Fast Server-Aided RSA Signatures Secure Against Active Attacks
Advances in Cryptology - CRYPTO '95, 1995
Cited by 22 (0 self)
Abstract: Small units like chip cards have the possibility of computing, storing and protecting data. Today such chip cards have limited computing power, so some cryptoprotocols are too slow. Some new chip cards with secure fast coprocessors are coming but are not very reliable at the moment and a little bit expensive for some applications. In banking applications there are few servers (ATMs) relative to many small units: it is a better strategy to put the computing power into a few large servers than into the not-very-often-used cards. A possible solution is to use the computing power of the (insecure) server to help the chip card. But it remains an open question whether it is possible to significantly accelerate RSA signatures using an insecure server with the possibility of active attacks: that is, when the server returns false values to get some part of the secret from the card. In this paper, we propose a new efficient protocol for accelerating RSA signatures, resistant against all known activ...
Secure Outsourcing of Sequence Comparisons
Cited by 20 (5 self)
Abstract: Large-scale problems in the physical and life sciences are being revolutionized by Internet computing technologies, like grid computing, that make possible the massive cooperative sharing of computational power, bandwidth, storage, and data. A weak computational device, once connected to such a grid, is no longer limited by its slow speed, small amounts of local storage, and limited bandwidth: it can avail itself of the abundance of these resources that is available elsewhere on the network. An impediment to the use of "computational outsourcing" is that the data in question is often sensitive, e.g., of national security importance, or proprietary and containing commercial secrets, or to be kept private for legal requirements such as the HIPAA legislation, Gramm-Leach-Bliley, or similar laws. This motivates the design of techniques for computational outsourcing in a privacy-preserving manner, i.e., without revealing to the remote agents whose computational power is being used either one's data or the outcome of the computation on the data. This paper investigates such secure outsourcing for widely applicable sequence comparison problems, and gives an efficient protocol for a
Secure outsourcing of scientific computations
Advances in Computers, 1998
Cited by 20 (2 self)
Abstract: We investigate the outsourcing of numerical and scientific computations using the following framework: a customer who needs computations done but lacks the computational resources (computing power, appropriate software, or programming expertise) to do these locally would like to use an external agent to perform these computations. This currently arises in many practical situations, including the financial services and petroleum services industries. The outsourcing is secure if it is done without revealing to the external agent either the actual data or the actual answer to the computations. The general idea is for the customer to do some carefully designed local preprocessing (disguising) of the problem and/or data before sending it to the agent, and also some local postprocessing of the answer returned to extract the true answer. The disguise process should be as lightweight as possible, e.g., take time proportional to the size of the input and answer. The disguise preprocessing that the customer performs locally to "hide" the real computation can change the numerical properties of the computation, so that numerical stability must be considered as well as security and computational performance. We present a framework for disguising scientific computations and discuss their costs, numerical
The Béguin-Quisquater Server-Aided RSA Protocol from Crypto '95 is not Secure
In Proc. of ASIACRYPT '98, volume 1514 of LNCS, 1998
Cited by 19 (7 self)
Abstract: A well-known cryptographic scenario is the following: a smart card wishes to compute an RSA signature with the help of an untrusted powerful server. Several protocols have been proposed to solve this problem, and many have been broken. There exist two kinds of attacks against such protocols: passive attacks (where the server follows the instructions) and active attacks (where the server may return false values). An open question in this field is the existence of efficient protocols (without expensive precomputations) provably secure against both passive and active attacks. At Crypto '95, Béguin and Quisquater tried to answer this question by proposing an efficient protocol which was resistant against all known passive and active attacks. In this paper, we present a very effective lattice-based passive attack against this protocol. An implementation is able to recover the secret factorization of an RSA-512 or RSA-768 key in less than 5 minutes once the card has produced about 50 signa...
Security and Performance of Server-Aided RSA Computation Protocols
Advances in Cryptology - CRYPTO '95, 1995
Cited by 17 (1 self)
Abstract: This paper investigates various security issues and provides possible improvements on server-aided RSA computation schemes, mainly focused on the two-phase protocols, RSA-S1M and RSA-S2M, proposed by Matsumoto et al. [4]. We first present new active attacks on these protocols when the final result is not checked. A server-aided protocol is then proposed in which the client can check the computed signature in at most six multiplications irrespective of the size of the public exponent. Next we consider multi-round active attacks on the protocol with correctness check and show that parameter restrictions cannot defeat such attacks. We thus assume that the secret exponent is newly decomposed in each run of the protocol and discuss some means of speeding up this preprocessing step. Finally, considering the implementation-dependent attack, we propose a new method for decomposing the secret and performing the required computation efficiently.
Speeding up Exponentiation using an Untrusted Computational Resource
Memo 469, MIT CSAIL Computation Structures Group, 2003
Cited by 5 (0 self)
Abstract: We present protocols for speeding up fixed-base exponentiation and variable-base exponentiation using an untrusted computation resource. In the fixed-base protocols, the base and exponent may be blinded. If the exponent is fixed, the base may be blinded in the variable-base exponentiation protocols. The protocols are the first ones for accelerating exponentiation with the aid of an untrusted resource in arbitrary cyclic groups. We also describe how to use the protocols to construct protocols that do, with the aid of an untrusted resource, exponentiation modulo an integer where the modulus is the product of primes with single multiplicity. One application of the protocols is to speed up exponentiation-based verification in discrete-log-based signature and credential schemes. For example, the protocols can be applied to speeding up, on small devices, the verification of signatures in DSS, El Gamal, and Schnorr's signature schemes, and the verification of digital credentials in Brands' credential system. The protocols use precomputation and we prove that they are unconditionally secure. We analyze the performance of our variable-base protocols where the exponentiation is modulo a prime p: the protocols provide an asymptotic speedup of about O(0.24 (k log k)^{2/3}), where k = log p, over the square-and-multiply algorithm, without compromising security.
Secure acceleration of DSS signatures using insecure server
In Asiacrypt '94
Cited by 4 (1 self)
Abstract: Small units like chip cards (smart cards) have the possibility of computing, storing and protecting data. Today such chip cards have limited computing power and some cryptoprotocols are too slow. Some new chip cards with secure coprocessors are coming but are not very reliable at the moment and a little bit expensive. A possible alternative solution is to use an auxiliary unit in order to help the chip card. The known protocols are not very secure or are not efficient. We show how to accelerate the computation of a × b mod c and of a^t mod c where a, b, c, t are public. Next we show how to accelerate the discrete exponential modulo a prime number: this protocol is useful to accelerate DSS signatures and other schemes. This protocol is also the first one accelerating DSS signatures with the help of an insecure server: it is secure against both passive and active attacks (that is, when the server sends false values to get some information from the card). Moreover, this protocol ...
Server(Prover/Signer)-Aided Verification of Identity Proofs and Signatures
In Eurocrypt '95, 1995
Cited by 2 (0 self)
Abstract: Discrete log based identification and signature schemes are well-suited to identity proof and signature generation, but not suitable for verification, by smart cards, due to their highly asymmetric computational load between the prover/signer and the verifier. In this paper, we present very efficient and practical protocols for fast verification in these schemes, where the verifier with limited computing power performs its computation fast with the aid of the powerful prover/signer. The proposed protocols require very small amounts of computation and communication. The prover/signer only needs to perform a few modular exponentiations in real time and the two interacting parties only need to communicate a few long numbers. Using the proposed prover-aided verification (PAV) protocol, the verifier can perform the Schnorr-like identification scheme almost as fast as the Guillou-Quisquater scheme. We generalize the PAV protocol into the signer-aided verification (SAV) protocol, which can ...
Secure outsourcing of some computations
1996
Cited by 1 (0 self)
Abstract: The rapid growth of the Internet facilitates the outsourcing of certain computations, in the following sense: a customer who needs these computations done on some data but lacks the computational resources (or programming expertise) to do so can use an external agent to perform these computations. This currently arises in many practical situations, including the financial services and petroleum services industries. The outsourcing is secure if it is done without revealing to the agent either the actual data or the actual answer to the computation. In this paper we describe how representative operations (matrix multiplication, matrix inversion, solution of a linear system of equations, convolution, and sorting) can be securely outsourced in a practical sense. The general idea is for the customer to do some carefully designed local preprocessing of the data before sending it to the agent, and also some local postprocessing of the answer returned by the agent to extract from it the true answer. The pre- and postprocessing should not take time more than proportional to the size of the input, which is unavoidable because the customer must at least read the input once. The purpose of the preprocessing step that the customer performs locally is to "hide" the real data with suitably chosen noise, sending the obfuscated data to the agent. The purpose of the postprocessing is to extract from the noisy answer returned by the agent the true answer that the customer seeks.
Secure Outsourced Computation of Iris Matching
Cited by 1 (1 self)
Abstract: Today biometric data propagate more heavily into our lives. With more ubiquitous use of such data, computations over biometrics become more prevalent as well. While it is well understood that privacy of biometric data must be protected, computations over biometric data often involve untrusted participants or servers, be it a cross check between different agencies who are not permitted to share the data, or a researcher testing a new biometric matching algorithm on a large scale that forces the computation to be placed on a grid. Unarguably, it would be desirable to secure computation over sensitive biometric data in such environments. Currently, no secure techniques for outsourcing biometric comparisons or searching are readily available, and this work makes the first step at designing solutions for secure outsourcing of iris identification to one or more untrusted servers. We develop new solutions for the single-server (i.e., non-interactive) and multiple-server settings that use significantly different techniques. Furthermore, we carry out extensive experimentation on a database of iris codes to both validate the findings and achieve efficiency improvements.