On the Security of Distributed Multiprime RSA

  • Ivan Damgård
  • Gert Læssøe Mikkelsen
  • Tue Skeltved
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8949)


Threshold RSA encryption and signing is a very useful tool for increasing the security of the secret keys used. Key generation, however, is either done in a non-threshold way or relies on computationally inefficient protocols. This is not a big problem in a setup where one organization has a few high-profile keys to secure; however, it does not scale well to systems with a lot of secret keys, like eID schemes where there exists one key pair per user, especially not if we want the users' personal devices, like smartphones, to participate in the threshold setup. In this paper we present novel approaches to distributed RSA key generation which are efficient enough to let smartphones participate. This is done by generating keys consisting of more than two primes instead of generating standard RSA keys.

We present a 2-party protocol based on the ideas of [BH98] which produces a 3-prime modulus. We demonstrate that the protocol is efficient enough to be used in practical scenarios, even from a mobile device, which has not been demonstrated before. Then we show the first 2-party distributed multiprime RSA key generation protocol that is as efficient as standard centralized key generation, even if security against malicious adversaries is desired. Further, we show that RSA keys based on moduli with more than two prime factors, where part of the factorization is leaked to the adversary, are useful in practice by showing that commonly used schemes such as PSS-RSA and OAEP-RSA are secure even if the adversary knows a partial factorization of the multiprime moduli. From the perspective of all other parties, the generated keys cannot be distinguished from standard RSA keys, which is very important as this makes these protocols compatible with existing infrastructure and standards.
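The compatibility claim above can be seen in a small added example (not code from the paper, and not the paper's key generation protocol): a 3-prime modulus is signed with by two parties holding shares of the private exponent, and the verifier runs ordinary RSA verification on (N, e) alone. Assumptions made here: the key is generated centrally from fixed toy primes, the exponent is shared additively modulo φ(N), and a bare SHA-256 hash stands in for a real padding scheme such as PSS.

```python
import hashlib
import secrets

# Constructed toy primes (Mersenne primes: far too small and structured for real keys).
P, Q, R = (1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1
E = 65537
N = P * Q * R
PHI = (P - 1) * (Q - 1) * (R - 1)


def keygen():
    """Return the public key (N, e) and private exponent d of the 3-prime key."""
    return (N, E), pow(E, -1, PHI)


def split_exponent(d):
    """Assumed sharing: d1 + d2 = d (mod phi(N)), one share per party."""
    d1 = secrets.randbelow(PHI)
    return d1, (d - d1) % PHI


def encode(msg, n):
    """Toy message encoding: SHA-256 reduced mod n (placeholder for real padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def threshold_sign(msg, d1, d2):
    """Each party exponentiates with its own share; the product is the signature."""
    s1 = pow(encode(msg, N), d1, N)  # computed by party 1
    s2 = pow(encode(msg, N), d2, N)  # computed by party 2
    return s1 * s2 % N


def sign_crt(msg, d):
    """Centralized signing with a three-prime CRT, for comparison."""
    h, sig = encode(msg, N), 0
    for p in (P, Q, R):
        m = N // p  # product of the other two primes
        sig += pow(h, d % (p - 1), p) * m * pow(m, -1, p)
    return sig % N


def verify(msg, sig, pub):
    """Standard RSA verification: only (N, e) is used, not the number of primes."""
    n, e = pub
    return pow(sig, e, n) == encode(msg, n)
```

The verifier never learns how many prime factors N has or that the signature was produced from two shares, which is the sense in which such keys fit existing infrastructure.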


Keywords (added by machine, not by the authors): Random Oracle, Chinese Remainder Theorem, Partial Domain, Additive Share, Padding Scheme


  1. [ACS02]
    Algesheimer, J., Camenisch, J.L., Shoup, V.: Efficient computation modulo a shared secret with application to the generation of shared safe-prime products. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 417–432. Springer, Heidelberg (2002)
  2. [BF97]
    Boneh, D., Franklin, M.K.: Efficient generation of shared RSA keys. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 425–439. Springer, Heidelberg (1997)
  3. [BF01]
    Boneh, D., Franklin, M.K.: Efficient generation of shared RSA keys. J. ACM 48(4), 702–722 (2001)
  4. [BH98]
    Boneh, D., Horwitz, J.: Generating a product of three primes with an unknown factorization. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 237–251. Springer, Heidelberg (1998)
  5. [Ble98]
    Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 1. Springer, Heidelberg (1998)
  6. [BR94]
    Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)
  7. [BR96]
    Bellare, M., Rogaway, P.: The exact security of digital signatures - how to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)
  8. [DK01]
    Damgård, I.B., Koprowski, M.: Practical threshold RSA signatures without a trusted dealer. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 152. Springer, Heidelberg (2001)
  9. [DM09]
    Damgård, I., Mikkelsen, G.L.: On the theory and practice of personal digital signatures. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 277–296. Springer, Heidelberg (2009)
  10. [DM10]
    Damgård, I., Mikkelsen, G.L.: Efficient, robust and constant-round distributed RSA key generation. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 183–200. Springer, Heidelberg (2010)
  11. [DMS14]
    Damgård, I., Mikkelsen, G.L., Skeltved, T.: On the security of distributed multiprime RSA. IACR ePrint Archive (2014)
  12. [FMY98]
    Frankel, Y., MacKenzie, P.D., Yung, M.: Robust efficient distributed RSA-key generation. In: Vitter, J.S. (ed.) STOC, pp. 663–672. ACM (1998)
  13. [FOPS04]
    Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. J. Cryptol. 17(2), 81–104 (2004)
  14. [Gil99]
    Gilboa, N.: Two party RSA key generation. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 116. Springer, Heidelberg (1999)
  15. [Gir91]
    Girault, M.: Self-certified public keys. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 490–497. Springer, Heidelberg (1991)
  16. [GRJK07]
    Gennaro, R., Rabin, T., Jarecki, S., Krawczyk, H.: Robust and efficient sharing of RSA functions. J. Cryptol. 20(3), 393 (2007)
  17. [HMRT12]
    Hazay, C., Mikkelsen, G.L., Rabin, T., Toft, T.: Efficient RSA key generation and threshold Paillier in the two-party setting. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 313–331. Springer, Heidelberg (2012)
  18. [Pai99]
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 223. Springer, Heidelberg (1999)
  19. [RSA02]
    RSA Laboratories: PKCS #1 v2.1: RSA cryptography standard. Technical report (2002)
  20. [Sch91]
    Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
  21. [Sho02]
    Shoup, V.: OAEP reconsidered. J. Cryptol. 15(4), 223–249 (2002)

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Ivan Damgård (1)
  • Gert Læssøe Mikkelsen (2)
  • Tue Skeltved (3)
  1. Department of Computer Science, Aarhus University, Aarhus, Denmark
  2. The Alexandra Institute, Aarhus, Denmark
  3. Signaturgruppen A/S, Aarhus, Denmark
