Cryptology ePrint Archive: Report 2001/060

The Security of Practical Two-Party RSA Signature Schemes

Mihir Bellare and Ravi Sandhu

Abstract: In a two-party RSA signature scheme, a client and server, each holding a share of an RSA decryption exponent $d$, collaborate to compute an RSA signature under the corresponding public key $N,e$ known to both. This primitive is of growing interest in the domain of server-aided password-based security, where the client's share of $d$ is based on its password. To minimize cost, designers are looking at very simple, practical protocols based on the early ideas of Boyd, but their security is unclear. We analyze a class of these protocols. We suggest two notions of security for two-party signature schemes and provide proofs of security for the schemes in our class based on assumptions about RSA and the hash function underlying the scheme.

Category / Keywords: cryptographic protocols / Signatures, RSA, multi-party computation

Date: received 29 Jul 2001, last revised 9 Jun 2002

Contact author: mihir at cs ucsd edu

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20020610:021238 (All versions of this report)

Short URL: ia.cr/2001/060

Discussion forum: Show discussion | Start new discussion