A simplified approach to threshold and proactive RSA

  • Tal Rabin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1462)


We present a solution to both the robust threshold RSA and proactive RSA problems. Our solutions are conceptually simple and allow for an easy design of the system. The signing key, in our solution, is shared at all times in additive form, which allows for simple signing and for a particularly efficient and straightforward refreshing process for proactivization. The key size is (up to a very small constant) the size of the RSA modulus, and the protocol runs in constant time, even when faults occur, unlike previous protocols where either the size of the key has a linear blow-up (at best) in the number of players or the run time of the protocol is linear in the number of faults. The protocol is optimal in its resilience as it can tolerate a minority of faulty players. Furthermore, unlike previous solutions, the existence and availability of the key throughout the lifetime of the system is guaranteed without probability of error.

These results are derived from a new general technique for transforming distributed computations for which there is a known n-out-n solution into threshold and robust computations.
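The additive sharing the abstract describes, as an added illustration that is not code from the paper: the private exponent d is split into n integer shares, each player raises the message to its own share, the product of the partial signatures is the ordinary RSA signature, and a zero-sum refresh changes every share while preserving d. The robustness and t-out-of-n machinery that the paper adds on top of this n-out-of-n core is omitted; the toy key and integer (rather than mod phi(N)) sharing are assumptions made here, and Python 3.8+ is needed for pow(x, -1, m).

```python
import random

# Constructed toy RSA key (NOT secure: tiny primes, illustration only).
P, Q = 1000003, 1000033
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # private exponent; Python 3.8+ modular inverse

def deal_additive_shares(d, n_players, bound):
    """Dealer splits d into n integer shares with d_1 + ... + d_n == d (exactly).
    Shares are random in [0, bound); the last one absorbs the difference.
    Integer sharing is assumed here so players never need phi(N)."""
    shares = [random.randrange(bound) for _ in range(n_players - 1)]
    shares.append(d - sum(shares))
    return shares

def partial_sign(m, share, n):
    """Player's contribution m^share mod n; a negative share uses a modular inverse."""
    if share >= 0:
        return pow(m, share, n)
    return pow(pow(m, -share, n), -1, n)

def combine(partials, n):
    """Product of all partial signatures = m^(d_1 + ... + d_n) = m^d mod n."""
    sig = 1
    for s in partials:
        sig = sig * s % n
    return sig

def refresh(shares, bound):
    """Proactive refresh: each player i hands out a row of random offsets that sums
    to zero, so every share changes but the sum of shares (hence d) does not."""
    n_players = len(shares)
    new = list(shares)
    for i in range(n_players):
        offsets = [random.randrange(-bound, bound) for _ in range(n_players - 1)]
        offsets.insert(i, -sum(offsets))  # player i's own offset closes the row to zero
        for j in range(n_players):
            new[j] += offsets[j]
    return new

def threshold_sign(m, shares):
    """Full n-out-of-n signature: every player must contribute (no robustness here)."""
    return combine([partial_sign(m, s, N) for s in shares], N)

def verify(m, sig):
    """Ordinary RSA verification: the combined signature is just m^d mod N."""
    return pow(sig, E, N) == m
```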


Keywords: RSA, threshold signatures, proactive signatures, threshold and proactive RSA



Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Tal Rabin, IBM T.J. Watson Research Center, Yorktown Heights
