CryptoDB
The Security of Practical Two-Party RSA Signature Schemes
Authors: | |
---|---|
Download: | |
Abstract: | In a two-party RSA signature scheme, a client and server, each holding a share of an RSA decryption exponent $d$, collaborate to compute an RSA signature under the corresponding public key $N,e$ known to both. This primitive is of growing interest in the domain of server-aided password-based security, where the client's share of $d$ is based on its password. To minimize cost, designers are looking at very simple, practical protocols based on the early ideas of Boyd, but their security is unclear. We analyze a class of these protocols. We suggest two notions of security for two-party signature schemes and provide proofs of security for the schemes in our class based on assumptions about RSA and the hash function underlying the scheme. |
BibTeX
@misc{eprint-2001-11472, title={The Security of Practical Two-Party RSA Signature Schemes}, booktitle={IACR Eprint archive}, keywords={cryptographic protocols / Signatures, RSA, multi-party computation}, url={http://eprint.iacr.org/2001/060}, note={ mihir@cs.ucsd.edu 11848 received 29 Jul 2001, last revised 9 Jun 2002}, author={Mihir Bellare and Ravi Sandhu}, year=2001 }