On Two Kinds of Flaws in Some Server-Aided Verification Schemes

At Asiacrypt’05, Girault and Lefranc introduced the primitive of server-aided verification (SAV). In the proposed model, the server is assumed to be untrusted but is supposed to not collude with the legitimate prover. At ProvSec’08, Wu et al. have generalized the GiraultLefranc SAV model by allowing the server to collude with the legitimate prover, and presented two corresponding SAV signature schemes, SAV-BLS-1 and SAV-BLS-2. In this paper, we argue that the SAV-BLS-1 scheme is somewhat artificial because the computational gain in the scheme is at the expense of additional communication costs. This is a common flaw in most outsourcing computation proposals which have neglected the comparisons between the computational gain and the incurred communication costs. We show also that the SAV-BLS-2 scheme is insecure against collusion attacks. It is another common flaw to have the verifier delegate most computations to the server in a way that prevent the verifier to confirm that the returned values are really bound to the signer’s public key.