22 citations found.
T. Matsumoto, K. Kato, and H. Imai, Speeding up secret computations with insecure auxiliary devices, Advances in Cryptology -- Crypto '88, LNCS 403, Springer-Verlag, 1990, pp. 497-506.


This paper is cited in the following contexts:
On the Insecurity of Some Server-Aided RSA Protocol - Nguyen, Shparlinski

....shown to be either inefficient or insecure (see for instance the two recent examples [13, 10]), which explains why, to our knowledge, none of these protocols has ever been used in practice. Many of these protocols are variants of the protocols RSA S1 and RSA S2 proposed by Matsumoto, Kato and Imai [8] at Crypto 88, which use a random linear decomposition of the RSA private exponent. At Eurocrypt 92, Pfitzmann and Waidner [15] presented several natural meet in the middle passive attacks and some efficient active attacks against RSA S1 and RSA S2. To prevent such attacks, they discussed two ....

....Werchner claimed in [11] the generic model is not appropriate for investigating the security of server aided RSA protocols. The rest of the paper is organized as follows. In Section 2, we make a short description of the RSA S1 server aided protocol and review some useful background. We refer to [8, 15] for more details. In Section 3, we present our variant of Merkle's lattice based attack, together with an analysis. In Section 4, we present our new lattice based attack on low exponent RSA S1. 2 Background 2.1 The RSA S1 Server Aided Protocol Let N be an RSA modulus and let $\phi$ denote the Euler ....

[Article contains additional citation context not shown here]

T. Matsumoto, K. Kato, and H. Imai, `Speeding up secret computations with insecure auxiliary devices', Proc. Crypto '88 , Lect. Notes in Comp. Sci., Vol. 403, Springer-Verlag, Berlin, 1990, 497--506.


Speeding up Secure Sessions Establishment on The Internet - Sella

....Work The idea of off loading time consuming RSA computation from a weak device to a powerful server without exposing information about the secret exponent has been studied extensively under the title server aided RSA. The first protocols, RSA S1 and RSA S2, were invented by Matsumoto et al. [17]. Their basic idea was to hide necessary computations by requesting additional unnecessary ones. These protocols were attacked in [22]; an attempt to improve them was made in [16], but the improved versions, RSA S1M and RSA S2M, were attacked again in [15]. Protocols proposed more recently [1, 11] ....

T. Matsumoto, K. Kato, and H. Imai. Speeding up Secret Computations with Insecure Auxiliary Devices. In Proceedings of Crypto 88, LNCS 403, Springer-Verlag, pages 497-506, Berlin 1990


A Formal Treatment of Remotely Keyed Encryption - Blaze, Feigenbaum, Naor (1998)   (16 citations)

....the one of having a smartcard take advantage of a host's superior processing power in order to do a publickey computation without leaking the input to the host. For a discussion of the (well studied) problem of host assisted public key cryptography, see e.g. Feigenbaum [10], Matsumoto et al. [17], and the references therein. Furthermore, note that the goal of a remotely keyed encryption scheme (RKES) is not session key exchange between two different hosts each connected to a card, where the two cards share a key. In an RKES application, such as the encryption of disk traffic, there is ....

T. Matsumoto, K. Kato, and H. Imai, "Speeding Up Secret Computations with Insecure Auxiliary Devices," in Advances in Cryptology -- Crypto '88, Lecture Notes in Computer Science, vol. 403, Springer, Berlin, pp. 497--506, 1990.


Remarks on Parameter Selection for Server-Aided Secret RSA.. - Chi-Sung Laih And (1999)   (1 citation)

....(SASC) protocol is a scheme that allows a client to speed up secret computation, e.g. RSA digital signature, with the help of another server which is capable of performing high speed computation, while the secret information of the client is not compromised to the server. In 1988, Matsumoto et al. [6] proposed two concrete SASC protocols (which we refer to as MKI Schemes) for RSA signature computation. Since then some attacks on the SASC protocols have been proposed [1, 7, 8] and several modified Schemes have been proposed to remedy those attacks [3-5]. In [2] Burns and Mitchell gave a practical guidance ....

....the same security level. Finally, it is easy to see that SASC protocols always leak information to the server. And under certain acquirement of that information, the system would become vulnerable. The organization of this paper is as follows. In Section 2, we first review the MKI Schemes proposed in [6], then the BM Guidance on SASC protocol parameter selection is discussed. Our attacks on MKI schemes, which were designed under BM Guidance, are proposed in Section 3. In Section 4, based on the discussions above, we give a description of the strict security requirements on SASC protocol design ....

[Article contains additional citation context not shown here]

T. Matsumoto, K. Kato, and H. Imai, "Speeding up Secret Computations with Insecure Auxiliary Devices," Advances in Cryptology -- CRYPTO'88, pp. 497-506, Springer Verlag, New York, 1989.


Security and Performance of Server-Aided RSA Computation Protocols - Lim, Lee (1995)   (13 citations)

.... for most public key cryptosystems (e.g. signature generation with RSA and signature verification in ElGamal like signature schemes). To speed up such computations by a weak power smart card, much research has been conducted under the subject called the server aided secret computation (SASC) [1-12]. In the SASC protocol, the client (the smart card) wants to perform a secret computation (e.g. RSA signature generation) by borrowing the computing power of an untrusted powerful server without revealing its secret information. A lot of (passive and active) attacks have been developed on the ....

....signature generation) by borrowing the computing power of an untrusted powerful server without revealing its secret information. A lot of (passive and active) attacks have been developed on the server aided RSA computation protocols (called RSA S1 and RSA S2) proposed by Matsumoto, Kato and Imai [1] (e.g. see [7-9, 11]). Matsumoto, Imai, Laih and Yen [4] also proposed two phase versions of the basic protocols (called RSA S1M and RSA S2M) to gain resistance against passive attacks, mainly to counter the passive attack proposed by Pfitzmann and Waidner [8]. On the other hand, Quisquater and ....

T.Matsumoto, K.Kato and H.Imai, Speeding up secret computations with insecure auxiliary devices, In Proc. of Crypto'88, Springer-Verlag, LNCS 403, 497-506 (1990).


Accelerating Key Establishment Protocols for Mobile.. - Lee, Hong, Yoon, Cho

....SASC (Server Aided Secret Computation) protocols enable a client (a smart card) to borrow computing power from a server (e.g. an untrusted auxiliary device like ATM) without revealing its secret information. Matsumoto, Kato, and Imai proposed the first SASC protocol for RSA signature generation [24], and it significantly accelerates the computation. Afterwards, a lot of effective attacks that can threaten SASC protocols have been designed and the corresponding countermeasures also have been proposed [25-33, 21]. The previous works related with this topic are reviewed in references [20] and ....

....client to efficiently compute $m^s \bmod n$ with the aid of the server. Splitting based techniques The first SASC protocol uses decomposition of secret s into several pieces ($x_i$ and $a_i$, where $s = \sum_{i=0}^{m-1} x_i a_i \bmod \phi(n)$) and reveals some of them ($x_i$) and conceals the others ($a_i$) [24]. More advanced ones that are designed afterwards use similar basic decomposition with more refined techniques, and we call them splitting based techniques. In this paper, we use Béguin and Quisquater's protocol [20] as a representative splitting based technique, because it is one of the most ....

T.Matsumoto, K.Kato, and H.Imai, "Speeding up secret computations with insecure auxiliary devices," in Crypto'88, pp. 497--506, 1988.


A New Approach to Server-Aided Secret Computation - Hong, Shin, Lee-Kwang, Yoon (1998)   (5 citations)

....portable smart cards. SASC (Server Aided Secret Computation) protocols enable a smart card (a client) to perform secret computations faster with the aid of a server (an untrusted auxiliary device like ATM). Matsumoto, Kato, and Imai proposed the first SASC protocol for RSA signature generation [2], and it significantly accelerates the computation. Afterwards, a lot of effective attacks that can threaten SASC protocols have been designed and the corresponding countermeasures also have been proposed [3-12]. The previous works related with this topic are reviewed in references [12] and [7] ....

....$w_p + (M^{d \bmod (q-1)} \bmod q) \times w_q \equiv M^d \bmod N$. Because the operand size is reduced to half, the speed up is nearly two times. This technique is used in the proposed protocol. 2.2 Previous approach to SASC We briefly explain the RSA S1 protocol which was proposed by Matsumoto et al. in [2]. The purpose of the protocol is to make the client get an RSA signature for a message M with the aid of the server, that is, $M^d \bmod N$, while keeping the secret information d unknown to the server. Decomposition Client precomputes two vectors d and f which satisfy the following equation: $d \equiv \sum$ ....

T.Matsumoto, K.Kato, and H.Imai, "Speeding up secret computations with insecure auxiliary devices," in Crypto'88, pp. 497--506, 1988.


Secure acceleration of DSS signatures using insecure server - Béguin, Quisquater   (2 citations)

....the influence of an opponent trying to obtain the secrets of the card or to cheat with a false result. The conclusion of this short analysis is that the card must protect its secrets and verify the computations received from the server. Such protocols were first studied by Matsumoto, Kato and Imai [6] and Quisquater and De Soete [9]. Next Pfitzmann and Waidner [8] and Anderson [1] have shown that these protocols are not very secure. Then Yen and Laih [12], Matsumoto, Imai, Laih and Yen [5] and Kawamura and Shimbo [4] propose protocols using expensive precomputation and then not very efficient. ....

Matsumoto, T., Kato, K., Imai, H.: Speeding up secret computation with insecure auxiliary devices. In Advances in Cryptology -- Proceedings of Crypto '88 (1989) vol. Lecture Notes in Computer Science 403 Springer-Verlag pp. 497--506.


UNIX Password Security - Ten Years Later - Feldmeier, Karn   (17 citations)

....here. Some possibilities include zeroknowledge proofs and public key systems. The main problem would seem to be the rather limited processing capacity of a smart card. However, there are ways of utilizing computing power in untrusted machines to execute complicated secret computations efficiently [7]. 4.4 Decreasing Password Guessability The main weakness in any password system is that users often choose easily guessable passwords: English words, names, trivial extensions to English words, etc. because they are easy to remember. It is important that passwords be difficult to guess. One way ....

T. Matsumoto, K. Kato, and H. Imai. Speeding up secret computations with insecure auxiliary devices. In Proceedings of Crypto '88, August 1988.


The Béguin-Quisquater Server-Aided RSA Protocol from.. - Nguyen, Stern (1998)   (3 citations)

....One distinguishes two kinds of attacks against such protocols: attacks where the server respects the instructions are called passive attacks, while attacks where the server may return false computations are called active attacks. The first SASC protocol was proposed by Matsumoto, Kato and Imai [9] in the case of RSA signatures [14]. Pfitzmann and Waidner [13] presented several passive attacks against all the protocols of [9] and Anderson [1] described an efficient active attack against one of the protocols of [9]. Several new protocols such as [8, 5, 4, 2, 7] have been proposed since. ....

....attacks, while attacks where the server may return false computations are called active attacks. The first SASC protocol was proposed by Matsumoto, Kato and Imai [9] in the case of RSA signatures [14]. Pfitzmann and Waidner [13] presented several passive attacks against all the protocols of [9], and Anderson [1] described an efficient active attack against one of the protocols of [9]. Several new protocols such as [8, 5, 4, 2, 7] have been proposed since. Among these, the protocol of Béguin and Quisquater [2] was quite attractive: it was relatively efficient (since it was based on the ....

[Article contains additional citation context not shown here]

T. Matsumoto, K. Kato, and H. Imai. Speeding up secret computation with insecure auxiliary devices. In Proc. of Crypto '88, volume 403 of LNCS, pages 497--506. Springer, 1989.


A Formal Treatment of Remotely Keyed Encryption - Extended

....the one of having a smart card take advantage of a host's superior processing power in order to do a public key computation without leaking the input to the host. For a discussion of the (well studied) problem of host assisted public key cryptography, see e.g. Feigenbaum [8], Matsumoto et al. [13], and the references therein. Finally, note that the goal of a remotely keyed encryption scheme (RKES) is not session key exchange between two different hosts each connected to a card, where the two cards share a key. In an RKES application, such as the encryption of disk traffic, there is only ....

T. Matsumoto, K. Kato, and H. Imai, "Speeding Up Secret Computations with Insecure Auxiliary Devices," in Advances in Cryptology -- Crypto '88, Lecture Notes in Computer Science, vol. 403, Springer, Berlin, pp. 497--506, 1990.


Authenticated Session Keys and Their Server-Aided Computation - Lim, Lee

....up exponentiation on the smart card. This section is devoted to devising such protocols for server aided key exchange (SAKE) 4. 1 The Model and Security Requirements The server aided secret computation (SASC) protocol is a client server based computation scheme first proposed by Matsumoto et al. [26]. It is an interactive protocol between a powerful computer (called Server hereafter) and a weak power device (called Client hereafter) in which Client wants to compute a certain secret heavy function by borrowing the computing power of Server while not revealing its secret information. Server ....

....may deviate from the prescribed protocol and manipulate its transmissions to find out Client's secret. A typical application of the SASC protocol is to generate RSA signatures on smart cards. Much research has been done on design and analysis of server aided protocols for RSA computation (e.g. see [26, 37, 25, 19, 36, 11, 3, 23]). We also note that there has been proposed a protocol for accelerating modular multiplication itself [2]. The server aided public verification (SAPV) protocol is another client server based computation scheme in which Client wants to check the validity of a certain public equation with the aid ....

T.Matsumoto, K.Kato and H.Imai, Speeding up secret computations with insecure auxiliary devices, Advances in Cryptology-CRYPTO'88 (S.Goldwasser, ed.), Springer-Verlag, LNCS 403 (1990), 497-506.


Secure Outsourcing of Some Computations - Atallah, Pantazopoulos, Spafford (1996)

.... without revealing information about the functions' arguments to the other party (cf. the many references in, for example, [22, 19]). Also reminiscent of this work is the server aided computation literature, but most papers there deal with modular exponentiations and not with numerical computing [15, 17, 20, 16, 13, 11, 3, 14, 10]. In this paper's framework, the encryption methods we use are very straightforward and are similar to one time pad schemes: For example, when we hide a number x by adding to it a random value r, then we do not re use that same r to hide another number y (we generate another random number for ....

T. Matsumoto, K. Kato, H. Imai. Speeding Up Secret Computations with Insecure Auxiliary Devices. CRYPTO 1988, pp. 497--506.


Fast Server-Aided RSA Signatures Secure Against Active Attacks - Béguin, Quisquater

....may then be under the influence of an opponent trying to obtain the secrets of the card or to cheat with a false result. The conclusion of this short analysis is that the card must protect its secrets and verify the computations received from the server. Let us remark that many proposed protocols ([11], [16], [10]) did not have a strong verification step and then were broken ([2], [13], [9]). There exist two kinds of attacks against such protocols: classical searching ones are called passive attacks; specific ones where the server returns false values to get some information from the card, are ....

....There exist two kinds of attacks against such protocols: classical searching ones are called passive attacks; specific ones where the server returns false values to get some information from the card, are called active attacks. Such protocols were first studied by Matsumoto, Kato and Imai [11] and by Quisquater and De Soete [14] for accelerating RSA signatures [15]. Next Pfitzmann and Waidner [13] proposed some passive attacks against all protocols presented in [11]. And Anderson [2] proposed a very efficient active attack against one of the two protocols presented in [11] where a ....

[Article contains additional citation context not shown here]

Matsumoto, T., Kato, K., Imai, H.: Speeding up secret computation with insecure auxiliary devices. In Advances in Cryptology -- Proceedings of Crypto '88 (1989) Lecture Notes in Computer Science vol. 403 Springer-Verlag pp. 497--506.


Server(Prover/Signer)-Aided Verification of Identity Proofs and.. - Lim, Lee

....the other way are also efficient for smart card implementations. This motivated us to develop methods for speeding up the computation by the verifier in some way or another. We first considered the applicability of the server aided approach to secret computation, first proposed by Matsumoto et al. [10] and since then widely studied by many researchers [11-15], to the public verification of identity proofs and signatures. And we found a related work performed by Yen and Laih [16], but unfortunately their protocol can be easily shown to be insecure. Furthermore, this kind of protocols seems to ....

T.Matsumoto, K.Kato and H.Imai : `Speeding up secret computations with insecure auxiliary devices', Advances in Cryptology-Crypto'88, Springer-Verlag, pp.497-506 (1990).


An Attack on Server Assisted Authentication Protocols - Anderson (1992)   (8 citations)  Self-citation (Matsumoto Kato Imai)

....term: Information theory The basic server assisted authentication protocol of Matsumoto, Kato and Imai can be broken in a one round active attack. The improvements necessary to make it secure may well render it impractical. Introduction: Matsumoto, Kato and Imai proposed various protocols in [1] to speed up secret computations using insecure auxiliary devices. A typical application would be where a smart card wishes to calculate an RSA signature $m^d \pmod n$ [2] on a financial transaction and wants computational assistance from a powerful server such as a digital signal processor ....

Matsumoto T, Kato K and Imai H, "Speeding up Secret Computations with Insecure Auxiliary Devices", in Advances in Cryptology - Crypto 88, LNCS 403, pp 497 - 506, Springer 1989


Another Look At Generic Groups - Neal Koblitz And (2006)

No context found.

T. Matsumoto, K. Kato, and H. Imai, Speeding up secret computations with insecure auxiliary devices, Advances in Cryptology -- Crypto '88, LNCS 403, Springer-Verlag, 1990, pp. 497-506.


Improving Secure Server Performance by Re-balancing.. - Castelluccia.. (2005)   (1 citation)

No context found.

T. Matsumoto, K. Kato, and H. Imai, "Speeding up Secret Computations with Insecure Auxiliary Devices," Proceedings of Crypto '88, pp. 497--506, 1988.


Person Version [Year [[ DEC 3100 Sun 3/50 Sun 4/280 VAX 11/780 - Unix Bsd Baldwin

No context found.

T. Matsumoto, K. Kato, and H. Imai. Speeding up secret computations with insecure auxiliary devices. In Proceedings of Crypto '88, August 1988.


Generating RSA Keys on a Handheld Using an Untrusted Server - Modadugu, Boneh, Kim (2000)   (16 citations)

No context found.

T. Matsumoto, K. Kato, H. Imai, "Speeding up secret computations with insecure auxiliary devices", In proc. of Crypto '88, Lecture Notes in Computer Science, Vol. 403, Springer-Verlag, pp. 497-506, 1998.


Secure Outsourcing of Scientific Computations - Atallah, Rice (1998)

No context found.

T. Matsumoto, K. Kato, H. Imai, Speeding up secret computations with insecure auxiliary devices, CRYPTO, (1988), 497--506.


CiteSeer.IST - Copyright Penn State and NEC