Abstract
A well-known cryptographic scenario is the following: a smart card wishes to compute an RSA signature with the help of an untrusted powerful server. Several protocols have been proposed to solve this problem, and many have been broken. There exist two kinds of attacks against such protocols: passive attacks (where the server follows the instructions) and active attacks (where the server may return false values). An open question in this field is the existence of efficient protocols (without expensive precomputations) provably secure against both passive and active attacks. At Crypto '95, Béguin and Quisquater tried to answer this question by proposing an efficient protocol which was resistant against all known passive and active attacks. In this paper, we present a very effective lattice-based passive attack against this protocol. An implementation is able to recover the secret factorization of an RSA-512 or RSA-768 key in less than 5 minutes once the card has produced about 50 signatures. The core of our attack is the basic notion of an orthogonal lattice which we introduced at Crypto '97 as a cryptographic tool.
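The orthogonal lattice named in the last sentence is the only technique the abstract itself identifies, so the following added example (not code from the paper, which contains no implementation, and not a reproduction of the Béguin-Quisquater protocol or of the attack on it) shows what that tool does in its simplest form: given a public integer vector u, LLL-reduce a scaled embedding of u to obtain a basis of u^⊥, the lattice of integer vectors orthogonal to u; its shortest vectors expose any hidden short linear relation among the entries of u. The vectors `SECRET_X` and `PUBLIC_U`, the scale constant 2^80 and all function names are constructed here for illustration.

```python
"""Orthogonal-lattice toy: recover a hidden short linear relation with LLL.

Added illustration of the orthogonal-lattice tool; everything below
(vectors, constants, function names) is constructed, not from the paper.
"""
from fractions import Fraction


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def gram_schmidt(b):
    """Exact Gram-Schmidt of integer rows b; returns (b*, mu)."""
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals; adequate for the tiny dimensions here."""
    b = [list(row) for row in basis]
    n = len(b)
    bstar, mu = gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):            # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        lhs = dot(bstar[k], bstar[k])
        rhs = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if lhs >= rhs:                            # Lovasz condition holds
            k += 1
        else:                                     # swap and step back
            b[k - 1], b[k] = b[k], b[k - 1]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def orthogonal_lattice(u, scale=2 ** 80):
    """LLL-reduced basis of u^perp = {y in Z^n : <u, y> = 0}.

    Row i of the embedding is (scale*u_i, e_i).  With scale far above ||u||,
    any reduced vector whose first coordinate is non-zero has norm >= scale,
    so the first n-1 reduced rows have first coordinate 0 and their tails
    form a reduced basis of u^perp.
    """
    n = len(u)
    embedded = [[scale * u[i]] + [int(i == j) for j in range(n)] for i in range(n)]
    reduced = lll(embedded)
    if any(row[0] != 0 for row in reduced[: n - 1]):
        raise ValueError("scale too small for this u")
    return [row[1:] for row in reduced[: n - 1]]


def recover_short_relation(u):
    """First (shortest) vector of the reduced u^perp basis, sign-normalised."""
    y = orthogonal_lattice(u)[0]
    lead = next(v for v in y if v != 0)
    return y if lead > 0 else [-v for v in y]


def build_public_vector(x, prefix):
    """Constructed demo input: pick u with <u, x> = 0 (x must end in 1)."""
    assert x[-1] == 1 and len(prefix) == len(x) - 1
    return prefix + [-dot(prefix, x[:-1])]


# Constructed secret relation and public 40-bit-ish values (assumed, not from the paper).
SECRET_X = [2, -1, 3, 1, -2, 1]
PUBLIC_U = build_public_vector(
    SECRET_X, [1099511627689, 987654321987, 1234567890123, 555555555557, 1000000000039]
)

if __name__ == "__main__":
    print("public u:", PUBLIC_U)
    print("recovered relation:", recover_short_relation(PUBLIC_U))
```

Why this works: u^⊥ has rank n-1 and determinant about ||u||, so its typical vectors have length around ||u||^{1/(n-1)} (several hundred for the values above), while the planted relation has norm sqrt(20). LLL's approximation guarantee is far tighter than that gap, so the reduced basis starts with ±SECRET_X. This exact-rational LLL is for reading, not for production; a practitioner reproducing a lattice attack at RSA-512 or RSA-768 scale would use fplll or an equivalent floating-point implementation.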
Nguyen, P., & Stern, J. (1998). The Béguin-Quisquater server-aided RSA protocol from Crypto '95 is not secure. In Lecture Notes in Computer Science (Vol. 1514, pp. 372–379). Springer Verlag. https://doi.org/10.1007/3-540-49649-1_29