Date: 12 May 2000

Computing Inverses over a Shared Secret Modulus


We discuss the following problem: Given an integer φ shared secretly among n players and a prime number e, how can the players efficiently compute a sharing of e −1 mod φ. The most interesting case is when φ is the Euler function of a known RSA modulus N, φ = φ(N). The problem has several applications, among which the construction of threshold variants for two recent signature schemes proposed by Gennaro-Halevi-Rabin and Cramer-Shoup.

We present new and efficient protocols to solve this problem, improving over previous solutions by Boneh-Franklin and Frankel et al. Our basic protocol (secure against honest but curious players) requires only two rounds of communication and a single GCD computation. The robust protocol (secure against malicious players) adds only a couple of rounds and a few modular exponentiations to the computation.

Extended Abstract. A more complete version is available from The first author’s research was carried out while visiting the Computer Science Department of Columbia University.