论文信息 - On the Security of Server-Aided RSA Protocols

On the Security of Server-Aided RSA Protocols

In this paper we investigate the security of the server-aided RSA protocols RSA-S1 and RSA-S1M proposed by Matsumoto, Kato and Imai ([MKI89]) and Matsumoto, Imai, Laih and Yen ([MILY93]), respectively. In these protocols a smart card calculates an RSA signature with the aid of an untrusted powerful server. We focus on generic attacks, that is, passive attacks that do not exploit any special properties of the encoding of the group elements. Generic algorithms have been introduced by Nechaev ([Nec94]) and Shoup ([Sho97]). We prove lower bounds for the complexity of generic attacks on these two protocols and show that the bounds are sharp by describing attacks that almost match our lower bounds. To the best of our knowledge these are the first security proofs for efficient server-aided RSA protocols.

Johannes Merkle | Ralph Werchner

[1] Victor Shoup,et al. Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[2] Perfect, Generic Pseudo-Randomness for Cyclic Groups , 1998 .

[3] Chae Hoon Lim,et al. Security and Performance of Server-Aided RSA Computation Protocols , 1995, CRYPTO.

[4] V. Nechaev. Complexity of a determinate algorithm for the discrete logarithm , 1994 .

[5] Paul C. van Oorschot,et al. Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude , 1996, CRYPTO.

[6] Douglas R. Stinson,et al. Cryptography: Theory and Practice , 1995 .

[7] Hideki Imai,et al. Speeding Up Secret Computations with Insecure Auxiliary Devices , 1988, CRYPTO.

[8] Jean-Jacques Quisquater,et al. Fast Server-Aided RSA Signatures Secure Against Active Attacks , 1995, CRYPTO.

[9] Richard J. Lipton,et al. Algorithms for Black-Box Fields and their Application to Cryptography (Extended Abstract) , 1996, CRYPTO.

[10] Endre Szemerédi,et al. On the Complexity of Matrix Group Problems I , 1984, FOCS.

[11] Claus-Peter Schnorr. Security of Allmost ALL Discrete Log Bits , 1998, Electron. Colloquium Comput. Complex..

[12] Hideki Imai,et al. On Verifiable Implicit Asking Protocols for RSA Computation , 1992, AUSCRYPT.

[13] Ueli Maurer,et al. Lower Bounds on Generic Algorithms in Groups , 1998, EUROCRYPT.

[14] Birgit Pfitzmann,et al. Attacks on Protocols for Server-Aided RSA Computation , 1992, EUROCRYPT.