Cryptanalysis of Server-Aided RSA Protocols with Private-Key Splitting

We analyze the security and the efficiency of interactive protocols in which a client wants to delegate the computation of an RSA signature, given a public key, a public message and the secret signing exponent. We consider several protocols where the secret exponent is split using some algebraic decomposition. We first provide an exhaustive analysis of the delegation protocols in which the client outsources a single RSA exponentiation to the server. We then revisit the security of the protocols RSA-S1 and RSA-S2 that were proposed by Matsumoto, Kato and Imai in 1988. We present an improved lattice-based attack on RSA-S1 and propose a simple variant of this protocol that provides better efficiency for the same security level. Finally, we present the first attacks on the protocol RSA-S2, which employs the Chinese Remainder Theorem to speed up the client's computation. The efficiency of our (heuristic) attacks has been validated experimentally.
