International Conference on the Theory and Application of Cryptology and Information Security

ASIACRYPT 2001: Advances in Cryptology — ASIACRYPT 2001 pp 310-330

Fully Distributed Threshold RSA under Standard Assumptions

  • Pierre-Alain Fouque
  • Jacques Stern
Conference paper

DOI: 10.1007/3-540-45682-1_19

Volume 2248 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Fouque PA., Stern J. (2001) Fully Distributed Threshold RSA under Standard Assumptions. In: Boyd C. (eds) Advances in Cryptology — ASIACRYPT 2001. ASIACRYPT 2001. Lecture Notes in Computer Science, vol 2248. Springer, Berlin, Heidelberg


The aim of this article is to propose a fully distributed environment for the RSA scheme. What we have in mind is highly sensitive applications and even if we are ready to pay a price in terms of efficiency, we do not want any compromise of the security assumptions that we make. Recently Shoup proposed a practical RSA threshold signature scheme that allows to share the ability to sign between a set of players. This scheme can be used for decryption as well. However, Shoup’s protocol assumes a trusted dealer to generate and distribute the keys. This comes from the fact that the scheme needs a special assumption on the RSA modulus and this kind of RSA moduli cannot be easily generated in an efficient way with many players. Of course, it is still possible to call theoretical results on multiparty computation, but we cannot hope to design efficient protocols. The only practical result to generate RSA moduli in a distributive manner is Boneh and Franklin’s protocol but it seems difficult to modify it in order to generate the kind of RSA moduli that Shoup’s protocol requires.

The present work takes a diffierent path by proposing a method to enhance the key generation with some additional properties and revisits Shoup’s protocol to work with the resulting RSA moduli. Both of these enhancements decrease the performance of the basic protocols. However, we think that in the applications we target, these enhancements provide practical solutions. Indeed, the key generation protocol is usually run only once and the number of players used to sign or decrypt is not very large. Moreover, these players have time to perform their task so that the communication or time complexity are not overly important.


Threshold RSA key generation and signature
Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Pierre-Alain Fouque
    • 1
  • Jacques Stern
    • 1
  1. 1.Département d’InformatiqueÉcole Normale SupérieureParis Cedex 05France