A hierarchy of polynomial time lattice basis reduction algorithms. Theoretical Computer Science.
Improved low-density subset sum algorithms. Computational Complexity.
The shortest vector problem in L2 is NP-hard for randomized reductions (extended abstract). STOC '98 Proceedings of the thirtieth annual ACM symposium on Theory of computing.
A survey of fast exponentiation methods. Journal of Algorithms.
Multi-round passive attacks on server-aided RSA protocols. Proceedings of the 7th ACM conference on Computer and communications security.
A sieve algorithm for the shortest lattice vector problem. STOC '01 Proceedings of the thirty-third annual ACM symposium on Theory of computing.
Handbook of Applied Cryptography.
Speeding Up Secret Computations with Insecure Auxiliary Devices. CRYPTO '88 Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology.
CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology.
The Béguin-Quisquater Server-Aided RSA Protocol from Crypto '95 is not Secure. ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology.
On the Security of Server-Aided RSA Protocols. PKC '98 Proceedings of the First International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography.
Some baby-step giant-step algorithms for the low hamming weight discrete logarithm problem. Mathematics of Computation.
Lower bounds for discrete logarithms and related problems. EUROCRYPT '97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques.
Attacks on protocols for server-aided RSA computation. EUROCRYPT '92 Proceedings of the 11th annual international conference on Theory and application of cryptographic techniques.
Fast exponentiation with precomputation. EUROCRYPT '92 Proceedings of the 11th annual international conference on Theory and application of cryptographic techniques.
Cryptanalysis of RSA with private key d less than N^0.292. EUROCRYPT '99 Proceedings of the 17th international conference on Theory and application of cryptographic techniques.
Generic Lower Bounds for Root Extraction and Signature Schemes in General Groups. EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology.
On the Analysis of Cryptographic Assumptions in the Generic Ring Model. ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology.
Publishing upper half of RSA decryption exponent. IWSEC '10 Proceedings of the 5th international conference on Advances in information and computer security.
Server-Aided verification: theory and practice. ASIACRYPT '05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security.
How to securely outsource cryptographic computations. TCC '05 Proceedings of the Second international conference on Theory of Cryptography.
Fully homomorphic encryption over the integers. EUROCRYPT '10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques.
At Crypto '88, Matsumoto, Kato and Imai proposed a protocol, known as RSA-S1, in which a smart card computes an RSA signature with the help of an untrusted powerful server. There exist two kinds of attacks against such protocols: passive attacks (where the server does not deviate from the protocol) and active attacks (where the server may return false values). Pfitzmann and Waidner presented at Eurocrypt '92 a passive meet-in-the-middle attack and a few active attacks on RSA-S1. They discussed two simple countermeasures to thwart such attacks: renewing the decomposition of the RSA private exponent, and checking the signature (in which case a small public exponent must be used). We present a new lattice-based provable passive attack on RSA-S1 which recovers the factorization of the RSA modulus when a very small public exponent is used, for many choices of the parameters. The first countermeasure does not prevent this attack because the attack is a one-round attack, that is, only a single execution of the protocol is required. Interestingly, Merkle and Werchner recently provided a security proof of RSA-S1 against one-round passive attacks in some generic model, even for parameters to which our attack provably applies. Thus, our result throws doubt on the real significance of security proofs in the generic model, at least for server-aided RSA protocols. We also present a simple analysis of a multi-round lattice-based passive attack proposed last year by Merkle.
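To make the setting concrete, the following toy model shows the shape of a server-aided RSA signature and the second countermeasure named above, checking the signature with a small public exponent so that an active server returning false values is caught. This is an added illustration, not code from the paper or from RSA-S1's authors: the decomposition of the private exponent into summands selected by a secret 0/1 vector follows the RSA-S1 idea only in simplified form (the real scheme constrains the sizes of the summands, which the text does not detail and this model ignores), the key is a constructed toy key far too small for real use, and the function and parameter names are my own.

```python
"""Toy server-aided RSA signing with the signature-check countermeasure.

Added illustration, not the paper's code.  Assumptions: the card splits d as
d == sum(f_i * d_i) mod phi(N) with a secret 0/1 vector f (simplified RSA-S1
idea; summand sizes are not modelled), the server sees only the d_i, and the
card verifies s^e == x, which is cheap because e is small.
"""
import random

# Constructed toy key (not from the paper): two small primes and e = 3.
P, Q = 10007, 10037
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 3
D = pow(E, -1, PHI)          # gcd(E, PHI) == 1 for these primes


def decompose(d, phi, m, rng):
    """Card side: choose m random summands d_i and a secret selector vector f
    such that d == sum(f_i * d_i) mod phi.  Only d_vec leaves the card."""
    f = [rng.randint(0, 1) for _ in range(m)]
    if not any(f):
        f[0] = 1                                  # at least one summand is used
    d_vec = [rng.randrange(phi) for _ in range(m)]
    # Fix one selected summand so the weighted sum hits d exactly.
    last = max(i for i, fi in enumerate(f) if fi)
    partial = sum(di for i, (di, fi) in enumerate(zip(d_vec, f))
                  if fi and i != last)
    d_vec[last] = (d - partial) % phi
    return d_vec, f


def honest_server(x, d_vec, n):
    """Server side: the heavy exponentiations, one per summand."""
    return [pow(x, di, n) for di in d_vec]


def cheating_server(x, d_vec, n):
    """Active-attacker model from the abstract: every returned value is false
    (each z_i is doubled modulo n)."""
    return [(zi * 2) % n for zi in honest_server(x, d_vec, n)]


def server_aided_sign(x, d, phi, n, e, server, m=8, seed=1):
    """Card side: outsource x^(d_i), multiply the selected results, then check
    s^e == x before releasing the signature.  Returns (s, ok)."""
    rng = random.Random(seed)                     # deterministic for the demo
    d_vec, f = decompose(d, phi, m, rng)
    z = server(x, d_vec, n)
    s = 1
    for zi, fi in zip(z, f):
        if fi:
            s = (s * zi) % n
    ok = pow(s, e, n) == x % n                    # the small-e signature check
    return s, ok


if __name__ == "__main__":
    msg = 123456                                  # constructed message hash
    s, ok = server_aided_sign(msg, D, PHI, N, E, honest_server)
    print("honest server:  valid =", ok, " matches direct x^d:", s == pow(msg, D, N))
    s2, ok2 = server_aided_sign(msg, D, PHI, N, E, cheating_server)
    print("cheating server: valid =", ok2, "(false value rejected)")
```

The check costs one exponentiation to a 2-bit exponent, which is why the countermeasure only makes sense when e is small; note that, as the abstract states, the check addresses active servers only and says nothing about a passive server that follows the protocol and merely studies the d_i it receives.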