Results 1 
5 of
5
Experimenting with Shared Generation of RSA keys
, 1999
"... We describe an implementation of a distributed algorithm to generate a shared RSA key. At the end of the computation, an RSA modulus N = pq is publicly known. All servers involved in the computation are convinced that N is a product of two large primes, however none of them know the factorization of ..."
Abstract

Cited by 37 (0 self)
 Add to MetaCart
We describe an implementation of a distributed algorithm to generate a shared RSA key. At the end of the computation, an RSA modulus N = pq is publicly known. All servers involved in the computation are convinced that N is a product of two large primes, however none of them know the factorization of N . In addition, a public encryption exponentispublicly known and each server holds a share of the private exponent. Such a sharing of an RSA key has many applications and can be used to secure sensitive private keys. Previously, the only known method to generate a shared RSA key was through a trusted dealer. Our implementation demonstrates the e#ectiveness of shared RSA key generation, eliminating the need for a trusted dealer. 1 Introduction To protect an RSA private key, one may break it into a number of pieces #shares# and store each piece at a separate location. Sensitive private keys, such as Certi#cation Authority #CA# keys, can be protected in this way. Fortunately, for the RSA cr...
Fully distributed threshold RSA under standard assumptions
 ADVANCES IN CRYPTOLOGY — ASIACRYPT 2001, VOLUME ??? OF LNCS
, 2001
"... The aim of this article is to propose a fully distributed environment for the RSA scheme. What we have in mind is highly sensitive applications and even if we are ready to pay a price in terms of efficiency, we do not want any compromise of the security assumptions that we make. Recently Shoup propo ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
The aim of this article is to propose a fully distributed environment for the RSA scheme. What we have in mind is highly sensitive applications and even if we are ready to pay a price in terms of efficiency, we do not want any compromise of the security assumptions that we make. Recently Shoup proposed a practical RSA threshold signature scheme that allows to share the ability to sign between a set of players. This scheme can be used for decryption as well. However, Shoup’s protocol assumes a trusted dealer to generate and distribute the keys. This comes from the fact that the scheme needs a special assumption on the RSA modulus and this kind of RSA moduli cannot be easily generated in an efficient way with many players. Of course, it is still possible to call theoretical results on multiparty computation, but we cannot hope to design efficient protocols. The only practical result to generate RSA moduli in a distributive manner is Boneh and Franklin’s protocol but it seems difficult to modify it in order to generate the kind of RSA moduli that Shoup’s protocol requires. The present work takes a different path by proposing a method to enhance the key generation with some additional properties and revisits Shoup’s protocol to work with the resulting RSA moduli. Both of these enhancements decrease the performance of the basic protocols. However, we think that in the applications we target, these enhancements provide practical solutions. Indeed, the key generation protocol is usually run only once and the number of players used to sign or decrypt is not very large. Moreover, these players have time to perform their task so that the communication or time complexity are not overly important.
Generating RSA Keys on a Handheld Using an Untrusted Server
 In RSA 2000
, 2000
"... We show how to efficiently generate RSA keys on a low power handheld device with the help of an untrusted server. Most of the key generation work is offloaded onto the server. However, the server learns no information about the key it helped generate. We experiment with our techniques and show they ..."
Abstract

Cited by 21 (0 self)
 Add to MetaCart
We show how to efficiently generate RSA keys on a low power handheld device with the help of an untrusted server. Most of the key generation work is offloaded onto the server. However, the server learns no information about the key it helped generate. We experiment with our techniques and show they result in up to a factor of 5 improvement in key generation time. The resulting RSA key looks like an RSA key for paranoids. It can be used for encryption and key exchange, but cannot be used for signatures.
On using Carmichael numbers for public key encryption systems
, 1997
"... We show that the inadvertent use of a Carmichael number instead of a prime factor in the modulus of an RSA cryptosystem is likely to make the system fatally vulnerable, but that such numbers may be detected. ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
We show that the inadvertent use of a Carmichael number instead of a prime factor in the modulus of an RSA cryptosystem is likely to make the system fatally vulnerable, but that such numbers may be detected.
Secure Computations on Handheld Devices with the Help of an Untrusted Server
 SERVER. THE 7TH WORLD MULTICONFERENCE ON SYSTEMICS, CYBERNETICS AND INFORMATICS (SCI 2003
, 2003
"... Recently, handheld devices have become one of the most popular computing tools. Although handheld devices are able to perform anything that a PC can do, their lack of computing power makes it next to impossible to perform some heavy calculations. Hence it appears very useful to have a combination of ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Recently, handheld devices have become one of the most popular computing tools. Although handheld devices are able to perform anything that a PC can do, their lack of computing power makes it next to impossible to perform some heavy calculations. Hence it appears very useful to have a combination of a handheld with a PC, where the PC can perform heavy calculations to assist the handheld. However, we must be assured that the PC will not have learnt anything from the interaction. In this paper, we show two schemes which involve some serveraided computation where the server has not learnt anything from the interaction with the handheld device. The first scheme is to generate a strong prime number in a handheld, which can be used as a candidate for the RSA algorithm. The second scheme is to allow the server to behave as an authentication oracle on behalf of the handheld. The handheld will prepare a message that needs to be authenticated by sending it to the server in a blinded form, so that the server will not learn about the message. On the other hand, the handheld will not learn about the server's secret.