International Conference on the Theory and Application of Cryptology and Information Security Fully Distributed Threshold RSA under Standard Assumptions
Conference paper First Online: 20 November 2001 DOI:
2248 of the book series
Lecture Notes in Computer Science (LNCS) Cite this paper as: Fouque PA., Stern J. (2001) Fully Distributed Threshold RSA under Standard Assumptions. In: Boyd C. (eds) Advances in Cryptology — ASIACRYPT 2001. ASIACRYPT 2001. Lecture Notes in Computer Science, vol 2248. Springer, Berlin, Heidelberg Abstract
The aim of this article is to propose a
fully distributed environment for the RSA scheme. What we have in mind is highly sensitive applications and even if we are ready to pay a price in terms of efficiency, we do not want any compromise of the security assumptions that we make. Recently Shoup proposed a practical RSA threshold signature scheme that allows to share the ability to sign between a set of players. This scheme can be used for decryption as well. However, Shoup’s protocol assumes a trusted dealer to generate and distribute the keys. This comes from the fact that the scheme needs a special assumption on the RSA modulus and this kind of RSA moduli cannot be easily generated in an efficient way with many players. Of course, it is still possible to call theoretical results on multiparty computation, but we cannot hope to design efficient protocols. The only practical result to generate RSA moduli in a distributive manner is Boneh and Franklin’s protocol but it seems difficult to modify it in order to generate the kind of RSA moduli that Shoup’s protocol requires.
The present work takes a diffierent path by proposing a method to enhance the key generation with some additional properties and revisits Shoup’s protocol to work with the resulting RSA moduli. Both of these enhancements decrease the performance of the basic protocols. However, we think that in the applications we target, these enhancements provide practical solutions. Indeed, the key generation protocol is usually run only once and the number of players used to sign or decrypt is not very large. Moreover, these players have time to perform their task so that the communication or time complexity are not overly important.
Keywords Threshold RSA key generation and signature Download to read the full conference paper text References
O. Baudron, P.A. Fouque, D. Pointcheval, G. Poupard, and J. Stern. Practical Multi-Candidate Election System. In
PODC’ 01. ACM, 2001.
M. Ben-Or, S. Goldwasser, and A. Widgerson. Completeness theorems for noncryptographic fault-tolerant distributed computing. In
Proceedings of the 20th STOC, ACM, pages 1–10, 1988.
S. Blackburn, S. Blake-Wilson, S. Galbraith, and M. Burmester. Shared Generation of Shared RSA Keys. Technical report, University of Waterloo, Canada, February 1998. CORR-98-19.
D. Boneh and M. Franklin. Efficient Generation of Shared RSA keys. In
, LNCS 1233, pages 425–439. Springer-Verlag, 1997.
D. Boneh, M. Malkin, and T. Wu. Experimenting with Shared Generation of RSA keys. In
Internet Society’s 1999 Symposium on Network and Distributed System Security (SNDSS), pages 43–56, 1999.
R. Canetti, R. Gennaro, A. Herzberg, and D. Naor. Proactive Security: Long-term Protection Against Break-ins.
CryptoBytes, 3(1), Spring 1997.
R. Canetti and S. Goldwasser. An Efficient Threshold Public Key Cryptosystem Secure Against Adaptive Chosen Ciphertext Attack. In
, LNCS 1592, pages 90–106. Springer-Verlag, 1999.
D. Catalano, R. Gennaro, and S. Halevi. Computing Inverses over a Shared Secret Modulus. In
, LNCS 1807, pages 190–207. Springer-Verlag, 2000.
C. Cocks. Split Knowledge Generation of RSA Parameters. In
Cryptography and Coding: 6th IMA Conference
, LNCS 1355, pages 89–95. Springer-Verlag, 1997.
C. Cocks. Split Generation of RSA Parameters with Multiple Participants. Technical report, CESG, 1998. Available at
I. Damgård and M. Jurik. A Generalisation, a Simplification and Some Applications of Paillier’s Probabilistic Public-Key System. In
, LNCS 1992, pages 119–136. Springer-Verlag, 2001.
I. Damgård and M. Koprowski. Practical Threshold RSA Signatures Without a Trusted Dealer. In
, LNCS 2045, pages 152–165. Springer-Verlag, 2001.
Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signature. In
, LNCS 576, pages 457–469. Springer-Verlag, 1991.
P. A. Fouque, G. Poupard, and J. Stern. Sharing Decryption in the Context of Voting or Lotteries. In
Financial Crypto’ 00
, LNCS. Springer-Verlag, 2000.
P. A. Fouque and J. Stern. One Round Threshold Discrete-Log Key Generation without Private Channels. In
, LNCS 1992. Springer-Verlag, 2001.
Y. Frankel, P. Gemmell, P. MacKenzie, and M. Yung. Optimal Resilience Proactive Public-Key Cryptosystems. In
FOCS’ 97, pages 384–393, 1997.
Y. Frankel, P. Gemmell, P. MacKenzie, and M. Yung. Proactive RSA. In
Crypto’ 97, pages 440–454, 1997.
Y. Frankel, P. MacKenzie, and M. Yung. Robust Efficient Distributed RSA Key Generation. In
STOC’ 98, pages 663–672, 1995.
R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust and Efficient Sharing of RSA Functions. In
, LNCS 1109, pages 157–172. Springer-Verlag, 1996.
R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust Threshold DSS Signatures. In
, LNCS 1070, pages 425–438. Springer-Verlag, 1996.
R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure Distributed Key Generation for Discrete-Log Based Cryptosystems. In
, LNCS 1592, pages 295–310. Springer-Verlag, 1999.
R. Gennaro, D. Micciancio, and T. Rabin. An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products. In
Proc. of the Fifth ACM Conference on Computer and Communications Security’ 98. ACM, 1998.
N. Gilboa. Two Party RSA Key Generation. In
, LNCS 1666. Springer-Verlag, 1999.
L. C. Guillou and J.-J. Quisquater. A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory. In
, LNCS 330, pages 123–128. Springer-Verlag, 1988.
B. King. Improved Methods to Perform Threshold RSA. In
, LNCS 1976, pages 359–372. Springer-Verlag, 2000.
S. Miyazaki, K. Sakurai, and M. Yung. On Threshold RSA-signing with no dealer. In
, LNCS 1787. Springer-Verlag, 1999.
T.P. Pedersen. A Threshold Cryptosystem without a Trusted Party. In
, LNCS 547, pages 522–526. Springer-Verlag, 1991.
C. Pomerance. On the distribution of pseudoprimes. In
Mathematics of Computation
, 37(156), pages 587–593, 1981.
MATH CrossRef MathSciNet Google Scholar
C. Pomerance. Two methods in elementary analytic number theory. pages 135–161. Kluwer Academic Publishers, 1989.
G. Poupard and J. Stern. Generation of Shared RSA Keys by Two Parties. In
, LNCS 1514, pages 11–24. Springer-Verlag, 1998.
G. Poupard and J. Stern. Short Proofs of Knowledge for Factoring. In
, LNCS 1751, pages 147–166. Springer-Verlag, 2000.
T. Rabin. A Simplified Approach to Threshold and Proactive RSA. In
, LNCS 1462, pages 89–104. Springer-Verlag, 1998.
R. Rivest. Finding Four Million Large Random Primes. In
, LNCS 537, pages 625–626. Springer-Verlag, 1991.
R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems.
Communications of the ACM
, 21(2):120–126, February 1978.
MATH CrossRef MathSciNet Google Scholar
A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to share a function securely. In
STOC’ 94, pages 522–533. ACM, 1994.
A. Shamir. How to Share a Secret.
Communications of the ACM, 22:612–613, November 1979.
V. Shoup. Practical Threshold Signatures. In
, LNCS 1807, pages 207–220. Springer-Verlag, 2000.
V. Shoup and R. Gennaro. Securing Threshold Cryptosystems against Chosen Ciphertext Attack. In
, LNCS 1403, pages 1–16. Springer-Verlag, 1998. cf. the extended version for the Journal of Cryptology, available at
CrossRef Google Scholar
R.D. Silverman. Fast Generation of Random, Strong RSA Primes. RSA Laboratories, May 1997.
© Springer-Verlag Berlin Heidelberg 2001