
On the security of server-aided RSA protocols

  • Johannes Merkle
  • Ralph Werchner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1431)

Abstract

In this paper we investigate the security of the server-aided RSA protocols RSA-S1 and RSA-S1M, proposed by Matsumoto, Kato and Imai ([MKI89]) and by Matsumoto, Imai, Laih and Yen ([MILY93]), respectively. In these protocols a smart card computes an RSA signature with the aid of an untrusted but computationally powerful server. We focus on generic attacks, that is, passive attacks that do not exploit any special properties of the encoding of the group elements; generic algorithms were introduced by Nechaev ([Nec94]) and Shoup ([Sho97]). We prove lower bounds on the complexity of generic attacks on these two protocols and show that the bounds are sharp by describing attacks that almost match them. To the best of our knowledge these are the first security proofs for efficient server-aided RSA protocols.
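The abstract describes the setting only in outline. The following Python model is an added illustration, not code from the paper or from [MKI89]: it assumes an RSA-S1-style split in which the card writes its secret exponent as d = sum_i f_i * D_i (mod phi(n)), hands the public vector D to the server, and keeps the secret low-weight 0/1 vector f. The server does the expensive exponentiations, the card multiplies a few results together, and a passive eavesdropper who sees the whole exchange mounts the simplest generic attack, a search over candidate supports of f that uses only group multiplications and equality tests. The key, message and parameters (M, WEIGHT) are constructed toy values, far too small for real use; the function names (card_setup, server_exponentiate, card_combine, passive_generic_attack, sign_with_server) are this example's own.

```python
"""Toy model of a server-aided RSA signature in the RSA-S1 style (illustration only).

Assumed protocol: d = sum_i f_i * D_i (mod phi(n)), D = (D_1..D_M) public and sent
to the server, f a secret 0/1 vector of Hamming weight m that stays on the card.
"""
import secrets
from itertools import combinations

# Constructed toy key: chosen so the example runs instantly, not for security.
P, Q = 10007, 10009
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D_SECRET = pow(E, -1, PHI)          # private exponent d (Python 3.8+)

M, WEIGHT = 10, 3                   # number of public D_i, Hamming weight of f


def card_setup(d, phi, M, m, rng=None):
    """Split d into public D (for the server) and secret f (kept on the card).

    All D_i are uniform mod phi except one balancing entry D_j with f_j = 1,
    set so that sum_{f_i = 1} D_i == d (mod phi). Because the other D_i are
    uniform, D_j is uniform too, so D by itself leaks nothing about f.
    """
    if rng is None:
        rng = secrets.SystemRandom()
    positions = sorted(rng.sample(range(M), m))
    f = [1 if i in positions else 0 for i in range(M)]
    D = [rng.randrange(phi) for _ in range(M)]
    j = positions[0]
    D[j] = (d - sum(D[i] for i in positions[1:])) % phi
    return D, f


def server_exponentiate(x, D, n):
    """Untrusted server: returns z_i = x^{D_i} mod n for every public D_i."""
    return [pow(x, Di, n) for Di in D]


def card_combine(z, f, n, x, e):
    """Card: multiply the m responses selected by f and verify the result.

    The check s^e == x (mod n) costs one public-exponent exponentiation and
    rejects a server that returns wrong z_i. That is an active attack, outside
    the passive model the paper analyses, but the check is essential in practice.
    """
    s = 1
    for zi, fi in zip(z, f):
        if fi:
            s = (s * zi) % n
    if pow(s, e, n) != x:
        raise ValueError("server response does not verify; signature rejected")
    return s


def passive_generic_attack(D, z, s, m, n):
    """Eavesdropper: from one transcript (D, z, s) recover the support of f.

    Generic in the paper's sense: only group multiplications and equality tests,
    never the representation of residues mod n. Naive enumeration costs C(M, m)
    candidate products; the paper's lower bounds say how much better any generic
    attack can do. Returns the support and d' = sum_{i in support} D_i, which is
    congruent to d mod phi(n) and therefore signs as well as d does.
    """
    for support in combinations(range(len(z)), m):
        prod = 1
        for i in support:
            prod = (prod * z[i]) % n
        if prod == s:
            return list(support), sum(D[i] for i in support)
    return None


def sign_with_server(x):
    """Run one full protocol instance; returns (D, z, s, f) for inspection."""
    D, f = card_setup(D_SECRET, PHI, M, WEIGHT)
    z = server_exponentiate(x, D, N)
    s = card_combine(z, f, N, x, E)
    return D, z, s, f


if __name__ == "__main__":
    x = 123456789 % N   # constructed message representative
    D, z, s, f = sign_with_server(x)
    support, d_prime = passive_generic_attack(D, z, s, WEIGHT, N)
    print("secret support of f:", [i for i, fi in enumerate(f) if fi])
    print("recovered by passive search:", support)
    print("forged signature verifies:", pow(pow(x, d_prime, N), E, N) == x)
```

With M = 10 and weight 3 the search tries at most 120 products, which is why the toy breaks instantly; a real deployment picks M and m so that C(M, m) (and the better generic attacks the paper describes) is out of reach, and the lower bounds are what justify that choice.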

Keywords

server-aided secret computation; RSA signature; generic algorithms


References

  1. [BL96]
    D. Boneh and R. Lipton. Algorithms for black-box fields and their application to cryptography. In Advances in Cryptology — Proceedings of Crypto '96, volume 1109 of Lecture Notes in Computer Science, pages 283–297. Springer Verlag, 1996.
  2. [Bol78]
    B. Bollobás. Extremal graph theory, volume 11 of L. M. S. Monographs, page 158. Academic Press, London, 1978.
  3. [BQ95]
    P. Béguin and J. J. Quisquater. Fast server-aided RSA signatures secure against active attacks. In Advances in Cryptology — Proceedings of Crypto '95, volume 963 of Lecture Notes in Computer Science, pages 57–69. Springer Verlag, 1995.
  4. [BS84]
    L. Babai and E. Szemerédi. On the complexity of matrix group problems I. In 25th Annual Symposium on Foundations of Computer Science (FOCS '84), pages 229–240, 1984.
  5. [LL95]
    C. H. Lim and P. J. Lee. Security and performance of server-aided RSA computation protocols. In Advances in Cryptology — Proceedings of Crypto '95, volume 963 of Lecture Notes in Computer Science, pages 70–83. Springer Verlag, 1995.
  6. [LLMP90]
    A. K. Lenstra, H. W. Lenstra, M. Manasse, and J. M. Pollard. The number field sieve. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC), pages 564–572, 1990.
  7. [MILY93]
    T. Matsumoto, H. Imai, C. S. Laih, and S. M. Yen. On verifiable implicit asking protocols for RSA computation. In Advances in Cryptology — Proceedings of Auscrypt '92, volume 718 of Lecture Notes in Computer Science, pages 296–307. Springer Verlag, 1993.
  8. [MKI89]
    T. Matsumoto, K. Kato, and H. Imai. Speeding up computation with insecure auxiliary devices. In Advances in Cryptology — Proceedings of Crypto '88, volume 403 of Lecture Notes in Computer Science, pages 497–506. Springer Verlag, 1989.
  9. [MS]
    J. Merkle and C. P. Schnorr. Perfect, generic pseudo-randomness for cyclic groups. Unpublished.
  10. [MW]
    U. Maurer and S. Wolf. Lower bounds on generic algorithms in groups. To appear in Proceedings of Eurocrypt '98.
  11. [Nec94]
    V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994.
  12. [PW93]
    B. Pfitzmann and M. Waidner. Attacks on protocols for server-aided RSA computation. In Advances in Cryptology — Proceedings of Eurocrypt '92, volume 658 of Lecture Notes in Computer Science, pages 153–162. Springer Verlag, 1993.
  13. [Sch]
    C. P. Schnorr. Security of arbitrary RSA and of all discrete log bits. Unpublished.
  14. [Sho97]
    V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology — Proceedings of Eurocrypt '97, volume 1233 of Lecture Notes in Computer Science, pages 256–266. Springer Verlag, 1997.
  15. [Sti95]
    D. R. Stinson. Cryptography: Theory and Practice. CRC Press, 1995.
  16. [vOW96]
    P. van Oorschot and M. Wiener. Improving implementable meet-in-the-middle attacks by orders of magnitude. In Advances in Cryptology — Proceedings of Crypto '96, volume 1109 of Lecture Notes in Computer Science, pages 229–236. Springer Verlag, 1996.

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Johannes Merkle (1)
  • Ralph Werchner (1)
  1. Universität Frankfurt, Frankfurt, Germany
