We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest but curious settings (passive adversary).

) Donald Beaver Harvard University Silvio Micali y MIT Phillip Rogaway y MIT Abstract In a network of n players, each player i having private input x i , we show how the players can collaboratively evaluate a function f(x 1 ; : : : ; xn ) in a way that does not compromise the privacy of the players' inputs, and yet requires only a constant number of rounds of interaction. The underlying model of computation is a complete network of private channels, with broadcast, and a majority of the players must behave honestly. Our solution assumes the existence of a one-way function. 1 Introduction Secure function evaluation. Assume we have n parties, 1; : : : ; n; each party i has a private input x i known only to him. The parties want to correctly evaluate a given function f on their inputs, that is to compute y = f(x 1 ; : : : ; xn ), while maintaining the privacy of their own inputs. That is, they do not want to reveal more than the value y implicitly reveals. Secure function evaluat...

Auctions are a fundamental electronic commerce technology. We describe a set of protocols for performing sealed-bid electronic auctions which preserve the privacy of the submitted bids using a form of secure distributedcomputation. Bids are never revealed to any party, even after the auction is completed. Both #rst-price and second-price #Vickrey# auctions are supported, and the computational costs of the methods are low enough to allow their use in many real-world auction situations. 1 Introduction Auctions are a fundamental technology for electronic commerce. They have been suggested as a technology for controlling allocation of bandwidth #5, 10# and are increasingly seen on the web. If we could have an ideal auction, what properties mightwe desire? Here are some desiderata #not a complete list# for an ideal auction: # Economic design ---wewant the auction to be designed on solid economic principles and for participants to have incentives to bid as they truly value the item --- t...

The recent surge in popularity of e-commerce prompted a lot of activity in the area of electronic payments. Solutions have been developed for cash, credit card and check-based electronic transactions. Much less attention has been paid to non-monetary commerce such as barter. In this paper we discuss the notion of "secure group barter" or multi-party fair exchange. We develop a classification of types of barter schemes and present new cryptographic protocols for multi-party exchange with fairness. These protocols assume the presence of a "semi-trusted neutral party". 1 Introduction This paper is concerned with the barter of digital goods among groups of participants in the electronic world. The kind of barter we envision is an instantaneous, one-time, discrete trade arrangement by an ad hoc group of participants. A crucial issue for this kind of barter situation is "fairness". This is a kind of atomicity property for the exchange, whereby no participant gives anything away unless she g...

Abstract not found

We describe efficient techniques for three (or more) parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N . In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication.

We present new protocols for two parties to exchange documents with fairness, i.e., such that no party can gain an advantage by quitting prematurely or otherwise misbehaving. We use a third party that is "semi-trusted", in the sense that it may misbehave on its own but will not conspire with either of the main parties. In our solutions, disruption by any one of the three parties will not allow the disrupter gain any useful new information about the documents. Our solutions are efficient and can be based on any of several cryptographic assumptions (e.g., factoring, discrete log, graph isomorphism). We also discuss the application of our techniques to electronic commerce protocols to achieve fair payment. 1 Introduction A fair exchange protocol is a protocol by which two parties swap secrets without allowing either party to gain an advantage by quitting prematurely or otherwise misbehaving. Though already a well-studied problem, fair exchange has recently experienced a resurgence of act...