Results 1 - 8 of 8
Efficient generation of shared RSA keys
Advances in Cryptology - CRYPTO 97, 1997
Cited by 124 (4 self)
We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest but curious settings (passive adversary).
Building Intrusion Tolerant Applications
In Proceedings of the 8th USENIX Security Symposium, 1999
Cited by 61 (0 self)
The ITTC project (Intrusion Tolerance via Threshold Cryptography) provides tools and an infrastructure for building intrusion tolerant applications. Rather than prevent intrusions or detect them after the fact, the ITTC system ensures that the compromise of a few system components does not compromise sensitive security information. To do so we protect cryptographic keys by distributing them across a few servers. The keys are never reconstructed at a single location. Our designs are intended to simplify the integration of ITTC into existing applications. We give examples of embedding ITTC into the Apache web server and into a Certification Authority (CA). Performance measurements on both the modified web server and the modified CA show that the architecture works and performs well. 1 Introduction To combat intrusions into a networked system one often installs intrusion detection software to monitor system behavior. Whenever an "irregular" behavior is observed the software notifies an admi...
Optimal Black-Box Secret Sharing over Arbitrary Abelian Groups
In Proc. of CRYPTO '02, LNCS 2442, 2002
Cited by 25 (7 self)
A black-box secret sharing scheme for the threshold access structure T_{t,n} is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field) in that distribution matrix and reconstruction vectors are defined over Z and are designed independently of the group G from which the secret and the shares are sampled. This means that perfect completeness and perfect privacy are guaranteed regardless of which group G is chosen. We define the black-box secret sharing problem as the problem of devising, for an arbitrary given T_{t,n}, a scheme with minimal expansion factor, i.e., where the length of the full vector of shares divided by the number of players n is minimal. Such schemes are relevant for instance in the context of distributed cryptosystems based on groups with secret or hard to compute group order. A recent example is secure general multiparty computation over black-box rings. In 1994 Desmedt and Frankel proposed an elegant approach to the black-box secret sharing problem based in part on polynomial interpolation over cyclotomic number fields. For arbitrary given T_{t,n} with 0 < t < n − 1, the expansion factor of their scheme is O(n). This is the best previous general approach to the problem. Using certain low degree integral extensions of Z over which there exist pairs of sufficiently large Vandermonde matrices with coprime determinants, we construct, for arbitrary given T_{t,n} with 0 < t < n − 1, a black-box secret sharing scheme with expansion factor O(log n), which we show is minimal.
Equitable key escrow with limited time span (or, How to enforce time expiration cryptographically)
ADVANCES IN CRYPTOLOGY, ASIACRYPT 98, LNCS 1514, 1998
Cited by 17 (5 self)
With equitable key escrow the control of society over the individual and the control of the individual over society are shared fairly. In particular, the control is limited to specified time periods. We consider two applications: time controlled key escrow and time controlled auctions with closed bids. In the first the individual cannot be targeted outside the period authorized by the court. In the second the individual cannot withhold his closed bid beyond the bidding period. We propose two protocols, one for each application. We do not require the use of tamperproof devices.
A comment on the efficiency of secret sharing scheme over any finite Abelian group
1998
Cited by 4 (1 self)
In this paper, we show an efficient (k, n) threshold secret sharing scheme over any finite Abelian group such that the size of share is q/2 (where q is a prime satisfying n q ! 2n), which is a half of that of Desmedt and Frankel's scheme. Consequently, we can obtain a threshold RSA signature scheme in which the size of shares of each signer is only a half. 1 Introduction Secret sharing schemes [1, 2] are a useful tool not only in the key management but also in multiparty protocols. Especially, threshold cryptosystems [3] which are very important, where the power to sign or decrypt messages is distributed to several agents. For example, in (k, n) threshold signature schemes, the power to sign messages is shared by n signers P_1, ..., P_n in such a way that any subset of k or more signers can collaborate to produce a valid signature on any given message, but no subset of fewer than k signers can forge a signature even after the system has produced many signatures fo...
Homomorphisms of Secret Sharing Schemes: A Tool for Verifiable Signature Sharing
Eurocrypt'96, pp. 96-106. Lecture Notes in Computer Science vol. 1070
Cited by 3 (0 self)
Franklin and Reiter introduced at Eurocrypt '95 verifiable signature sharing, a primitive for a fault tolerant distribution of signature verification. They proposed various practical protocols. For RSA signatures with exponent e  3 and n processors their protocol allows for up to (n  1)/5 faulty processors (in general (n  1)/(2 + e)).
On Ideal Non-Perfect Secret Sharing Schemes
1998
Cited by 3 (0 self)
This paper first extends the result of Blakley and Kabatianski [3] to general non-perfect SSS using information-theoretic arguments. Furthermore, we
General Secret Sharing Based on the Chinese Remainder Theorem
2006
Cited by 2 (1 self)
In this paper we extend the threshold secret sharing schemes based on the Chinese remainder theorem in order to deal with more general access structures. Aspects like