International Journal of Network Security, Vol.2, No.2, PP.105–110, Mar. 2006 (http://isrc.nchu.edu.tw/ijns/)

Active Trial-and-error Attack on SASC Protocols

Heeyoul Kim, Younho Lee, Seong-Min Hong, and Hyunsoo Yoon
(Corresponding author: Seong-Min Hong)

Department of EECS, Korea Advanced Institute of Science and Technology
373-1 Guseng-dong, Yuseong-gu, Daejeon 305-701, Rep. of Korea
(Email: {hykim, yhlee, smhong, hyoon}@camars.kaist.ac.kr)

(Received July 1, 2005; revised and accepted Aug. 2, 2005)

Abstract

SASC (Server-Aided Secret Computation) protocols enable a client (a smart card) to borrow computing power from a server (e.g., an untrustworthy auxiliary device such as an ATM) without revealing its secret information. In this paper, we propose a new active attack on server-aided secret computation protocols. We describe our attack using Beguin and Quisquater's protocol. (We modify the protocol in order to immunize it against Nguyen and Stern's lattice reduction attack.) The proposed attack reduces the search space $P$ to $\frac{1}{p} + pP$, where $0 < p < 1$; for the optimal $p$ this is $2\sqrt{P}$. In practice it is an effective threat to SASC protocols because an attacker can choose an appropriate value of $p$ according to the situation. Therefore, the security parameters in the existing SASC protocols must be reconsidered.

Keywords: Active attack, SASC protocol, smart card

1 Introduction

Management of secret information is one of the most important problems that needs to be solved in cryptosystems. In public-key cryptosystems such as RSA [14], a device that can carry the secret information is especially necessary because of their large key sizes. Smart cards (plastic cards with IC chips attached) are very useful for this purpose due to their portability and security. They also have computing capability, and are widely used as electronic wallets in electronic commerce, as ID cards, and so on.
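The abstract states that the search space drops from $P$ to $\frac{1}{p} + pP$ and that the best choice of $p$ gives $2\sqrt{P}$. The derivation below is added here and is not part of the original paper; it uses only the abstract's symbols and treats $p$ as a real parameter in $(0,1)$ with $P > 1$ (an assumption, so that the optimum lies inside the interval).

```latex
\begin{align*}
f(p) &= \frac{1}{p} + pP, \qquad 0 < p < 1 \\[4pt]
f'(p) &= -\frac{1}{p^{2}} + P = 0
  \;\Longrightarrow\; p^{*} = \frac{1}{\sqrt{P}} \in (0,1) \quad (P > 1) \\[4pt]
f''(p) &= \frac{2}{p^{3}} > 0 \quad \text{for } p > 0,
  \text{ so } p^{*} \text{ is the unique minimum} \\[4pt]
f(p^{*}) &= \sqrt{P} + \frac{P}{\sqrt{P}} = 2\sqrt{P} \\[8pt]
\intertext{The same bound follows from the AM--GM inequality, with equality exactly when $1/p = pP$:}
\frac{1}{p} + pP &\;\ge\; 2\sqrt{\frac{1}{p}\cdot pP} \;=\; 2\sqrt{P}
\end{align*}
```

The attacker is not tied to $p^{*}$: any $p$ in $(0,1)$ with $\frac{1}{p} + pP < P$ already shrinks the search space below $P$, which is why the abstract stresses that $p$ can be chosen to fit the situation.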
However, RSA signature generation requires such heavy computation that devices with poor computing power, such as smart cards, cannot perform it efficiently. To address this weakness, there have been many studies on how to enable a smart card to borrow computing power from a server. (As a smart card is generally used in cooperation with auxiliary devices such as ATMs, it is natural to put more computing power into a few large servers than into portable smart cards.)

SASC (Server-Aided Secret Computation) protocols enable a smart card (a client) to perform secret computations faster with the aid of a server (an untrusted auxiliary device such as an ATM). Matsumoto, Kato, and Imai proposed the first SASC protocol for RSA signature generation [11], and it significantly accelerated the computation. Afterwards, many effective attacks that threaten SASC protocols were designed, and the corresponding countermeasures were also proposed [1, 2, 4, 5, 6, 7, 8, 9, 10, 12, 13, 16, 17]. The previous studies on this topic are reviewed in detail in [3, 8].

Attacks on SASC protocols are divided into two groups: passive attacks and active ones. A passive attack does not disturb the protocol and uses only the information that can be obtained by observing it. Representative passive attacks are Pfitzmann and Waidner's birthday-like attack [13] and Nguyen and Stern's orthogonal lattice reduction attack [12]. In an active attack, on the other hand, the attacker participates in the protocol as a malicious server and obtains additional information by returning wrong results to the client. Representative active attacks include Anderson's one-round attack, which uses prime numbers [1]; Shimbo and Kawamura's factorization attack [15] and Lim and Lee's generalized version of it [8]; and Pfitzmann and Waidner's multi-round attack, which uses the Jacobi symbol [13].
The one-round active attacks, which can break the system in one step, are prevented by checking at the client whether the resulting signature is correct [1, 8, 15]. However, final signature checking cannot be a countermeasure against the multi-round attack, which reveals some information by observing whether the client produces the correct signature [13].

Three protocols were designed to be secure against Pfitzmann and Waidner's multi-round active attack. Beguin and Quisquater proposed a server-aided RSA computation protocol that is secure against all known passive and active attacks including the multi-