An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol
Stanislaw Jarecki, Nitesh Saxena, Jeong Hyun Yi


Recently, Luo, et al. in a series of papers [LL00, KZLLZ01, KLXL02, LZKLZ02, LKZLZ04] proposed a system called URSA for providing ubiquitous and robust access control in mobile ad hoc networks without relying on a centralized authority. The URSA system relies on the new proactive RSA signature scheme, which allows members in an ad hoc group to make access control decisions in a distributed manner. The proposed proactive RSA signature scheme is assumed secure as long as no more than an allowed threshold of participating members is simultaneously corrupted at any point in the lifetime of the scheme.

In this paper we show an attack on this proposed proactive RSA scheme, in which an admissible threshold of malicious group members can completely recover the group RSA secret key in the course of the lifetime of this scheme. Our attack stems from the fact that the threshold signature protocol which is a part of this proactive RSA scheme leaks some seemingly innocuous information about the secret signature key. We show how the corrupted members can influence the execution of the scheme in such a way so that the slowly leaked information is used to reconstruct the entire shared secret.