Fast Server-Aided RSA Signatures Secure Against Active Attacks
- Advances in Cryptology - CRYPTO ’95, 1995
Cited by 22 (0 self)
Abstract: Small units like chip cards have the possibility of computing, storing and protecting data. Today such chip cards have limited computing power, so some cryptoprotocols are too slow. Some new chip cards with secure fast coprocessors are coming but are not very reliable at the moment and a little bit expensive for some applications. In banking applications there are few servers (ATM) relative to many small units: it is a better strategy to put the computing power into few large servers than into the not-very-often used cards. A possible solution is to use the computing power of the (insecure) server to help the chip card. But it remains an open question whether it is possible to significantly accelerate RSA signatures using an insecure server with the possibility of active attacks: that is, when the server returns false values to get some part of the secret from the card. In this paper, we propose a new efficient protocol for accelerating RSA signatures, resistant against all known activ...
Speeding up Exponentiation using an Untrusted Computational Resource
- MEMO 469, MIT CSAIL Computation Structures Group, 2003
Cited by 4 (0 self)
Abstract: We present protocols for speeding up fixed-base exponentiation and variable-base exponentiation using an untrusted computation resource. In the fixed-base protocols, the base and exponent may be blinded. If the exponent is fixed, the base may be blinded in the variable-base exponentiation protocols. The protocols are the first ones for accelerating exponentiation with the aid of an untrusted resource in arbitrary cyclic groups. We also describe how to use the protocols to construct protocols that do, with the aid of an untrusted resource, exponentiation modulo an integer where the modulus is the product of primes with single multiplicity. One application of the protocols is to speed up exponentiation-based verification in discrete-log-based signature and credential schemes. For example, the protocols can be applied to speeding up, on small devices, the verification of signatures in DSS, El Gamal, and Schnorr’s signature schemes, and the verification of digital credentials in Brands’ credential system. The protocols use precomputation and we prove that they are unconditionally secure. We analyze the performance of our variable-base protocols where the exponentiation is modulo a prime p: the protocols provide an asymptotic speedup of about $O(0.24 (k \log k)^{2/3})$, where $k = \log p$, over the square-and-multiply algorithm, without compromising security.
Accelerating Key Establishment Protocols for Mobile Communication
, 2001
Cited by 2 (0 self)
Abstract: Mobile communication is more vulnerable to security attacks such as interception and unauthorized access than fixed network communication. To overcome these problems, many protocols have been proposed to provide a secure channel between a mobile station and a base station. However, the public-key based protocols are not fully utilized due to the poor computing power and the small battery capacity of a mobile station. In this paper, we propose some techniques for accelerating public-key based key establishment protocols between a mobile station and a base station. The proposed techniques enable a mobile station to borrow computing power from a base station without revealing its secret information. The proposed schemes accelerate the previous protocols up to five times and reduce the power consumption of a mobile station. The proposed schemes use SASC (Server-Aided Secret Computation) protocols that are used for smart cards. Our insight is that the unbalanced prope...
Active Trial-and-error Attack on SASC Protocols
, 2005
Abstract: SASC (Server-Aided Secret Computation) protocols enable a client (a smart card) to borrow computing power from a server (e.g., an untrustworthy auxiliary device like an ATM) without revealing its secret information. In this paper, we propose a new active attack on server-aided secret computation protocols. We describe our attack by using Beguin and Quisquater’s protocol. (We modify the protocol in order to immunize it against Nguyen and Stern’s lattice reduction attack.) The proposed attack reduces the search space $P$ to $\frac{1}{p} + pP$, where $0 < p < 1$. It is $2\sqrt{P}$ for optimal $p$. Practically, it effectively threatens SASC protocols because an attacker can choose an appropriate value $p$ according to the situation. Therefore, the security parameters in the existing SASC protocols must be reconsidered.

