Abstract
At Crypto ’88, Matsumoto, Kato and Imai proposed a protocol, known as RSA-S1, in which a smart card computes an RSA signature with the help of an untrusted powerful server. There exist two kinds of attacks against such protocols: passive attacks (where the server does not deviate from the protocol) and active attacks (where the server may return false values). Pfitzmann and Waidner presented at Eurocrypt ’92 a passive meet-in-the-middle attack and a few active attacks on RSA-S1. They discussed two simple countermeasures to thwart such attacks: renewing the decomposition of the RSA private exponent, and checking the signature (in which case a small public exponent must be used). We present a new lattice-based provable passive attack on RSA-S1 which recovers the factorization of the RSA modulus when a very small public exponent is used, for many choices of the parameters. The first countermeasure does not prevent this attack because the attack is a one-round attack, that is, only a single execution of the protocol is required. Interestingly, Merkle and Werchner recently provided a security proof of RSA-S1 against one-round passive attacks in some generic model, even for parameters to which our attack provably applies. Thus, our result throws doubt on the real significance of security proofs in the generic model, at least for server-aided RSA protocols. We also present a simple analysis of a multi-round lattice-based passive attack proposed last year by Merkle.
Work supported in part by the RNRT “Turbo-signatures” project of the French Ministry of Research.
Work supported in part by the Australian Research Council.
References
M. Ajtai, ‘The shortest vector problem in L_2 is NP-hard for randomized reductions’, Proc. 30th ACM Symp. on Theory of Comput., ACM, 1998, 10–19.
M. Ajtai, R. Kumar and D. Sivakumar, ‘A sieve algorithm for the shortest lattice vector problem’, Proc. 33rd ACM Symp. on Theory of Comput., ACM, 2001, 601–610.
D. Boneh and G. Durfee, ‘Cryptanalysis of RSA with private key d less than N^0.292’, Proc. Eurocrypt ’99, Lect. Notes in Comp. Sci., Vol. 1592, Springer-Verlag, Berlin, 1999, 1–11.
E. Brickell, D. M. Gordon, K. S. McCurley and D. Wilson, ‘Fast exponentiation with precomputation’, Proc. Eurocrypt ’92, Lect. Notes in Comp. Sci., Vol. 658, Springer-Verlag, Berlin, 1993, 200–207.
M. J. Coster, A. Joux, B. A. LaMacchia, A. M. Odlyzko, C.-P. Schnorr and J. Stern, ‘Improved low-density subset sum algorithms’, Comput. Complexity, 2 (1992), 111–128.
D. M. Gordon, ‘A survey of fast exponentiation methods’, J. of Algorithms, 27 (1998), 129–146.
A. K. Lenstra, H. W. Lenstra and L. Lovász, ‘Factoring polynomials with rational coefficients’, Mathematische Annalen, 261 (1982), 515–534.
T. Matsumoto, K. Kato and H. Imai, ‘Speeding up secret computations with insecure auxiliary devices’, Proc. Crypto ’88, Lect. Notes in Comp. Sci., Vol. 403, Springer-Verlag, Berlin, 1990, 497–506.
A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, Boca Raton, FL, 1996.
J. Merkle, ‘Multi-round passive attacks on server-aided RSA protocols’, Proc. 7th ACM Conf. on Computer and Commun. Security, ACM, 2000, 102–107.
J. Merkle and R. Werchner, ‘On the security of server-aided RSA protocols’, Proc. PKC ’98, Lect. Notes in Comp. Sci., Vol. 1431, Springer-Verlag, Berlin, 1998, 99–116.
P. Q. Nguyen and J. Stern, ‘Merkle-Hellman revisited: A cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations’, Proc. Crypto ’97, Lect. Notes in Comp. Sci., Vol. 1294, Springer-Verlag, Berlin, 1997, 198–212.
P. Q. Nguyen and J. Stern, ‘The Béguin-Quisquater server-aided RSA protocol from Crypto ’95 is not secure’, Proc. Asiacrypt ’98, Lect. Notes in Comp. Sci., Vol. 1514, Springer-Verlag, Berlin, 1998, 372–379.
P. Q. Nguyen and J. Stern, ‘The two faces of lattices in cryptology’, Proc. CALC ’01, Lect. Notes in Comp. Sci., Vol. 2146, Springer-Verlag, Berlin, 2001, 146–180.
B. Pfitzmann and M. Waidner, ‘Attacks on protocols for server-aided RSA computation’, Proc. Eurocrypt ’92, Lect. Notes in Comp. Sci., Vol. 658, Springer-Verlag, Berlin, 1993, 153–162.
C. P. Schnorr, ‘A hierarchy of polynomial time basis reduction algorithms’, Theor. Comp. Sci., 53 (1987), 201–224.
V. Shoup, ‘Lower bounds for discrete logarithms and related problems’, Proc. Eurocrypt ’97, Lect. Notes in Comp. Sci., Vol. 1233, Springer-Verlag, Berlin, 1997, 256–266.
D. Stinson, ‘Some baby-step giant-step algorithms for the low Hamming weight discrete logarithm problem’, to appear in Mathematics of Computation.
V. Shoup, ‘NTL computer package version 5.0’, available from http://www.shoup.net/.
Copyright information
© 2001 Springer-Verlag Berlin Heidelberg
Cite this paper
Nguyen, P. Q., Shparlinski, I. E. (2001). On the Insecurity of a Server-Aided RSA Protocol. In: Boyd, C. (ed.) Advances in Cryptology — ASIACRYPT 2001. Lecture Notes in Computer Science, vol. 2248. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45682-1_2
DOI: https://doi.org/10.1007/3-540-45682-1_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42987-6
Online ISBN: 978-3-540-45682-7