Fast Distributed RSA Key Generation for Semi-honest and Malicious Adversaries

  • Tore Kasper Frederiksen
  • Yehuda LindellEmail author
  • Valery Osheter
  • Benny Pinkas
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10992)


We present two new, highly efficient, protocols for securely generating a distributed RSA key pair in the two-party setting. One protocol is semi-honestly secure and the other maliciously secure. Both are constant round and do not rely on any specific number-theoretic assumptions and improve significantly over the state-of-the-art by allowing a slight leakage (which we show to not affect security).

For our maliciously secure protocol our most significant improvement comes from executing most of the protocol in a “strong” semi-honest manner and then doing a single, light, zero-knowledge argument of correct execution. We introduce other significant improvements as well. One such improvement arrives in showing that certain, limited leakage does not compromise security, which allows us to use lightweight subprotocols. Another improvement, which may be of independent interest, comes in our approach for multiplying two large integers using OT, in the malicious setting, without being susceptible to a selective-failure attack.

Finally, we implement our malicious protocol and show that its performance is an order of magnitude better than the best previous protocol, which provided only semi-honest security.


  1. [ACS02]
    Algesheimer, J., Camenisch, J., Shoup, V.: Efficient computation modulo a shared secret with application to the generation of shared safe-prime products. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 417–432. Springer, Heidelberg (2002). Scholar
  2. [BF01]
    Boneh, D., Franklin, M.K.: Efficient generation of shared RSA keys. J. ACM 48(4), 702–722 (2001)MathSciNetCrossRefGoogle Scholar
  3. [BHKR13]
    Bellare, M., Hoang, V.T., Keelveedhi, S., Rogaway, P.: Efficient garbling from a fixed-key blockcipher. In: IEEE Symposium on Security and Privacy, pp. 478–492. IEEE Computer Society (2013)Google Scholar
  4. [CDN01]
    Cramer, R., Damgård, I., Nielsen, J.B.: Multiparty computation from threshold homomorphic encryption. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 280–300. Springer, Heidelberg (2001). Scholar
  5. [DM10]
    Damgård, I., Mikkelsen, G.L.: Efficient, robust and constant-round distributed RSA key generation. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 183–200. Springer, Heidelberg (2010). Scholar
  6. [FMY98]
    Frankel, Y., MacKenzie, P.D., Yung, M.: Robust efficient distributed RSA-key generation. In: STOC, pp. 663–672 (1998)Google Scholar
  7. [Gav12]
    Gavin, G.: RSA modulus generation in the two-party case. IACR Cryptology ePrint Archive 2012:336 (2012)Google Scholar
  8. [Gil99]
    Gilboa, N.: Two party RSA key generation. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 116–129. Springer, Heidelberg (1999). Scholar
  9. [GMO16]
    Giacomelli, I., Madsen, J., Orlandi, C.: ZKBoo: faster zero-knowledge for boolean circuits. In: Holz, T., Savage, S. (eds.) USENIX Security Symposium, pp. 1069–1083. USENIX Association (2016)Google Scholar
  10. [HMRT12]
    Hazay, C., Mikkelsen, G.L., Rabin, T., Toft, T.: Efficient RSA key generation and threshold paillier in the two-party setting. In: CT-RSA, pp. 313–331 (2012)zbMATHGoogle Scholar
  11. [IPS09]
    Ishai, Y., Prabhakaran, M., Sahai, A.: Secure arithmetic computation with no honest majority. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 294–314. Springer, Heidelberg (2009). Scholar
  12. [JKO13]
    Jawurek, M., Kerschbaum, F., Orlandi, C.: Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM SIGSAC, pp. 955–966. ACM (2013)Google Scholar
  13. [KOS15]
    Keller, M., Orsini, E., Scholl, P.: Actively secure OT extension with optimal overhead. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 724–741. Springer, Heidelberg (2015). Scholar
  14. [KOS16]
    Keller, M., Orsini, E., Scholl, P.: MASCOT: faster malicious arithmetic secure computation with oblivious transfer. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM SIGSAC, pp. 830–842. ACM (2016)Google Scholar
  15. [KS06]
    Kiraz, M.S., Schoenmakers, B.: A protocol issue for the malicious case of Yao’s garbled circuit construction. In: Proceedings of 27th Symposium on Information Theory in the Benelux, pp. 283–290 (2006)Google Scholar
  16. [Lin16]
    Lindell, Y.: Fast cut-and-choose-based protocols for malicious and covert adversaries. J. Cryptology 29(2), 456–490 (2016)MathSciNetCrossRefGoogle Scholar
  17. [MF06]
    Mohassel, P., Franklin, M.: Efficiency tradeoffs for malicious two-party computation. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 458–473. Springer, Heidelberg (2006). Scholar
  18. [NP99]
    Naor, M., Pinkas, B.: Oblivious transfer and polynomial evaluation. In: Vitter, J.S., Larmore, L.L., Leighton, F.T. (eds.) STOC, pp. 245–254. ACM (1999)Google Scholar
  19. [OOS17]
    Orrù, M., Orsini, E., Scholl, P.: Actively secure 1-out-of-n OT extension with application to private set intersection. In: CT-RSA, pp. 381–396 (2017)CrossRefGoogle Scholar
  20. [PS98]
    Poupard, G., Stern, J.: Generation of shared RSA keys by two parties. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 11–24. Springer, Heidelberg (1998). Scholar
  21. [PVW08]
    Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). Scholar
  22. [RSA78]
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)MathSciNetCrossRefGoogle Scholar
  23. [Sch12]
    Schneider, T.: Engineering Secure Two-Party Computation Protocols: Design, Optimization, and Applications of Efficient Secure Function Evaluation. Springer, Heidelberg (2012). Scholar
  24. [Sho00]
    Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000). Scholar
  25. [SHS+15]
    Songhori, E.M., Hussain, S.U., Sadeghi, A.-R., Schneider, T., Koushanfar, F.: TinyGarble: highly compressed and scalable sequential garbled circuits. In: IEEE Symposium on Security and Privacy, pp. 411–428. IEEE Computer Society (2015)Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Tore Kasper Frederiksen
    • 1
  • Yehuda Lindell
    • 2
    • 3
    Email author
  • Valery Osheter
    • 3
  • Benny Pinkas
    • 2
  1. 1.Security LabAlexandra InstituteAarhusDenmark
  2. 2.Department of Computer ScienceBar-Ilan UniversityRamat GanIsrael
  3. 3.Unbound Tech Ltd.Petach TikvaIsrael

Personalised recommendations