DOI: 10.5555/647094.716707
Article

The Béguin-Quisquater Server-Aided RSA Protocol from Crypto '95 is not Secure

Published: 18 October 1998

Abstract

A well-known cryptographic scenario is the following: a smart card wishes to compute an RSA signature with the help of an untrusted, powerful server. Several protocols have been proposed to solve this problem, and many have been broken. There are two kinds of attacks against such protocols: passive attacks (where the server follows the instructions but tries to learn the secret from what it sees) and active attacks (where the server may return false values). An open question in this field is the existence of efficient protocols (without expensive precomputations) that are provably secure against both passive and active attacks. At Crypto '95, Béguin and Quisquater tried to answer this question by proposing an efficient protocol that resisted all passive and active attacks known at the time. In this paper, we present a very effective lattice-based passive attack against this protocol. An implementation recovers the secret factorization of an RSA-512 or RSA-768 key in less than 5 minutes once the card has produced about 50 signatures. The core of our attack is the basic notion of an orthogonal lattice, which we introduced at Crypto '97 as a cryptographic tool.

References

[1]
R. J. Anderson. Attack on server assisted authentication protocols. Electronics Letters, 28(15):1473, 1992.
[2]
P. Béguin and J.-J. Quisquater. Fast server-aided RSA signatures secure against active attacks. In Proc. of Crypto '95, volume 963 of LNCS, pages 70-83. Springer, 1995.
[3]
E. Brickell, D. M. Gordon, K. S. McCurley, and D. Wilson. Fast exponentiation with precomputation. In Proc. of Eurocrypt '92, volume 658 of LNCS, pages 200-207. Springer, 1993.
[4]
J. Burns and C. J. Mitchell. Parameter selection for server-aided RSA computation schemes. IEEE Transactions on Computers, 43, 1994.
[5]
S. Kawamura and A. Shimbo. Fast server-aided secret computation protocols for modular exponentiation. IEEE Journal on Selected Areas in Communications, 11, 1993.
[6]
A. K. Lenstra, H. W. Lenstra, and L. Lovász. Factoring polynomials with rational coefficients. Math. Ann., 261:515-534, 1982.
[7]
C. H. Lim and P. J. Lee. Security and performance of server-aided RSA computation protocols. In Proc. of Crypto '95, volume 963 of LNCS, pages 70-83. Springer, 1995.
[8]
T. Matsumoto, H. Imai, C.-S. Laih, and S.-M. Yen. On verifiable implicit asking protocols for RSA computation. In Proc. of Auscrypt '92, volume 718 of LNCS, pages 296-307. Springer, 1993.
[9]
T. Matsumoto, K. Kato, and H. Imai. Speeding up secret computations with insecure auxiliary devices. In Proc. of Crypto '88, volume 403 of LNCS, pages 497-506. Springer, 1989.
[10]
P. Nguyen and J. Stern. Merkle-Hellman revisited: a cryptanalysis of the Qu-Vanstone cryptosystem based on group factorizations. In Proc. of Crypto '97, volume 1294 of LNCS, pages 198-212. Springer, 1997.
[11]
P. Nguyen and J. Stern. Cryptanalysis of a fast public key cryptosystem presented at SAC '97. In Proc. of SAC '98, LNCS. Springer, 1998.
[12]
P. Nguyen and J. Stern. Cryptanalysis of the Ajtai-Dwork cryptosystem. In Proc. of Crypto '98, volume 1462 of LNCS. Springer, 1998.
[13]
B. Pfitzmann and M. Waidner. Attacks on protocols for server-aided RSA computation. In Proc. of Eurocrypt '92, volume 658 of LNCS, pages 153-162. Springer, 1993.
[14]
R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21:120-126, 1978.
[15]
V. Shoup. NTL computer package version 2.0. Available at http://www.cs.wisc.edu/~shoup/ntl.

Published In

ASIACRYPT '98: Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
October 1998, 432 pages
ISBN: 3540651098

Publisher

Springer-Verlag, Berlin, Heidelberg

Cited By

  • (2009) Fully homomorphic encryption using ideal lattices. Proceedings of the forty-first annual ACM symposium on Theory of computing, pp. 169-178. doi:10.1145/1536414.1536440. Online publication date: 31-May-2009
  • (2007) Cryptanalysis of server-aided RSA key generation protocols at MADNES 2005. Proceedings of the 4th international conference on Autonomic and Trusted Computing, pp. 52-60. doi:10.5555/2394798.2394808. Online publication date: 11-Jul-2007
  • (2006) Speeding up Exponentiation using an Untrusted Computational Resource. Designs, Codes and Cryptography 39(2):253-273. doi:10.1007/s10623-005-3710-8. Online publication date: 1-May-2006
  • (2006) A new key exchange protocol based on MQV assuming public computations. Proceedings of the 5th international conference on Security and Cryptography for Networks, pp. 186-200. doi:10.1007/11832072_13. Online publication date: 6-Sep-2006
  • (2006) Security analysis of a server-aided RSA key generation protocol. Proceedings of the Second international conference on Information Security Practice and Experience, pp. 314-320. doi:10.1007/11689522_29. Online publication date: 11-Apr-2006
  • (2005) Server-Aided verification. Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security, pp. 605-623. doi:10.1007/11593447_33. Online publication date: 4-Dec-2005
  • (2004) On the Security of RSA with Primes Sharing Least-Significant Bits. Applicable Algebra in Engineering, Communication and Computing 15(3-4):179-200. doi:10.1007/s00200-004-0164-6. Online publication date: 1-Nov-2004
  • (2002) Speeding up secure sessions establishment on the internet. Proceedings of the 5th international conference on Information security and cryptology, pp. 433-450. doi:10.5555/1765361.1765399. Online publication date: 28-Nov-2002
  • (2000) On the construction of a powerful distributed authentication server without additional key management. Computer Communications 23(17):1638-1644. doi:10.1016/S0140-3664(00)00250-4. Online publication date: 1-Nov-2000
