On verifiable implicit asking protocols for RSA computation

Abstract

The verifiable implicit asking is to speed up a certain feasible computation (e.g., y = xd rood n) based on a secret (d) stored in a relatively powerless device (called Client) with the help of powerful device(s) (called Server(s)) in such a way that Client can check the behavior of Server(s) and that the leakage of the secret to Server(s) should be suppressed as much as possible. Possible attacks to obtain Client's secret are classified into passive and active attacks. Passive attacks can be completely nullified by dividing the target computation into two parts so that one depends on d but the other does not and then by asking Server to do only the latter part. However since such a method brings relatively low speed-up performance, we discuss a method to obtain verifiable implicit asking protocols highly secure against passive attacks by modifying some base protocols which are fast enough but not completely free from passive attacks since sending to Server some information not independent from d.