A well-known cryptographic scenario is the following: a smart card wishes to compute an RSA signature with the help of an untrusted powerful server. Several protocols have been proposed to solve this problem, and many have been broken. There exist two kinds of attacks against such protocols: passive attacks (where the server follows the instructions) and active attacks (where the server may return false values). An open question in this field is the existence of efficient protocols (without expensive precomputations) provably secure against both passive and active attacks. At Crypto '95, Béguin and Quisquater tried to answer this question by proposing an efficient protocol which was resistant against all known passive and active attacks. In this paper, we present a very effective lattice-based passive attack against this protocol. An implementation is able to recover the secret factorization of an RSA-512 or RSA-768 key in less than 5 minutes once the card has produced about 50 signatures. The core of our attack is the basic notion of an orthogonal lattice which we introduced at Crypto '97 as a cryptographic tool.