
  22. 22.
    Gjøsteen, K., Thuen, Ø.: Password-based signatures. In: Petkova-Nikova, S., Pashalidis, A., Pernul, G. (eds.) EuroPKI 2011. LNCS, vol. 7163, pp. 17–33. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  23. 23.
    Gosney, J.M.: Password cracking HPC. In: Passwords\(\hat{~}\)12 Conference (2012)Google Scholar
  24. 24.
    Hazay, C., Mikkelsen, G.L., Rabin, T., Toft, T.: Efficient RSA key generation and threshold paillier in the two-party setting. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 313–331. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  25. 25.
    Hazay, C., Patra, A., Warinschi, B.: Selective opening security for receivers. ePrint Report 2015/860 (2015)Google Scholar
  26. 26.
    He, Y.-Z., Wu, C.-K., Feng, D.-G.: Server-aided digital signature protocol based on password. In: CCST 2005, pp. 89–92 (2005)Google Scholar
  27. 27.
    Hofheinz, D., Müller-Quade, J.: Universally composable commitments using random oracles. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 58–76. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  28. 28.
    Kiayias, A., Zhou, H.-S.: Equivocal blind signatures and adaptive UC-security. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 340–355. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  29. 29.
    Kömmerling, O., Kuhn, M.G.: Design principles for tamper-resistant smartcard processors. In: WOST 1999 (1999)Google Scholar
  30. 30.
    MacKenzie, P.D., Reiter, M.K.: Networked cryptographic devices resilient to capture. Int. J. Inf. Sec. 2(1), 1–20 (2003)CrossRefGoogle Scholar
  31. 31.
    Mannan, M., van Oorschot, P.C.: Using a personal device to strengthen password authentication from an untrusted computer. In: FC 2007, pp. 88–103 (2007)Google Scholar
  32. 32.
    Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  33. 33.
    Rabin, T.: A simplified approach to threshold and proactive RSA. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 89–104. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  34. 34.
    Venkitasubramaniam, M.: On adaptively secure protocols. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 455–475. Springer, Heidelberg (2014)Google Scholar
  35. 35.
    Xu, S., Sandhu, R.: Two efficient and provably secure schemes for server-assisted threshold signatures. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 355–372. Springer, Heidelberg (2003)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Jan Camenisch
    • 1
  • Anja Lehmann
    • 1
    Email author
  • Gregory Neven
    • 1
  • Kai Samelin
    • 1
    • 2
  1. 1.IBM Research – ZurichRüschlikonSwitzerland
  2. 2.Technische Universität DarmstadtDarmstadtGermany

Personalised recommendations