The Béguin-Quisquater Server-Aided RSA Protocol from Crypto '95 is not Secure

A well-known cryptographic scenario is the following: a smart card wishes to compute an RSA signature with the help of an untrusted powerful server. Several protocols have been proposed to solve this problem, and many have been broken. There exist two kinds of attacks against such protocols: passive attacks (where the server follows the instructions) and active attacks (where the server may return false values). An open question in this field is the existence of efficient protocols (without expensive precomputations) provably secure against both passive and active attacks. At Crypto '95, Beguin and Quisquater tried to answer this question by proposing an efficient protocol which was resistant against all known passive and active attacks. In this paper, we present a very effective lattice-based passive attack against this protocol. An implementation is able to recover the secret factorization of an RSA-512 or RSA-768 key in less than 5 minutes once the card has produced about 50 signatures. The core of our attack is the basic notion of an orthogonal lattice which we introduced at Crypto '97 as a cryptographic tool.

[1]  László Lovász,et al.  Factoring polynomials with rational coefficients , 1982 .

[2]  Hideki Imai,et al.  On Verifiable Implicit Asking Protocols for RSA Computation , 1992, AUSCRYPT.

[3]  Ross Anderson,et al.  Attack on server assisted authentication protocols , 1992 .

[4]  Birgit Pfitzmann,et al.  Attacks on Protocols for Server-Aided RSA Computation , 1992, EUROCRYPT.

[5]  Jacques Stern,et al.  Cryptanalysis of the Ajtai-Dwork Cryptosystem , 1998, CRYPTO.

[6]  Hideki Imai,et al.  Speeding Up Secret Computations with Insecure Auxiliary Devices , 1988, CRYPTO.

[7]  Chae Hoon Lim,et al.  Security and Performance of Server-Aided RSA Computation Protocols , 1995, CRYPTO.

[8]  Jean-Jacques Quisquater,et al.  Fast Server-Aided RSA Signatures Secure Against Active Attacks , 1995, CRYPTO.

[9]  Jacques Stern,et al.  Merkle-Hellman Revisited: A Cryptanalysis of the Qu-Vanstone Cryptosystem Based on Group Factorizations , 1997, CRYPTO.

[10]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[11]  Shin-ichi Kawamura,et al.  Fast Server-Aided Secret Computation Protocols for Modular Exponentiation , 1993, IEEE J. Sel. Areas Commun..

[12]  Kenneth J. Giuliani Factoring Polynomials with Rational Coeecients , 1998 .

[13]  Chris J. Mitchell,et al.  Parameter Selection for Server-Aided RSA Computation Schemes , 1994, IEEE Trans. Computers.

[14]  Jacques Stern,et al.  Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC '97 , 1998, Selected Areas in Cryptography.