3 research outputs found

    Cryptanalysis of Server-Aided RSA Protocols with Private-Key Splitting

    We analyze the security and the efficiency of interactive protocols where a client wants to delegate the computation of an RSA signature given a public key, a public message and the secret signing exponent. We consider several protocols where the secret exponent is split using some algebraic decomposition. We first provide an exhaustive analysis of the delegation protocols in which the client outsources a single RSA exponentiation to the server. We then revisit the security of the protocols RSA-S1 and RSA-S2 that were proposed by Matsumoto, Kato and Imai in 1988. We present an improved lattice-based attack on RSA-S1 and we propose a simple variant of this protocol that provides better efficiency for the same security level. Eventually, we present the first attacks on the protocol RSA-S2 that employs the Chinese Remainder Theorem to speed up the client's computation. The efficiency of our (heuristic) attacks has been validated experimentally.

    On the security of server-aided RSA protocols


    On the Security of Server-aided RSA Protocols

    In this paper we investigate the security of the server-aided RSA protocols RSA-S1 and RSA-S1M proposed by Matsumoto, Kato and Imai ([MKI89]) and Matsumoto, Imai, Laih and Yen ([MILY93]), respectively. In these protocols a smart card calculates an RSA signature with the aid of an untrusted powerful server. We focus on generic attacks, that is, passive attacks that do not exploit any special properties of the encoding of the group elements. Generic algorithms have been introduced by Nechaev ([Nec94]) and Shoup ([Sho97]). We prove lower bounds for the complexity of generic attacks on these two protocols and show that the bounds are sharp by describing attacks that almost match our lower bounds. To the best of our knowledge these are the first security proofs for efficient server-aided RSA protocols. Keywords: server-aided secret computation, RSA, signature, generic algorithms 1 Introduction In this paper, we investigate the security of server-aided secret computations of R..