Paper 2001/060

The Security of Practical Two-Party RSA Signature Schemes

Mihir Bellare and Ravi Sandhu

Abstract

In a two-party RSA signature scheme, a client and server, each holding a share of an RSA decryption exponent $d$, collaborate to compute an RSA signature under the corresponding public key $N,e$ known to both. This primitive is of growing interest in the domain of server-aided password-based security, where the client's share of $d$ is based on its password. To minimize cost, designers are looking at very simple, practical protocols based on the early ideas of Boyd, but their security is unclear. We analyze a class of these protocols. We suggest two notions of security for two-party signature schemes and provide proofs of security for the schemes in our class based on assumptions about RSA and the hash function underlying the scheme.

Metadata
Available format(s)
PDF PS
Category
Cryptographic protocols
Publication info
Published elsewhere. Unknown where it was published
Keywords
SignaturesRSAmulti-party computation
Contact author(s)
mihir @ cs ucsd edu
History
2002-06-10: last of 2 revisions
2001-07-29: received
See all versions
Short URL
https://ia.cr/2001/060
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2001/060,
      author = {Mihir Bellare and Ravi Sandhu},
      title = {The Security of Practical Two-Party {RSA} Signature Schemes},
      howpublished = {Cryptology {ePrint} Archive, Paper 2001/060},
      year = {2001},
      url = {https://eprint.iacr.org/2001/060}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.