Results 1 - 8 of 8
Efficient generation of shared RSA keys
Advances in Cryptology - CRYPTO 97, 1997
Cited by 132 (5 self)
We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest but curious settings (passive adversary).
Mix and Match: Secure Function Evaluation via Ciphertexts (Extended Abstract)
In Proceedings of Asiacrypt '00, 2000
Cited by 87 (5 self)
We introduce a novel approach to general secure multiparty computation that avoids the intensive use of verifiable secret sharing characterizing nearly all previous protocols in the literature. Instead, our scheme involves manipulation of ciphertexts for which the underlying private key is shared by participants in the computation. The benefits of this protocol include a high degree of conceptual and structural simplicity, low message complexity, and substantial flexibility with respect to input and output value formats. We refer to this new approach as mix and match. While the atomic operations in mix and match are logical operations, rather than full field operations as in previous approaches, the techniques we introduce are nonetheless highly practical for computations involving intensive bitwise manipulation. One application for which mix and match is particularly well suited is that of sealed-bid auctions. Thus, as another contribution in this paper, we present a practical, mix-and-match-based auction protocol that is fully private and non-interactive and may be readily adapted to a wide range of auction strategies.
Efficient Computation Modulo a Shared Secret with Application to the Generation of Shared Safe-Prime Products
2002
Cited by 58 (0 self)
We present a new protocol for efficient distributed computation modulo a shared secret. We further present a protocol to distributively generate a random shared prime or safe prime that is much more efficient than previously known methods. This allows to distributively compute shared RSA keys, where the modulus is the product of two safe primes, much more efficiently than was previously known.
On Securely Scheduling A Meeting
In Proc. of IFIP SEC, 2001
Cited by 16 (0 self)
When people want to schedule a meeting, their agendas must be compared to find a time suitable for all participants. At the same time, people want to keep their agendas private. This paper presents several approaches which intend to solve this contradiction. A custom-made protocol for secure meeting scheduling and a protocol based on secure distributed computing are discussed. The security properties and complexity of these protocols are compared. A tradeoff between trust and bandwidth requirements is shown to be possible by implementing the protocols using mobile agents. Keywords: mobile agents, secure distributed computation, meeting scheduling
On Symmetrically Private Information Retrieval
2000
Cited by 15 (0 self)
In today's age of information it is very important that, information about the information which you are seeking should not be leaked even to the server who is going to provide you the desired information. On the other hand, considering information as commodity, it is age old wisdom that one should get only as much as he pays. In this paper we essentially consider this problem and provide suitable solutions. Under a new number theoretic assumption, XOR Assumption, we give single-round symmetrically private information retrieval (SPIR) scheme for bit retrieval with communication complexity O(n...
On the Practical Feasibility of Secure Distributed Computing: a Case Study
2000
Cited by 6 (4 self)
Secure Distributed Computing addresses the problem of performing a computation with a number of mutually distrustful participants, in such a way that each of the participants has only limited access to the information needed for doing the computation. Over the past decade, a number of solutions for this problem have been developed. The various proposed solutions differ in the cryptographic primitives that are used, and in the class of computations that can be performed. However, all sufficiently general solutions have one thing in common: the communication overhead between the involved parties seems to be prohibitive. In this paper, we consider a concrete instance (with considerable practical interest) of the general problem of secure distributed computing, and we investigate how bad the communication overhead really is. This involves tailoring the different general solutions to the specific problem at hand, optimizing them for minimal communication overhead, and evaluating the resulting ...
Threshold cryptosystems based on factoring
In Asiacrypt 2002, 2002
Cited by 4 (0 self)
Work done while at Columbia University and Telcordia Technologies.
We consider threshold cryptosystems over a composite modulus N where the factors of N are shared among the participants as the secret key. This is a new paradigm for threshold cryptosystems based on a composite modulus, differing from the typical treatment of RSA-based systems where a “decryption exponent” is shared among the participants. Our approach yields solutions to some open problems in threshold cryptography; in particular, we obtain the following:
1. Threshold Homomorphic Encryption. A number of applications (e.g., electronic voting or efficient multiparty computation) require threshold homomorphic encryption schemes. We present a protocol for threshold decryption of the homomorphic Goldwasser-Micali encryption scheme [34], answering an open question of [21].
2. Threshold Cryptosystems as Secure as Factoring. We describe a threshold version of a variant of the signature standards ISO 9796-2 and PKCS#1 v1.5 (cf. [39, Section 11.3.4]), thus giving the first threshold signature scheme whose security (in the random oracle model) is equivalent to the hardness of factoring [12]. Our techniques may be adapted to distribute the Rabin encryption scheme [44] whose semantic security may be reduced to the hardness of factoring.
3. Efficient Threshold Schemes without a Trusted Dealer. Because our schemes only require sharing of N – which furthermore need not be a product of strong primes – our schemes are very efficient (compared to previous schemes) when a trusted dealer is not assumed and key generation is done in a distributed manner. Extensions to achieve robustness and proactivation are also possible with our schemes.
Second Price Auctions - A Case Study of Secure Distributed Computing
2001
Cited by 1 (0 self)
Secure distributed computing addresses the problem of performing a computation with a number of mutually distrustful participants, in such a way that each of the participants has only limited access to the information needed for doing the computation. Over the past two decades, a number of solutions requiring no trusted third party have been developed using cryptographic techniques. The disadvantage of these cryptographic solutions is the excessive communication overhead they incur. In this paper, we use one of the SDC protocols for one particular application: second price auctions, in which the highest bidder acquires the item for sale at the price of the second highest bidder. The protocol assures that only the name of the highest bidder and the amount of the second highest bid are revealed. All other information is kept secret (the amount of the highest bid, the name of the second highest bidder, ...). Although second price auctions may not seem very important, small variations on this theme are used by many public institutions: e.g., a call for tenders, where contract is given to the lowest offer (or the second lowest). The case study serves two purposes: we show that SDC protocols can be used for these kind of applications, and secondly, we assess the network overhead and how well these applications scale. To overcome the communication overhead, we use mobile agents and semi-trusted hosts. Keywords: Secure distributed computing, SDC, mobile agents, second price auction, agents, semi-trusted execution platform