[Resource Topic] 2001/060: The Security of Practical Two-Party RSA Signature Schemes

Welcome to the resource topic for 2001/060

The Security of Practical Two-Party RSA Signature Schemes

Authors: Mihir Bellare, Ravi Sandhu


In a two-party RSA signature scheme, a client and server, each
holding a share of an RSA decryption exponent d, collaborate to compute an
RSA signature under the corresponding public key N,e known to both. This
primitive is of growing interest in the domain of server-aided password-based
security, where the client’s share of d is based on its password. To minimize
cost, designers are looking at very simple, practical protocols based on the
early ideas of Boyd, but their security is unclear. We analyze a class of these
protocols. We suggest two notions of security for two-party signature schemes
and provide proofs of security for the schemes in our class based on
assumptions about RSA and the hash function underlying the scheme.

ePrint: https://eprint.iacr.org/2001/060

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .