International audienceWe analyze the security and the efficiency of interactive protocols where a client wants to delegate the computation of an RSA signature given a public key, a public message and the secret signing exponent. We consider several protocols where the secret exponent is splitted using some algebraic decomposition. We first provide an exhaustive analysis of the delegation protocols in which the client outsources a single RSA exponentiation to the server. We then revisit the security of the protocols RSA-S1 and RSA-S2 that were proposed by Matsumoto, Kato and Imai in 1988. We present an improved lattice-based attack on RSA-S1 and we propose a simple variant of this protocol that provides better efficiency for the same securit...
AbstractMany cryptographic protocols and attacks on these protocols make use of the fact that the or...
In a two-party RSA signature scheme, a client and server, each holding a share of an RSA decryption ...
In this paper, secure two-party protocols are provided in order to securely generate a random $k$-bi...
International audienceWe address the problem of speeding up group computations in cryptography using...
International audienceLet (n = pq, e = n^β) be an RSA public key with private exponent d = n^δ , whe...
International audienceThis paper presents three new attacks on the RSA cryptosystem. The first two a...
Many public-key cryptosystems and, more generally, cryptographic protocols, use group exponentiation...
We introduce the notion of Linear Integer Secret-Sharing (LISS) schemes, and show constructions of s...
International audienceThis article introduces a new Combined Attack on a CRT-RSA implementation resi...
We present two new, highly efficient, protocols for securely generating a distributed RSA key pair i...
In this paper we propose a variant of RSA public key scheme, called "Hidden Exponent RSA"...
Group exponentiation is an important operation used in many cryptographic protocols, specifically pu...
Many public-key cryptosystems and, more generally, cryptographic protocols, use group exponentiation...
International audiencePublic-key cryptographic primitives are time-consuming for resource-constraine...
Abstract. Among all countermeasures that have been proposed to thw-art side-channel attacks against ...
AbstractMany cryptographic protocols and attacks on these protocols make use of the fact that the or...
In a two-party RSA signature scheme, a client and server, each holding a share of an RSA decryption ...
In this paper, secure two-party protocols are provided in order to securely generate a random $k$-bi...
International audienceWe address the problem of speeding up group computations in cryptography using...
International audienceLet (n = pq, e = n^β) be an RSA public key with private exponent d = n^δ , whe...
International audienceThis paper presents three new attacks on the RSA cryptosystem. The first two a...
Many public-key cryptosystems and, more generally, cryptographic protocols, use group exponentiation...
We introduce the notion of Linear Integer Secret-Sharing (LISS) schemes, and show constructions of s...
International audienceThis article introduces a new Combined Attack on a CRT-RSA implementation resi...
We present two new, highly efficient, protocols for securely generating a distributed RSA key pair i...
In this paper we propose a variant of RSA public key scheme, called "Hidden Exponent RSA"...
Group exponentiation is an important operation used in many cryptographic protocols, specifically pu...
Many public-key cryptosystems and, more generally, cryptographic protocols, use group exponentiation...
International audiencePublic-key cryptographic primitives are time-consuming for resource-constraine...
Abstract. Among all countermeasures that have been proposed to thw-art side-channel attacks against ...
AbstractMany cryptographic protocols and attacks on these protocols make use of the fact that the or...
In a two-party RSA signature scheme, a client and server, each holding a share of an RSA decryption ...
In this paper, secure two-party protocols are provided in order to securely generate a random $k$-bi...