Multi-round passive attacks on server-aided RSA protocols

At Crypto'88, Matsumoto, Kato, and Imai presented two server-aided RSA protocols, RSA-S1 and RSA-S2, which speed up a client's RSA signature generation by interacting with a computationally strong but untrusted server. These protocols are quite attractive due to their efficiency, but unfortunately they are susceptible to multi-round active attacks. Therefore, at Eurocrypt'92, Pfitzmann and Waidner suggested renewing the decomposition of the secret key after each signature generation. In this paper we show that in this case the non-binary version of RSA-S1 becomes totally insecure. Our experiments show that the secret key can be reconstructed very efficiently by lattice reduction using the data obtained by the server in the course of several executions of the protocol. On the other hand, we show that if the decomposition of the secret key is modified slightly, our attacks become inefficient. This modification does not affect the efficiency of the protocol significantly. Furthermore, we present a very simple attack on the server-aided RSA protocol presented by Hong, Shin, Lee-Kwang and Yoon at ICISC'98. Using the parameters suggested by the authors, we can factor the modulus in only 2 steps.

[1] Ross Anderson, et al. Attack on server assisted authentication protocols, 1992.

[2] Miklós Ajtai, et al. The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract), 1998, STOC '98.

[3] Claus-Peter Schnorr, et al. Attacking the Chor-Rivest Cryptosystem by Improved Lattice Reduction, 1995, EUROCRYPT.

[4] Birgit Pfitzmann, et al. Attacks on Protocols for Server-Aided RSA Computation, 1992, EUROCRYPT.

[5] Jean-Jacques Quisquater, et al. Fast Server-Aided RSA Signatures Secure Against Active Attacks, 1995, CRYPTO.

[6] A. Odlyzko, et al. Lattice points in high-dimensional spheres, 1990.

[7] Claus-Peter Schnorr, et al. Lattice basis reduction: Improved practical algorithms and solving subset sum problems, 1991, FCT.

[8] Atsushi Shimbo, et al. Performance Analysis of Server-Aided Secret Computation Protocols for the RSA Cryptosystem, 1990.

[9] Johannes Merkle, et al. On the Security of Server-Aided RSA Protocols, 1998, Public Key Cryptography.

[10] Hideki Imai, et al. Speeding Up Secret Computations with Insecure Auxiliary Devices, 1988, CRYPTO.

[11] Hyunsoo Yoon, et al. A new approach to server-aided secret computation, 1998, ICISC.

[12] Hideki Imai, et al. On Verifiable Implicit Asking Protocols for RSA Computation, 1992, AUSCRYPT.

[13] Chae Hoon Lim, et al. Security and Performance of Server-Aided RSA Computation Protocols, 1995, CRYPTO.

[14] Gwoboa Horng. An Active Attack on Protocols for Server-Aided RSA Signature Computation, 1998, Inf. Process. Lett.

[15] Kenneth J. Giuliani. Factoring Polynomials with Rational Coefficients, 1998.

[16] M. De Soete, et al. Speeding up smart card RSA computations with insecure coprocessors, 1991.

[17] Chris J. Mitchell, et al. Parameter Selection for Server-Aided RSA Computation Schemes, 1994, IEEE Trans. Computers.