Attacks on Protocols for Server-Aided RSA Computation

On Crypto ’88, Matsumoto, Kato, and Imai presented protocols to speed up secret computations with insecure auxiliary devices. The two most important protocols enable a smart card to compute the secret RSA operation faster with the help of a server that is not necessarily trusted by the card holder. It was stated that if RSA is secure, the protocols could only be broken by exhaustive search in certain spaces. Our main attacks show that much smaller search spaces suffice. These attacks are passive and therefore undetectable. It was already known that one of the protocols is vulnerable to active attacks. We show that this holds for the other protocol, too. More importantly, we show that our attack may still work if the smart card checks the correctness of the result; this was previously believed to be an easy measure excluding all active attacks. Finally, we discuss attacks on related protocols.