Efficient generation of shared RSA keys

We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol, an RSA modulus N = pq is publicly known, and none of the parties knows the factorization of N. In addition, a public encryption exponent is known, and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest-but-curious scenario (passive adversary).
