International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Paper: The Security of Practical Two-Party RSA Signature Schemes

Authors:
Mihir Bellare
Ravi Sandhu
Download:
URL: http://eprint.iacr.org/2001/060
Search ePrint
Search Google
Abstract: In a two-party RSA signature scheme, a client and server, each holding a share of an RSA decryption exponent $d$, collaborate to compute an RSA signature under the corresponding public key $N,e$ known to both. This primitive is of growing interest in the domain of server-aided password-based security, where the client's share of $d$ is based on its password. To minimize cost, designers are looking at very simple, practical protocols based on the early ideas of Boyd, but their security is unclear. We analyze a class of these protocols. We suggest two notions of security for two-party signature schemes and provide proofs of security for the schemes in our class based on assumptions about RSA and the hash function underlying the scheme.
BibTeX
@misc{eprint-2001-11472,
  title={The Security of Practical Two-Party RSA Signature Schemes},
  booktitle={IACR Eprint archive},
  keywords={cryptographic protocols / Signatures, RSA, multi-party computation},
  url={http://eprint.iacr.org/2001/060},
  note={ mihir@cs.ucsd.edu 11848 received 29 Jul 2001, last revised 9 Jun 2002},
  author={Mihir Bellare and Ravi Sandhu},
  year=2001
}