Paper 2018/878

RSA Signatures Under Hardware Restrictions

Marc Joye and Yan Michalevsky

Abstract

We would like to compute RSA signatures with the help of a Hardware Security Module (HSM). But what can we do when we want to use a certain public exponent that the HSM does not allow or support? Surprisingly, this scenario comes up in real-world settings such as code-signing of Intel SGX enclaves. Intel SGX enclaves have to be signed in order to execute in release mode, using 3072-bit RSA signature scheme with a particular public exponent. However, we encountered commercial hardware security modules that do not support storing RSA keys corresponding to this exponent. We ask whether it is possible to overcome such a limitation of an HSM and answer it in the affirmative (under stated assumptions). We show how to convert RSA signatures corresponding to one public exponent, to valid RSA signatures corresponding to another exponent. We define security and show that it is not compromised by the additional public knowledge available to an adversary in this setting.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Attacks and Solutions in Hardware Security (ASHES 2018)
DOI
10.1145/3266444.3266451
Keywords
RSA
Contact author(s)
yanm2 @ cs stanford edu
History
2018-09-23: received
Short URL
https://ia.cr/2018/878
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/878,
      author = {Marc Joye and Yan Michalevsky},
      title = {{RSA} Signatures Under Hardware Restrictions},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/878},
      year = {2018},
      doi = {10.1145/3266444.3266451},
      url = {https://eprint.iacr.org/2018/878}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.