A New Efficient Server-Aided RSA Secret Computation Protocol against Active Attacks

In the RSA signature scheme [17], the secret computation M mod N is the most time consuming operation, where N is the product of two large prime numbers and d is the secret key. To perform this operation is hard for the device with limited computation power, so Matsumoto et al. [13] proposed the idea of server-aided secret computation protocols. In a server-aided secret computation protocol, the device with limited computation power is the client while the device with huge computation power is the server. With the help of a server, a client performs the secret computation easily without releasing the secret key of the client. Many protocols are proposed for the RSA secret computation. According to the relation between the transmitted data and the secret key, these protocols are classified into two classes: the dependent protocols [7], [10]–[14] and the independent protocols [9], [16]. For the independent protocols, there is no relation between transmitted data and secret key. On the other hand, for the dependent protocols, there is a relation between the transmitted data and the secret key. To break these protocols, there are two kinds of the proposed attacks: the active attacks [1]–[4], [6], [15], [18] and the passive attacks [2], [7], [15]. By the passive attacks, an intruder derives the secret data of the client only from the transmitted data of the client. By the active attacks, the server first sends the altered data with some special form to the client. Then the server may discover the secret data of the client from the final result of the secret computation. To remove the threat of active attacks, [2], [15] sug-