Abstract. Small units like chip cards have the possibility of computing, storing and protecting data. Today such chip cards have limited computing power, so some cryptographic protocols are too slow. Some new chip cards with secure fast coprocessors are coming but are not very reliable at the moment and a little bit expensive for some applications. In banking applications there are few servers (ATMs) relative to many small units: it is a better strategy to put the computing power into few large servers than into the not-very-often-used cards. A possible solution is to use the computing power of the (insecure) server to help the chip card. But it remains an open question whether it is possible to accelerate significantly RSA signatures using an insecure server with the possibility of active attacks: that is, when the server returns false values to get some part of the secret from the card. In this paper, we propose a new efficient protocol for accelerating RSA signatures, resistant against all known active and passive attacks. This protocol does not use expensive precomputations; the computation done by the card, the RAM used and the data transfers between the card and the server are small. With current chip cards it is thus possible to implement this protocol efficiently.
Introduction
Small devices, like chip cards or smart cards, are easy to carry and have the possibility of computing, storing and protecting data. Unfortunately, today such chip cards have limited computing power and some protocols are not executed in an efficient way: for example, public-key cryptographic protocols. Some new chip cards with fast and secure coprocessors are coming but are not reliable at the moment (due to problems of auxiliary memory) and are in some cases too expensive. Anyway, it is useful to have many cheap secure cards and to put the expensive part into one or few insecure servers.

* Part of this work was done while the author was visiting the Laboratoire de Microélectronique, Université Catholique de Louvain, Belgium.
** Supported by the Centre National de la Recherche Scientifique URA 1327.
A possible solution is to use an auxiliary unit such as a banking terminal, a card reader, etc., in order to help the chip card. In this paper we shall use the word card for the main unit and server for the auxiliary unit. From a theoretical point of view it is interesting to study how to share the computing power of two parties under some security constraints. This paper is a new efficient contribution to this important field.
If the server is secure and will not leak the secrets, it is possible to imagine a secure link between the card and the server: the card sends the secret values to be used to the server; the server computes the result and sends it back using the same secure link. The interesting (real-life) case is working with an insecure server. This server may then be under the influence of an opponent trying to obtain the secrets of the card or to cheat with a false result. The conclusion of this short analysis is that the card must protect its secrets and verify the computations received from the server. Let us remark that many proposed protocols ([11], [16], [10]) did not have a strong verification step and were then broken ([2], [13], [9]).
There exist two kinds of attacks against such protocols: classical searching ones are called passive attacks; specific ones, where the server returns false values to get some information from the card, are called active attacks.
Such protocols were first studied by Matsumoto and Kato [11], where a dishonest server could obtain the secret key by using only one false signature. But these attacks could be very easily defeated if the card checks the correctness of the computed signatures and by increasing the parameters used in [11]. On the other hand, Quisquater and De Soete's protocol is provably secure against passive attacks but it is much less efficient than Matsumoto, Kato and Imai's ones. Then Yen and Laih [16] and Matsumoto, Imai, Laih and Yen [10] presented improvements of the protocols presented in [11] secure against passive attacks: unfortunately they need expensive precomputations and thus they are not very efficient. Next, Kawamura and Shimbo [6] proposed four protocols provably secure against passive attacks: the first two are not very efficient and the last two are more efficient but need expensive precomputations. So, all previously known protocols secure against passive attacks are either inefficient or need expensive precomputations. Moreover, absolutely none of these protocols (provably secure against passive attacks or not) is secure against the active attacks presented in [13]. As is said in [6], it was an open question whether it is possible or not to construct a protocol secure against active attacks.
Burns and Mitchell [5] construct improvements of the two protocols presented in [11] (RSA-S1 and RSA-S2) that are secure against active attacks. Unfortunately, the first one (RSA-S1) is inefficient: the card has to do at least 188 modular multiplications for each signature. The second one (RSA-S2) is much more efficient but it ignores Pfitzmann and Waidner's attacks [13] and thus is not secure.
Lim and Lee [9] developed other protocols using precomputations, based on the two-phase protocols due to Matsumoto, Imai, Laih and Yen [10].
On the other hand, Béguin and Quisquater [3] give the first method for accelerating significantly DSS signatures [12] provably secure against both passive and active attacks.
But it remains an open question whether it is possible to accelerate significantly (without expensive precomputations) RSA signatures using an insecure server, in a way secure against both passive and active attacks. In this paper, we propose a new efficient protocol resistant against all known passive and active attacks, including those presented in [13]. Moreover, we will show that our protocol is secure against more specific passive attacks. This protocol does not use expensive precomputations; the computation done by the card, the RAM used and the data transfers between the card and the server are small. Thus, it is possible to implement this protocol efficiently with current chip cards.
We begin by giving some preliminaries, then we outline the protocol of Brickell, Gordon, McCurley and Wilson [4], which we will use. Then we describe our protocol and study its security. Finally, we expose the performances of this protocol.
Preliminaries
We denote by n the public modulus of RSA (n = pq), by s the secret signature key and by v the public verification key, such that s·v ≡ 1 mod φ(n) with φ(n) = (p − 1)(q − 1). The card receives the message M and wants to compute, using the server, the signature of M: i.e. S = M^s mod n.
For a number a, we denote by l(a) the number of bits of a, i.e. l(a) = ⌊log₂ a⌋ + 1, and for a set F, we denote by #F the cardinality of F. Let k = l(n) and let t = max(l(p), l(q)) − 1. In this paper, we will study the acceleration of RSA signatures with 512-bit numbers (k = 512) and with 768-bit numbers (k = 768). We denote by modular multiplication the multiplication of two k-bit numbers modulo a k-bit number. In this paper, the computations done by the card will be measured in terms of modular multiplications.

In our protocol, the x_i will be known by the server, which computes a^{x_i}, but x must be kept secret. Then the card must use constant time to obtain a^x; otherwise, by observing the time used to compute a^x, an opponent could obtain some information about x. A solution is an algorithm with a constant number of multiplications, using, if necessary, the simulation (same time, no operation) of some multiplications. During the computations, the card uses one of the two following methods.

where ϱ_p is a random number of {0, …, q − 2} and ϱ_q is a random number of {0, …, p − 2}:
8. The card sends to the server _p, _q.
9. The server computes and sends to the card y_p = M^{_p} mod n and y_q = M^{_q} mod n.
10. The card computes S_p = y_p z_p mod p and S_q = y_q z_q mod q.
11. Now the card computes S = w_q S_p + w_p S_q mod n.
12. The card verifies S^v mod n = M.
13. If the verification of step 12 is correct, then the card transmits S.
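As an added worked example (not code from the paper), the following Python simulates steps 9 to 13 above from both sides, with the card computing its secret-exponent powers by the constant-multiplication method the Preliminaries call for. The primes P and Q, the message, the reading of w_p and w_q as the usual CRT weights, and the split of the exponent between card and server are all constructed assumptions: steps 1 to 7 are not on this page, so the stand-in split only yields consistent y_p, z_p values and provides no acceleration by itself. The example shows an honest run passing the step 12 check, a server that returns a false y_p being refused in step 13, and the multiplication count of square-and-multiply-always being independent of the exponent's Hamming weight.

```python
# Added example (not the paper's code): steps 9-13 of the card/server protocol plus
# a constant-multiplication exponentiation for the card's secret exponents.
# Parameters are constructed and small; the exponent split below is an ASSUMPTION
# standing in for the missing steps 1-7 and gives no acceleration on its own.
import random

P = 1000000007   # constructed primes, both = 2 (mod 3), so that v = 3 is a valid RSA exponent
Q = 998244353
V = 3            # public verification key, as supposed in the Performances section


def l(a):
    """l(a) = floor(log2 a) + 1, the number of bits of a."""
    return a.bit_length()


def pow_naive(base, exp, n):
    """Left-to-right square-and-multiply. Returns (result, multiplications):
    the count depends on the Hamming weight of exp, which is what a timing observer learns."""
    r, count = 1, 0
    for bit in bin(exp)[2:]:
        r, count = r * r % n, count + 1
        if bit == "1":
            r, count = r * base % n, count + 1
    return r, count


def pow_constant(base, exp, n, width):
    """Square-and-multiply-always over a fixed width of exponent bits: exactly
    2*width multiplications whatever exp is. The multiply on a 0 bit is the
    'simulated' operation whose result is discarded by an arithmetic select.
    (Python ints are not constant-time; the invariant shown is the operation count.)"""
    r, count = 1, 0
    for i in range(width - 1, -1, -1):
        r, count = r * r % n, count + 1
        t, count = r * base % n, count + 1
        bit = (exp >> i) & 1
        r = bit * t + (1 - bit) * r      # keep t if bit == 1 else r, without branching on the secret
    return r, count


def crt_weights(p, q):
    """Assumed reading of the paper's w_p, w_q: w_q = 1 mod p and 0 mod q, w_p = 1 mod q and 0 mod p."""
    return p * pow(p, -1, q), q * pow(q, -1, p)


def server_step9(M, n, exp_p, exp_q, cheat=False):
    """Step 9 as performed by the server; a cheating (active) server returns a false y_p."""
    y_p, y_q = pow(M, exp_p, n), pow(M, exp_q, n)
    if cheat:
        y_p = (y_p + 1) % n
    return y_p, y_q


def card_steps10_13(M, n, p, q, v, y_p, y_q, z_p, z_q):
    """Steps 10-13: CRT recombination, verification, release only if the check passes."""
    w_p, w_q = crt_weights(p, q)
    S_p = (y_p % p) * z_p % p          # step 10: reduce the k-bit value mod p first (see Performances)
    S_q = (y_q % q) * z_q % q
    S = (w_q * S_p + w_p * S_q) % n    # step 11
    if pow(S, v, n) != M:              # step 12
        return None                    # step 13: a false S is never transmitted
    return S


def run_protocol(M, cheat=False, p=P, q=Q, v=V):
    n, phi = p * q, (p - 1) * (q - 1)
    s = pow(v, -1, phi)
    s_p, s_q = s % (p - 1), s % (q - 1)
    # ASSUMED stand-in for steps 1-7: exp_p, exp_q are disclosed to the server, and the card
    # keeps secret exponents such that y_p * z_p = M^s (mod p) and y_q * z_q = M^s (mod q).
    rng = random.Random(1)
    exp_p, exp_q = rng.randrange(1, p - 1), rng.randrange(1, q - 1)
    z_p, _ = pow_constant(M % p, (s_p - exp_p) % (p - 1), p, l(p))  # secret exponent: fixed count
    z_q, _ = pow_constant(M % q, (s_q - exp_q) % (q - 1), q, l(q))
    y_p, y_q = server_step9(M, n, exp_p, exp_q, cheat)
    return card_steps10_13(M, n, p, q, v, y_p, y_q, z_p, z_q)


if __name__ == "__main__":
    M = 123456789   # constructed message, already reduced mod n
    print("honest server:  ", run_protocol(M))
    print("cheating server:", run_protocol(M, cheat=True))
```

The cheating case is rejected deterministically here: with p ≡ 2 (mod 3) the map S ↦ S^3 is a bijection mod p, so any change to S_p changes S^v mod p and step 12 fails. The step 12 check is what turns a false server answer into a refused output rather than a leaked one, which is the point of the Active Attacks section.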
Security

An Exhaustive Search
A possible attack is to make an exhaustive search over s_1. We here describe two ways to perform this attack. The second way needs a lot of cache and RAM memory. Theoretically, way b's attack needs X (log X)^2 steps, but in practice the needed hundreds of gigabytes will be stored on "slow" discs instead of fast access memory. So, the practical complexity of the second way is about the same as the complexity of the first one. Hence, the parameters used in section 6.2 to counter way b's attack will be more secure than we need.
An Attack Using the LLL Algorithm [7]
We consider that the card computes several signatures. We denote by s_1^{[i]}

Consider for simplicity l(p) = l(q) = t + 1 = k/2. w(193) = 2^{194}. Recall that we must perform w( ) LLL reductions, so these attacks are ineffective.
Active Attacks
If the server cheats to obtain some information, the card will detect that. Then the card will not reveal the false value of S. Hence an active attack using only 
Performances
We suppose v = 3. We also suppose, for evaluating the computations done by the card, that l(p) = k/2 and l(q) = k/2. We use the results explained in section 2; all values used here are clearly more precise than needed, but in order to avoid accumulating error factors, we will approximate the results only at the end of the analysis.
Computations done by the Card
The card must multiply a k/2-bit number (say y) by a k-bit number (say z) modulo a k/2-bit number (say p). The best way is to compute z mod p, then multiply the two k/2-bit numbers and then take the result modulo p.

We consider now the RAM. In step 2, the card chooses a_0 and x_0 and computes s_1 = a_0 x_0, then sends x_0 to the server. Then it chooses a_1, x_1 and computes s_1 := s_1 + a_1 x_1, and so on. The card keeps in memory s_1, a_0, …, a_{m−1}, x_i. Hence it is easy to see that the maximum RAM needed by the card is in step 6. In step 6, the card must store:

Case 1: s_1, a_0, …, a_{m−1}, A, B, z_i, n. The needed RAM is 4k + t − 2 + m log₂(h + 1) bits.

Case 2: s_1, a_0, …, a_{m−1}, A_p, B_p, A_q, B_q, z_i, p, q. To obtain the new A_p, B_p, the card must compute and store z_i mod p; next, to obtain the new A_q, B_q, it must compute and store z_i mod q, which can be put in place of z_i mod p. Then the needed RAM is t − 2 + m log₂(h + 1) + 4k + t + 1 bits.
The Data Transfers
In the two cases, the card must send to the server M, n, x_0, …, x_{m−1}, _p, _q, and the server must send to the card z_0, …, z_{m−1}, y_p, y_q. Then the data transfers are
Results
The following tables give, for the two cases, the number of modular multiplications done by the card and by the server, the needed RAM and EEPROM (in bytes), the number of bytes exchanged between the card and the server, and the acceleration factor obtained by using our protocol. We also give the total number of bytes written into the EEPROM during the protocol and the maximum average number of times each byte must be written. We take for t the value k/2 − 1. In the first table, we give results for 512-bit RSA, and in the second for 768-bit RSA. We recall that, using the Chinese Remainder Theorem, the card can compute an RSA signature in 260 modular multiplications when k = 512 and in 388 when k = 768.
Let us notice that today it is possible to write into the EEPROM in parallel with other computations (without any time penalty) and to use a data transfer rate of 100 kbit/s.

Table 2. RSA-768
Conclusion
We have presented a new efficient protocol for accelerating RSA signatures using an insecure and fast server. This protocol is resistant against all known active and passive attacks. It does not use expensive precomputations; the computation done by the card, the needed RAM and the data transfers between the card and the server are small. Thus, it is possible to implement this protocol efficiently with current chip cards.
It remains an open question: the existence of efficient protocols (without the use of precomputation) for accelerating RSA signatures that are provably secure against passive and active attacks.
