An active attack on protocols for server-aided RSA signature computation

The main purpose of server-aided RSA signature computation protocols is to make use of an auxiliary processor to speed up the RSA signature computations to be performed by a device with limited processing power. However, all server-aided secret computation protocols are vulnerable to active attacks. A malicious server can manipulate the data provided to the client, and try to derive useful information about the secret exponent from the result released by the client. Most of the active attacks can be defeated if the client verifies the correctness of the final result before releasing it. In this paper, we propose a powerful active attack which can make the server-aided protocols insecure even if the client verifies the final signature. (C) 1998 Elsevier Science B.V.