We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest but curious settings (passive adversary).

The ITTC project (Intrusion Tolerance via Threshold Cryptography) provides tools and an infrastructure for building intrusion tolerant applications. Rather than prevent intrusions or detect them after the fact, the ITTC system ensures that the compromise of a few system components does not compromise sensitive security information. To do so we protect cryptographic keys by distributing them across a few servers. The keys are never reconstructed at a single location. Our designs are intended to simplify the integration of ITTC into existing applications. We give examples of embedding ITTC into the Apache web server and into a Certication Authority (CA). Performance measurements on both the modied web server and the modied CA show that the architecture works and performs well. 1 Introduction To combat intrusions into a networked system one often installs intrusion detection software to monitor system behavior. Whenever an \irregular" behavior is observed the software noties an admi...

Abstract not found

We describe an implementation of a distributed algorithm to generate a shared RSA key. At the end of the computation, an RSA modulus N = pq is publicly known. All servers involved in the computation are convinced that N is a product of two large primes, however none of them know the factorization of N . In addition, a public encryption exponentispublicly known and each server holds a share of the private exponent. Such a sharing of an RSA key has many applications and can be used to secure sensitive private keys. Previously, the only known method to generate a shared RSA key was through a trusted dealer. Our implementation demonstrates the e#ectiveness of shared RSA key generation, eliminating the need for a trusted dealer. 1 Introduction To protect an RSA private key, one may break it into a number of pieces #shares# and store each piece at a separate location. Sensitive private keys, such as Certi#cation Authority #CA# keys, can be protected in this way. Fortunately, for the RSA cr...

We describe protocols for three or more parties to jointly generate a composite N = pqr which is the product of three primes. After our protocols terminate N is publicly known, but neither party knows the factorization of N . Our protocols require the design of a new type of distributed primality test for testing that a given number is a product of three primes. We explain the cryptographic motivation and origin of this problem.