TY - GEN
T1 - On the insecurity of a server-aided RSA protocol
AU - Nguyen, Phong Q.
AU - Shparlinski, Igor E.
PY - 2001/12
Y1 - 2001/12
N2 - At Crypto ’88, Matsumoto, Kato and Imai proposed a protocol, known as RSA-S1, in which a smart card computes an RSA signature with the help of an untrusted powerful server. There exist two kinds of attacks against such protocols: passive attacks (where the server does not deviate from the protocol) and active attacks (where the server may return false values). Pfitzmann and Waidner presented at Eurocrypt ’92 a passive meet-in-the-middle attack and a few active attacks on RSA-S1. They discussed two simple countermeasures to thwart such attacks: renewing the decomposition of the RSA private exponent, and checking the signature (in which case a small public exponent must be used). We present a new lattice-based provable passive attack on RSA-S1 which recovers the factorization of the RSA modulus when a very small public exponent is used, for many choices of the parameters. The first countermeasure does not prevent this attack because the attack is a one-round attack, that is, only a single execution of the protocol is required. Interestingly, Merkle and Werchner recently provided a security proof of RSA-S1 against one-round passive attacks in some generic model, even for parameters to which our attack provably applies. Thus, our result throws doubt on the real significance of security proofs in the generic model, at least for server-aided RSA protocols. We also present a simple analysis of a multi-round lattice-based passive attack proposed last year by Merkle.
KW - Cryptanalysis
KW - Lattices
KW - RSA signature
KW - Server-aided protocol
UR - http://www.scopus.com/inward/record.url?scp=84946830399&partnerID=8YFLogxK
U2 - 10.1007/3-540-45682-1_2
DO - 10.1007/3-540-45682-1_2
M3 - Conference proceeding contribution
AN - SCOPUS:84946830399
SN - 3540429875
SN - 9783540429876
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 21
EP - 35
BT - Advances in Cryptology - ASIACRYPT 2001
A2 - Boyd, Colin
PB - Springer, Springer Nature
CY - Berlin; New York
T2 - 7th International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT - 2001
Y2 - 9 December 2001 through 13 December 2001
ER -