CryptoDB
The Security of Practical Two-Party RSA Signature Schemes
| Authors: | |
|---|---|
| Download: | |
| Abstract: | In a two-party RSA signature scheme, a client and server, each holding a share of an RSA decryption exponent $d$, collaborate to compute an RSA signature under the corresponding public key $N,e$ known to both. This primitive is of growing interest in the domain of server-aided password-based security, where the client's share of $d$ is based on its password. To minimize cost, designers are looking at very simple, practical protocols based on the early ideas of Boyd, but their security is unclear. We analyze a class of these protocols. We suggest two notions of security for two-party signature schemes and provide proofs of security for the schemes in our class based on assumptions about RSA and the hash function underlying the scheme. |
BibTeX
@misc{eprint-2001-11472,
title={The Security of Practical Two-Party RSA Signature Schemes},
booktitle={IACR Eprint archive},
keywords={cryptographic protocols / Signatures, RSA, multi-party computation},
url={http://eprint.iacr.org/2001/060},
note={ mihir@cs.ucsd.edu 11848 received 29 Jul 2001, last revised 9 Jun 2002},
author={Mihir Bellare and Ravi Sandhu},
year=2001
}