{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:15:19Z","timestamp":1778040919308,"version":"3.51.4"},"reference-count":55,"publisher":"International Association for Cryptologic Research","issue":"1","license":[{"start":{"date-parts":[[2026,2,2]],"date-time":"2026-02-02T00:00:00Z","timestamp":1769990400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100002301","name":"Estonian Research Council","doi-asserted-by":"crossref","award":["PRG1780"],"award-info":[{"award-number":["PRG1780"]}],"id":[{"id":"10.13039\/501100002301","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2026,4,9]]},"abstract":"<jats:p>\n                    Smart-ID is a signing and authentication service available to residents of Belgium, Estonia, Iceland, Latvia and Lithuania. Such a smartphone-based signing service delivers the usability of software keys with the security guarantees of ID-cards by relying on a remote server to compensate for weak device protection. The security of the current Smart-ID relies on multi-prime server-supported RSA, password-authenticated key shares and a clone detection mechanism. Unfortunately, the security properties of the underlying protocol (Buldas et al. ESORICS 2017) have been specified only in a \u201cgame-based\u201d manner. In other words, there are no guarantees for the protocol being secure in a concurrent setting. 
We remedy this shortcoming by presenting two ideal functionalities\n                    <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                      <mml:mrow>\n                        <mml:msup>\n                          <mml:mi>\u2131<\/mml:mi>\n                          <mml:mrow>\n                            <mml:mtext mathvariant=\"sans-serif\">gSpl<\/mml:mtext>\n                          <\/mml:mrow>\n                        <\/mml:msup>\n                      <\/mml:mrow>\n                    <\/mml:math>\n                    and\n                    <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                      <mml:mrow>\n                        <mml:msubsup>\n                          <mml:mi>\u2131<\/mml:mi>\n                          <mml:mrow>\n                            <mml:mtext mathvariant=\"sans-serif\">Sig<\/mml:mtext>\n                          <\/mml:mrow>\n                          <mml:mrow>\n                            <mml:mtext mathvariant=\"sans-serif\">Spl<\/mml:mtext>\n                          <\/mml:mrow>\n                        <\/mml:msubsup>\n                      <\/mml:mrow>\n                    <\/mml:math>\n                    for server-supported signing in the Universal Composability model. 
We show that the improved RSA server-supported protocol realizes\n                    <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                      <mml:mrow>\n                        <mml:msup>\n                          <mml:mi>\u2131<\/mml:mi>\n                          <mml:mrow>\n                            <mml:mtext mathvariant=\"sans-serif\">gSpl<\/mml:mtext>\n                          <\/mml:mrow>\n                        <\/mml:msup>\n                      <\/mml:mrow>\n                    <\/mml:math>\n                    and give a practical example of a server-supported ECDSA protocol realizing\n                    <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                      <mml:mrow>\n                        <mml:msubsup>\n                          <mml:mi>\u2131<\/mml:mi>\n                          <mml:mrow>\n                            <mml:mtext mathvariant=\"sans-serif\">ECDSA<\/mml:mtext>\n                          <\/mml:mrow>\n                          <mml:mrow>\n                            <mml:mtext mathvariant=\"sans-serif\">Spl<\/mml:mtext>\n                          <\/mml:mrow>\n                        <\/mml:msubsup>\n                      <\/mml:mrow>\n                    <\/mml:math>\n                    .\n                  <\/jats:p>","DOI":"10.62056\/a3c3wa0kr","type":"journal-article","created":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T18:09:08Z","timestamp":1777918148000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Universally Composable Server-Supported Signatures for Smartphones"],"prefix":"10.62056","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1414-2080","authenticated-orcid":false,"given":"Nikita","family":"Snetkov","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/054gqc795","id-type":"ROR","asserted-by":"publisher"}],"name":"Cybernetica AS","place":["M\u00e4ealuse 
2\/1, Tallinn, 12618, Estonia"]},{"id":[{"id":"https:\/\/ror.org\/0443cwa12","id-type":"ROR","asserted-by":"publisher"}],"name":"Tallinn University of Technology","place":["Akadeemia tee 15a, Tallinn, 12618, Estonia"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6398-3663","authenticated-orcid":false,"given":"Jelizaveta","family":"Vakarjuk","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/054gqc795","id-type":"ROR","asserted-by":"publisher"}],"name":"Cybernetica AS","place":["M\u00e4ealuse 2\/1, Tallinn, 12618, Estonia"]},{"id":[{"id":"https:\/\/ror.org\/0443cwa12","id-type":"ROR","asserted-by":"publisher"}],"name":"Tallinn University of Technology","place":["Akadeemia tee 15a, Tallinn, 12618, Estonia"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9030-8142","authenticated-orcid":false,"given":"Peeter","family":"Laud","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/054gqc795","id-type":"ROR","asserted-by":"publisher"}],"name":"Cybernetica AS","place":["M\u00e4ealuse 2\/1, Tallinn, 12618, Estonia"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"48349","published-online":{"date-parts":[[2026,5,4]]},"reference":[{"key":"ref1:thresholdDef","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"120","DOI":"10.1007\/3-540-48184-2_8","article-title":"Society and Group Oriented Cryptography: A New Concept","volume":"293","author":"Yvo Desmedt","year":"1988"},{"key":"ref2:MPCdef","doi-asserted-by":"publisher","first-page":"86","DOI":"10.1145\/3387108","article-title":"Secure multiparty computation","volume":"64","author":"Yehuda Lindell","year":"2020","journal-title":"Commun. 
ACM","ISSN":"https:\/\/id.crossref.org\/issn\/0001-0782","issn-type":"electronic"},{"key":"ref3:SplitKey","doi-asserted-by":"publisher","first-page":"315","DOI":"10.1007\/978-3-319-66402-6_19","article-title":"Server-supported RSA signatures for mobile devices","author":"Ahto Buldas","year":"2017"},{"key":"ref4:NISTMPCcall","doi-asserted-by":"publisher","DOI":"10.6028\/nist.ir.8214c","volume-title":"NIST First Call for Multi-Party Threshold Schemes","author":"Luis Brando","year":"2026"},{"key":"ref5:splitkey-vs-smartcard","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"625","DOI":"10.1007\/978-3-031-25460-4_36","article-title":"A Comparison-Based Methodology for the Security Assurance of\n  Novel Systems","volume":"13785","author":"Peeter Laud","year":"2022"},{"key":"ref6:multiprimesec","doi-asserted-by":"publisher","first-page":"117","DOI":"10.1515\/JMC.2008.006","article-title":"On the security of multi-prime RSA","volume":"2","author":"M Jason Hinek","year":"2008","journal-title":"Journal of Mathematical Cryptology"},{"key":"ref7:CloneSarr","volume-title":"Cryptanalysis and Improvement of Smart-ID's Clone Detection\n  Mechanism","author":"Augustin P. Sarr","year":"2019"},{"key":"ref8:UC","doi-asserted-by":"publisher","first-page":"136","DOI":"10.1109\/SFCS.2001.959888","article-title":"Universally Composable Security: A New Paradigm for\n  Cryptographic Protocols","author":"Ran Canetti","year":"2001"},{"key":"ref9:UC_updated","doi-asserted-by":"publisher","DOI":"10.1145\/3402457","article-title":"Universally Composable Security","volume":"67","author":"Ran Canetti","year":"2020","journal-title":"J. 
ACM","ISSN":"https:\/\/id.crossref.org\/issn\/0004-5411","issn-type":"electronic"},{"key":"ref10:ARF","volume-title":"The European Digital Identity Wallet Architecture and\n  Reference Framework V2.4.0","author":"European Commission","year":"2025"},{"key":"ref11:mDL","volume-title":"Personal identification \u2014 ISO-compliant driving licence\n  \u2014 Part 5: Mobile driving licence (mDL) application","author":"ISO Central Secretary","year":"2021"},{"key":"ref12:w3c","volume-title":"Verifiable Credentials Data Model v2.0","author":"Manu Sporny","year":"2025"},{"key":"ref13:hybridTLS","volume-title":"Hybrid key exchange in TLS 1.3","author":"Douglas Stebila","year":"2023"},{"key":"ref14:transitioning","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/978-3-319-59879-6_22","article-title":"Transitioning to a Quantum-Resistant Public Key\n  Infrastructure","author":"Nina Bindel","year":"2017"},{"key":"ref15:Giron2023","doi-asserted-by":"publisher","first-page":"71","DOI":"10.1007\/s13389-022-00288-9","article-title":"Post-quantum hybrid key exchange: a systematic mapping\n  study","volume":"13","author":"Alexandre Augusto Giron","year":"2023","journal-title":"Journal of Cryptographic Engineering","ISSN":"https:\/\/id.crossref.org\/issn\/2190-8516","issn-type":"electronic"},{"key":"ref16:XueECDSA","doi-asserted-by":"publisher","first-page":"558","DOI":"10.1145\/3460120.3484803","article-title":"Efficient Online-friendly Two-Party ECDSA Signature","author":"Haiyang Xue","year":"2021"},{"key":"ref17:ServerSupportedDefinition","doi-asserted-by":"publisher","first-page":"91","DOI":"10.3233\/JCS-1997-5105","article-title":"Server-supported signatures*","volume":"5","author":"N. Asokan","year":"1997","journal-title":"Journal of Computer Security"},{"key":"ref18:mackenzie2003server","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1109\/SECPRI.2001.924284","article-title":"Networked Cryptographic Devices Resilient to Capture","author":"Philip D. 
MacKenzie","year":"2001"},{"key":"ref19:revisited-sss","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"143","DOI":"10.1007\/978-3-540-24660-2_12","article-title":"Server Assisted Signatures Revisited","volume":"2964","author":"Kemal Bicakci","year":"2004"},{"key":"ref20:improved-sss","doi-asserted-by":"publisher","first-page":"351","DOI":"10.1016\/j.comnet.2004.08.008","article-title":"Improved server assisted signatures","volume":"47","author":"Kemal Bicakci","year":"2005","journal-title":"Computer Networks","ISSN":"https:\/\/id.crossref.org\/issn\/1389-1286","issn-type":"electronic"},{"key":"ref21:password-based","isbn-type":"print","doi-asserted-by":"publisher","first-page":"17","DOI":"10.1007\/978-3-642-29804-2_2","article-title":"Password-Based Signatures","author":"Kristian Gj\u00f8steen","year":"2012","ISBN":"https:\/\/id.crossref.org\/isbn\/9783642298042"},{"key":"ref22:multisignatureDef","doi-asserted-by":"publisher","first-page":"432","DOI":"10.1145\/48012.48246","article-title":"A digital multisignature scheme using bijective public-key\n  cryptosystems","volume":"6","author":"Tatsuaki Okamoto","year":"1988","journal-title":"ACM Transactions on Computer Systems (TOCS)"},{"key":"ref23:YakshaServerSupported","doi-asserted-by":"publisher","first-page":"132","DOI":"10.1109\/NDSS.1995.390639","article-title":"Yaksha: augmenting Kerberos with public key cryptography","author":"R. Ganesan","year":"1995"},{"key":"ref24:MacKenzie2001server","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1145\/501983.501986","article-title":"Delegation of Cryptographic Servers for Capture-Resilient\n  Devices","author":"Philip D. 
MacKenzie","year":"2001"},{"key":"ref25:XuServerSupported","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"355","DOI":"10.1007\/3-540-36563-X_25","article-title":"Two Efficient and Provably Secure Schemes for\n  Server-Assisted Threshold Signatures","volume":"2612","author":"Shouhuai Xu","year":"2003"},{"key":"ref26:server-wallets24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"338","DOI":"10.1007\/978-3-031-71073-5_16","article-title":"Shared-Custodial Password-Authenticated Deterministic\n  Wallets","volume":"14974","author":"Poulami Das","year":"2024"},{"key":"ref27:VirtualSmartCard","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"353","DOI":"10.1007\/978-3-319-44618-9_19","article-title":"Virtual Smart Cards: How to Sign with a Password and a\n  Server","volume":"9841","author":"Jan Camenisch","year":"2016"},{"key":"ref28:brsim","doi-asserted-by":"publisher","first-page":"184","DOI":"10.1109\/SECPRI.2001.924298","article-title":"A Model for Asynchronous Reactive Systems and its\n  Application to Secure Message Transmission","author":"Birgit Pfitzmann","year":"2001"},{"key":"ref29:RSA-signing-original","doi-asserted-by":"publisher","first-page":"120","DOI":"10.1145\/359340.359342","article-title":"A method for obtaining digital signatures and public-key\n  cryptosystems","volume":"21","author":"R. L. Rivest","year":"1978","journal-title":"Commun. 
ACM","ISSN":"https:\/\/id.crossref.org\/issn\/0001-0782","issn-type":"electronic"},{"key":"ref30:RSA-FDH","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"399","DOI":"10.1007\/3-540-68339-9_34","article-title":"The Exact Security of Digital Signatures - How to Sign with\n  RSA and Rabin","volume":"1070","author":"Mihir Bellare","year":"1996"},{"key":"ref31:ECDSA","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1007\/s102070100002","article-title":"The Elliptic Curve Digital Signature Algorithm (ECDSA)","volume":"1","author":"Don Johnson","year":"2001","journal-title":"Int. J. Inf. Secur.","ISSN":"https:\/\/id.crossref.org\/issn\/1615-5262","issn-type":"electronic"},{"key":"ref32:Doerner18","doi-asserted-by":"publisher","first-page":"980","DOI":"10.1109\/SP.2018.00036","article-title":"Secure Two-party Threshold ECDSA from ECDSA Assumptions","author":"Jack Doerner","year":"2018"},{"key":"ref33:KOS","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"724","DOI":"10.1007\/978-3-662-47989-6_35","article-title":"Actively Secure OT Extension with Optimal Overhead","volume":"9215","author":"Marcel Keller","year":"2015"},{"key":"ref34:SoftSpoken","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"657","DOI":"10.1007\/978-3-031-15802-5_23","article-title":"SoftSpokenOT: Quieter OT Extension from Small-Field\n  Silent VOLE in the Minicrypt Model","volume":"13507","author":"Lawrence Roy","year":"2022"},{"key":"ref35:Paillier","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"223","DOI":"10.1007\/3-540-48910-X_16","article-title":"Public-Key Cryptosystems Based on Composite Degree\n  Residuosity Classes","volume":"1592","author":"Pascal 
Paillier","year":"1999"},{"key":"ref36:CLencr","isbn-type":"print","doi-asserted-by":"publisher","first-page":"487","DOI":"10.1007\/978-3-319-16715-2_26","article-title":"Linearly Homomorphic Encryption from DDH","author":"Guilhem Castagnos","year":"2015","ISBN":"https:\/\/id.crossref.org\/isbn\/9783319167152"},{"key":"ref37:Joye-Libert","doi-asserted-by":"publisher","first-page":"519","DOI":"10.1007\/s00145-016-9229-5","article-title":"Efficient Cryptosystems From $2^k$-th Power Residue\n  Symbols","volume":"30","author":"Fabrice Benhamouda","year":"2016","journal-title":"Journal of Cryptology","ISSN":"https:\/\/id.crossref.org\/issn\/1432-1378","issn-type":"electronic"},{"key":"ref38:Castagnos19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"191","DOI":"10.1007\/978-3-030-26954-8_7","article-title":"Two-Party ECDSA from Hash Proof Systems and Efficient\n  Instantiations","volume":"11694","author":"Guilhem Castagnos","year":"2019"},{"key":"ref39:DKLS19","doi-asserted-by":"publisher","first-page":"1051","DOI":"10.1109\/SP.2019.00024","article-title":"Threshold ECDSA from ECDSA Assumptions: The Multiparty\n  Case","author":"J. 
Doerner","year":"2019"},{"key":"ref40:CMP20","doi-asserted-by":"publisher","first-page":"1769","DOI":"10.1145\/3372297.3423367","article-title":"UC Non-Interactive, Proactive, Threshold ECDSA with\n  Identifiable Aborts","author":"Ran Canetti","year":"2020"},{"key":"ref41:lindellJournal","doi-asserted-by":"publisher","first-page":"44","DOI":"10.1007\/s00145-021-09409-9","article-title":"Fast Secure Two-Party ECDSA Signing","volume":"34","author":"Yehuda Lindell","year":"2021","journal-title":"Journal of Cryptology"},{"key":"ref42:FiatShamir","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"186","DOI":"10.1007\/3-540-47721-7_12","article-title":"How to Prove Yourself: Practical Solutions to\n  Identification and Signature Problems","volume":"263","author":"Amos Fiat","year":"1987"},{"key":"ref43:Pass","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"316","DOI":"10.1007\/978-3-540-45146-4_19","article-title":"On Deniability in the Common Reference String and Random\n  Oracle Model","volume":"2729","author":"Rafael Pass","year":"2003"},{"key":"ref44:Fischlin","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"152","DOI":"10.1007\/11535218_10","article-title":"Communication-Efficient Non-interactive Proofs of Knowledge\n  with Online Extractors","volume":"3621","author":"Marc Fischlin","year":"2005"},{"key":"ref45:ChenTransform","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"381","DOI":"10.1007\/978-3-031-91820-9_13","article-title":"Universally Composable Non-interactive Zero-Knowledge from\n  Sigma Protocols via a New Straight-Line Compiler","volume":"15674","author":"Megan Chen","year":"2025"},{"key":"ref46:Schnorr","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"239","DOI":"10.1007\/0-387-34805-0_22","article-title":"Efficient 
Identification and Signatures for Smart Cards","volume":"435","author":"Claus-Peter Schnorr","year":"1990"},{"key":"ref47:GRO_NIZK","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"203","DOI":"10.1007\/978-3-031-22318-1_8","article-title":"Universally Composable $\\varSigma$-protocols in the\n  Global Random-Oracle Model","volume":"13747","author":"Anna Lysyanskaya","year":"2022"},{"key":"ref48:rom","doi-asserted-by":"publisher","first-page":"62","DOI":"10.1145\/168588.168596","article-title":"Random Oracles are Practical: A Paradigm for Designing\n  Efficient Protocols","author":"Mihir Bellare","year":"1993"},{"key":"ref49:GRO","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"280","DOI":"10.1007\/978-3-319-78381-9_11","article-title":"The Wonderful World of Global Random Oracles","volume":"10820","author":"Jan Camenisch","year":"2018"},{"key":"ref50:ThreeRoundDSA","doi-asserted-by":"publisher","first-page":"3053","DOI":"10.1109\/SP54263.2024.00178","article-title":"Threshold ECDSA in Three Rounds","author":"Jack Doerner","year":"2024"},{"key":"ref51:ShareTheMayo","doi-asserted-by":"publisher","first-page":"165","DOI":"10.1007\/978-3-031-86599-2_6","article-title":"Share the MAYO: Thresholdizing MAYO","author":"Sof\u00eda Celi","year":"2025"},{"key":"ref52:trilithium","volume-title":"Trilithium: Efficient and Universally Composable Distributed\n  ML-DSA Signing","author":"Anton\u00edn Dufka","year":"2025"},{"key":"ref53:FischlinOptim","doi-asserted-by":"publisher","DOI":"10.62056\/a66chey6b","article-title":"Optimizing and Implementing Fischlin's Transform for\n  UC-Secure Zero Knowledge","volume":"1","author":"Yi-Hsiu Chen","year":"2024","journal-title":"IACR Communications in 
Cryptology","ISSN":"https:\/\/id.crossref.org\/issn\/3006-5496","issn-type":"electronic"},{"key":"ref54:LN18","doi-asserted-by":"publisher","first-page":"1837","DOI":"10.1145\/3243734.3243788","article-title":"Fast Secure Multiparty ECDSA with Practical Distributed\n  Key Generation and Applications to Cryptocurrency Custody","author":"Yehuda Lindell","year":"2018"},{"key":"ref55:Castagnos20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"266","DOI":"10.1007\/978-3-030-45388-6_10","article-title":"Bandwidth-Efficient Threshold EC-DSA","volume":"12111","author":"Guilhem Castagnos","year":"2020"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:02:22Z","timestamp":1778040142000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/3\/1\/13"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,4]]},"references-count":55,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,5,4]]}},"URL":"https:\/\/doi.org\/10.62056\/a3c3wa0kr","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,4]]},"assertion":[{"value":"2026-02-02","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-04-09","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc3-1-22"}}