Cryptanalysis of Server-Aided RSA Protocols with Private-Key Splitting

Mefenza, Thierry; Vergnaud, Damien

doi:10.1093/comjnl/bxz040

Cited by 7 publications

(11 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Chevalier et al [4] provided simple constructions (essentially optimal in terms of operations in the underlying group) in groups of known prime order. For RSA-based cryptography, most proposed protocols are variants of two protocols (named RSA-S1 and RSA-S2) that were proposed by Matsumoto, Kato and Imai in 1988 [10] and analyzed by Mefenza and Vergnaud [11]. For a variable base (which is the case of interest for RSA decryption/signature), all known secure delegation protocols only improve the client efficiency by a constant factor and are thus probably not suitable for limited devices in IoT.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Comment on “Efficient and Secure Outsourcing Scheme for RSA Decryption in Internet of Things”

Vergnaud

2020

IEEE Internet Things J.

Self Cite

View full text Add to dashboard Cite

Internet of Things (IoT) devices have grown in popularity over the past few years. The RSA public-key cryptographic primitive is time-consuming for resource-constrained IoT. Recently, Zhang, Yu, Tian, Tong, Lin, Ge and Wang proposed a two-party outsourcing protocol between a client and a server for RSA decryption in IoT. It relies on the Chinese Remainder Theorem as proposed by Quisquater and Couvreur in 1982 and is very efficient.We show that their protocol does not achieve the claimed security guarantees: (1) the (secret) decryption exponent, the plaintext and the factorization of the RSA modulus are revealed to a passive adversary, and (2) a malicious server can make the client accept an (invalid) value of its choice as the result of the delegated computation.

show abstract

Section: Discussionmentioning

confidence: 99%

“…Chevalier et al proved lower bounds on the efficiency for generic modular outsourcing protocols (in prime order groups) [4]. These bounds suggest that improving the protocols from [11] in unknown order groups is probably difficult.…”

Section: Discussionmentioning

confidence: 99%

Comment on “Efficient and Secure Outsourcing Scheme for RSA Decryption in Internet of Things”

Vergnaud

2020

IEEE Internet Things J.

Self Cite

View full text Add to dashboard Cite

show abstract

“…In particular, it is interesting to propose efficient delegation protocols and to improve our lower bounds in settings where the memory complexity of the client is limited. It is also interesting to provide provably secure protocols and complexity lower bounds for exponentiation protocols in groups of unknown order (which are of interest to delegate the computation of an RSA signature) [17,32].…”

Section: Discussionmentioning

confidence: 99%

Privately Outsourcing Exponentiation to a Single Server: Cryptanalysis and Optimal Constructions

2020

Self Cite

View full text Add to dashboard Cite

We address the problem of speeding up group computations in cryptography using a single untrusted computational resource. We analyze the security of two efficient protocols for securely outsourcing (multi-)exponentiations. We show that the schemes do not achieve the claimed security guarantees and we present practical polynomial-time attacks on the delegation protocols which allow the untrusted helper to recover part (or the whole) of the device's secret inputs. We then provide simple constructions for outsourcing group exponentiations in different settings (e.g. public/secret, fixed/variable bases and public/secret exponents). Finally, we prove that our attacks are unavoidable if one wants to use a single untrusted computational resource and to limit the computational cost of the limited device to a constant number of (generic) group operations. In particular, we show that our constructions are actually optimal in terms of operations in the underlying group.

show abstract

“…[23]). Recently, Mefenza and Vergnaud [19] proposed an improved lattice-based attack on RSA-S1 and a simple variant of this protocol that provides better efficiency for the same security level. They also presented the first attacks on the protocol RSA-S2.…”

Section: Group Exponentiationmentioning

confidence: 99%

Secure Outsourcing in Discrete-Logarithm-Based and Pairing-Based Cryptography (Invited Talk)

Vergnaud

2019

Information Security Theory and Practice

Self Cite

View full text Add to dashboard Cite

Cryptographic operations are performed everywhere, from standard laptop to smart cards. Some devices computational resources can be very limited and it is natural to delegate costly operations to another device capable of carrying out cryptographic algorithms. In this setting, it is obviously important to ensure the limited device that the computation is carried out correctly and that the powerful device does not learn anything about what is actually computing (including the secret inputs and outputs). We briefly review the recent advances on secure outsourcing of group exponentiation (in groups of known prime order as well as in groups of unknown order) and pairing computation.

show abstract

Cryptanalysis of Server-Aided RSA Protocols with Private-Key Splitting

Cited by 7 publications

References 37 publications

Comment on “Efficient and Secure Outsourcing Scheme for RSA Decryption in Internet of Things”

Comment on “Efficient and Secure Outsourcing Scheme for RSA Decryption in Internet of Things”

Privately Outsourcing Exponentiation to a Single Server: Cryptanalysis and Optimal Constructions

Secure Outsourcing in Discrete-Logarithm-Based and Pairing-Based Cryptography (Invited Talk)

Contact Info

Product

Resources

About