Fully Distributed Threshold RSA under Standard Assumptions

  • Pierre-Alain Fouque
  • Jacques Stern
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2248)


The aim of this article is to propose a fully distributed environment for the RSA scheme. What we have in mind is highly sensitive applications, and even if we are ready to pay a price in terms of efficiency, we do not want any compromise of the security assumptions that we make. Recently Shoup proposed a practical RSA threshold signature scheme that allows the ability to sign to be shared among a set of players. This scheme can be used for decryption as well. However, Shoup’s protocol assumes a trusted dealer to generate and distribute the keys. This comes from the fact that the scheme needs a special assumption on the RSA modulus, and this kind of RSA modulus cannot easily be generated in an efficient way with many players. Of course, it is still possible to invoke theoretical results on multiparty computation, but we cannot hope to design efficient protocols. The only practical result for generating RSA moduli in a distributed manner is Boneh and Franklin’s protocol, but it seems difficult to modify it in order to generate the kind of RSA moduli that Shoup’s protocol requires.

The present work takes a different path by proposing a method to enhance the key generation with some additional properties and revisits Shoup’s protocol to work with the resulting RSA moduli. Both of these enhancements decrease the performance of the basic protocols. However, we think that in the applications we target, these enhancements provide practical solutions. Indeed, the key generation protocol is usually run only once and the number of players used to sign or decrypt is not very large. Moreover, these players have time to perform their task, so that the communication or time complexity is not overly important.


Threshold RSA key generation and signature 


  1. O. Baudron, P.A. Fouque, D. Pointcheval, G. Poupard, and J. Stern. Practical Multi-Candidate Election System. In PODC’ 01. ACM, 2001.
  2. M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for noncryptographic fault-tolerant distributed computing. In Proceedings of the 20th STOC, ACM, pages 1–10, 1988.
  3. S. Blackburn, S. Blake-Wilson, S. Galbraith, and M. Burmester. Shared Generation of Shared RSA Keys. Technical report, University of Waterloo, Canada, February 1998. CORR-98-19.
  4. D. Boneh and M. Franklin. Efficient Generation of Shared RSA keys. In Crypto’ 97, LNCS 1233, pages 425–439. Springer-Verlag, 1997.
  5. D. Boneh, M. Malkin, and T. Wu. Experimenting with Shared Generation of RSA keys. In Internet Society’s 1999 Symposium on Network and Distributed System Security (SNDSS), pages 43–56, 1999.
  6. R. Canetti, R. Gennaro, A. Herzberg, and D. Naor. Proactive Security: Long-term Protection Against Break-ins. CryptoBytes, 3(1), Spring 1997.
  7. R. Canetti and S. Goldwasser. An Efficient Threshold Public Key Cryptosystem Secure Against Adaptive Chosen Ciphertext Attack. In Eurocrypt’ 99, LNCS 1592, pages 90–106. Springer-Verlag, 1999.
  8. D. Catalano, R. Gennaro, and S. Halevi. Computing Inverses over a Shared Secret Modulus. In Eurocrypt’ 00, LNCS 1807, pages 190–207. Springer-Verlag, 2000.
  9. C. Cocks. Split Knowledge Generation of RSA Parameters. In Cryptography and Coding: 6th IMA Conference, LNCS 1355, pages 89–95. Springer-Verlag, 1997.
  10. C. Cocks. Split Generation of RSA Parameters with Multiple Participants. Technical report, CESG, 1998. Available at
  11. I. Damgård and M. Jurik. A Generalisation, a Simplification and Some Applications of Paillier’s Probabilistic Public-Key System. In PKC’ 01, LNCS 1992, pages 119–136. Springer-Verlag, 2001.
  12. I. Damgård and M. Koprowski. Practical Threshold RSA Signatures Without a Trusted Dealer. In Eurocrypt’ 01, LNCS 2045, pages 152–165. Springer-Verlag, 2001.
  13. Y. Desmedt and Y. Frankel. Shared Generation of Authenticators and Signature. In Crypto’ 91, LNCS 576, pages 457–469. Springer-Verlag, 1991.
  14. P. A. Fouque, G. Poupard, and J. Stern. Sharing Decryption in the Context of Voting or Lotteries. In Financial Crypto’ 00, LNCS. Springer-Verlag, 2000.
  15. P. A. Fouque and J. Stern. One Round Threshold Discrete-Log Key Generation without Private Channels. In PKC’ 01, LNCS 1992. Springer-Verlag, 2001.
  16. Y. Frankel, P. Gemmell, P. MacKenzie, and M. Yung. Optimal Resilience Proactive Public-Key Cryptosystems. In FOCS’ 97, pages 384–393, 1997.
  17. Y. Frankel, P. Gemmell, P. MacKenzie, and M. Yung. Proactive RSA. In Crypto’ 97, pages 440–454, 1997.
  18. Y. Frankel, P. MacKenzie, and M. Yung. Robust Efficient Distributed RSA Key Generation. In STOC’ 98, pages 663–672, 1995.
  19. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust and Efficient Sharing of RSA Functions. In Crypto’ 96, LNCS 1109, pages 157–172. Springer-Verlag, 1996.
  20. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust Threshold DSS Signatures. In Eurocrypt’ 96, LNCS 1070, pages 425–438. Springer-Verlag, 1996.
  21. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure Distributed Key Generation for Discrete-Log Based Cryptosystems. In Eurocrypt’ 99, LNCS 1592, pages 295–310. Springer-Verlag, 1999.
  22. R. Gennaro, D. Micciancio, and T. Rabin. An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products. In Proc. of the Fifth ACM Conference on Computer and Communications Security’ 98. ACM, 1998.
  23. N. Gilboa. Two Party RSA Key Generation. In Crypto’ 99, LNCS 1666. Springer-Verlag, 1999.
  24. L. C. Guillou and J.-J. Quisquater. A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory. In Eurocrypt’ 88, LNCS 330, pages 123–128. Springer-Verlag, 1988.
  25. B. King. Improved Methods to Perform Threshold RSA. In Asiacrypt’ 00, LNCS 1976, pages 359–372. Springer-Verlag, 2000.
  26. S. Miyazaki, K. Sakurai, and M. Yung. On Threshold RSA-signing with no dealer. In ICICS’ 99, LNCS 1787. Springer-Verlag, 1999.
  27. T.P. Pedersen. A Threshold Cryptosystem without a Trusted Party. In Eurocrypt’ 91, LNCS 547, pages 522–526. Springer-Verlag, 1991.
  28. C. Pomerance. On the distribution of pseudoprimes. In Mathematics of Computation, 37(156), pages 587–593, 1981.
  29. C. Pomerance. Two methods in elementary analytic number theory. pages 135–161. Kluwer Academic Publishers, 1989.
  30. G. Poupard and J. Stern. Generation of Shared RSA Keys by Two Parties. In Asiacrypt’ 98, LNCS 1514, pages 11–24. Springer-Verlag, 1998.
  31. G. Poupard and J. Stern. Short Proofs of Knowledge for Factoring. In PKC’ 00, LNCS 1751, pages 147–166. Springer-Verlag, 2000.
  32. T. Rabin. A Simplified Approach to Threshold and Proactive RSA. In Crypto’ 98, LNCS 1462, pages 89–104. Springer-Verlag, 1998.
  33. R. Rivest. Finding Four Million Large Random Primes. In Crypto’ 90, LNCS 537, pages 625–626. Springer-Verlag, 1991.
  34. R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public Key Cryptosystems. Communications of the ACM, 21(2):120–126, February 1978.
  35. A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to share a function securely. In STOC’ 94, pages 522–533. ACM, 1994.
  36. A. Shamir. How to Share a Secret. Communications of the ACM, 22:612–613, November 1979.
  37. V. Shoup. Practical Threshold Signatures. In Eurocrypt’ 00, LNCS 1807, pages 207–220. Springer-Verlag, 2000.
  38. V. Shoup and R. Gennaro. Securing Threshold Cryptosystems against Chosen Ciphertext Attack. In Eurocrypt’ 98, LNCS 1403, pages 1–16. Springer-Verlag, 1998. cf. the extended version for the Journal of Cryptology, available at
  39. R.D. Silverman. Fast Generation of Random, Strong RSA Primes. RSA Laboratories, May 1997.

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Pierre-Alain Fouque (1)
  • Jacques Stern (1)

  1. Département d’Informatique, École Normale Supérieure, Paris Cedex 05, France
