Results 1  10
of
26
Efficient generation of shared RSA keys
 Advances in Cryptology  CRYPTO 97
, 1997
"... We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the ..."
Abstract

Cited by 132 (5 self)
 Add to MetaCart
We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest but curious settings (passive adversary).
Robust Threshold DSS Signatures
, 1996
"... . We present threshold DSS (Digital Signature Standard) signatures where the power to sign is shared by n players such that for a given parameter t ! n=2 any subset of 2t + 1 signers can collaborate to produce a valid DSS signature on any given message, but no subset of t corrupted players can forg ..."
Abstract

Cited by 131 (12 self)
 Add to MetaCart
. We present threshold DSS (Digital Signature Standard) signatures where the power to sign is shared by n players such that for a given parameter t ! n=2 any subset of 2t + 1 signers can collaborate to produce a valid DSS signature on any given message, but no subset of t corrupted players can forge a signature (in particular, cannot learn the signature key). In addition, we present a robust threshold DSS scheme that can also tolerate n=3 players who refuse to participate in the signature protocol. We can also endure n=4 maliciously faulty players that generate incorrect partial signatures at the time of signature computation. This results in a highly secure and resilient DSS signature system applicable to the protection of the secret signature key, the prevention of forgery, and increased system availability. Our results significantly improve over a recent result by Langford from CRYPTO'95 that presents threshold DSS signatures which can stand much smaller subsets of corrupted player...
A Simplified Approach to Threshold and Proactive RSA
 In Proceedings of CRYPTO
"... We present a solution to both the robust threshold RSA and proactive RSA problems. Our solutions are conceptually simple, and allow for an easy design of the system. The signing key, in our solution, is shared at all times in additive form, which allows for simple signing and for a particularly ..."
Abstract

Cited by 84 (1 self)
 Add to MetaCart
We present a solution to both the robust threshold RSA and proactive RSA problems. Our solutions are conceptually simple, and allow for an easy design of the system. The signing key, in our solution, is shared at all times in additive form, which allows for simple signing and for a particularly efficient and straightforward refreshing process for proactivization. The key size is (up to a very small constant) the size of the RSA modulus, and the protocol runs in constant time, even when faults occur, unlike previous protocols where either the size of the key has a linear blowup (at best) in the number of players or the run time of the protocol is linear in the number of faults. The protocol is optimal in its resilience as it can tolerate a minority of faulty players.
Robust and Efficient Sharing of RSA Functions
, 1996
"... We present two efficient protocols which implement robust threshold RSA signature schemes, where the power to sign is shared by N players such that any subset of more then T signers can collaborate to produce a valid RSA signature on any given message, but no subset of fewer than T corrupted players ..."
Abstract

Cited by 83 (11 self)
 Add to MetaCart
We present two efficient protocols which implement robust threshold RSA signature schemes, where the power to sign is shared by N players such that any subset of more then T signers can collaborate to produce a valid RSA signature on any given message, but no subset of fewer than T corrupted players can forge a signature. Our protocols are robust in the sense that the correct signature is computed even if up to T players behave in arbitrarily malicious way during the signature protocol. This in particular includes the cases of players that refuse to participate or that generate incorrect partial signatures. Our protocols achieve fault tolerance T of N=2, which is optimal. Our protocols are also very efficient, as the computation performed by each player is comparable to the computation cost of a single RSA signature. Robust threshold signature schemes have very important applications, since they provide increased security and availability for a signing server (e.g. a certification auth...
Proactive RSA
, 1996
"... The notion of "proactive security" of basic primitives and cryptosystems that are distributed amongst various servers, was introduced in order to tolerate a very strong "mobile adversary." This adversary may corrupt all participants throughout the lifetime of the system in a non ..."
Abstract

Cited by 45 (0 self)
 Add to MetaCart
The notion of "proactive security" of basic primitives and cryptosystems that are distributed amongst various servers, was introduced in order to tolerate a very strong "mobile adversary." This adversary may corrupt all participants throughout the lifetime of the system in a nonmonotonic fashion (i.e. recoveries are possible) but the adversary is unable to corrupt too many participants during any short time period [OstrovskyYung]. The notion assures increased security and availability of the cryptographic primitive. We present a proactive RSA system in which a threshold of servers applies the RSA signature (or decryption) function in a distributed manner; RSA is perhaps the most important trapdoor function in use. Employing new combinatorial and elementary number theoretic techniques, our protocol enables the dynamic updating of the servers (which hold the RSA key distributively); it is secure even when a linear number of the servers are corrupted during any time period (linear redund...
Secure distributed storage and retrieval
, 2000
"... In his wellknown Information Dispersal Algorithm paper, Rabin showed a way to distribute information in n pieces among n servers in such a way that recovery of the information is possible in the presence of up to t inactive servers. An enhanced mechanism to enable construction in the presence of ma ..."
Abstract

Cited by 45 (1 self)
 Add to MetaCart
In his wellknown Information Dispersal Algorithm paper, Rabin showed a way to distribute information in n pieces among n servers in such a way that recovery of the information is possible in the presence of up to t inactive servers. An enhanced mechanism to enable construction in the presence of malicious faults, which can intentionally modify their pieces of the information, was later presented by Krawczyk. Yet, these methods assume that the malicious faults occur only at reconstruction time. In this paper we address the more general problem of secure storage and retrieval of information (SSRI), and guarantee that also the process of storing the information is correct even when some of the servers fail. Our protocols achieve this while maintaining the (asymptotical) space optimality of the above methods. We also consider SSRI with the added requirement of con dentiality, by which no party except for the rightful owner of the information is able to learn anything about it. This is achieved through novel applications of cryptographic techniques, such as the distributed generation of receipts, distributed key management via threshold cryptography, and “blinding”. An
Adaptively secure threshold cryptography: Introducing concurrency, removing erasures
, 2000
"... Abstract. We put forward two new measures of security for threshold schemes secure in the adaptive adversary model: security under concurrent composition; and security without the assumption of reliable erasure. Using novel constructions and analytical tools, in both these settings, we exhibit effic ..."
Abstract

Cited by 33 (3 self)
 Add to MetaCart
Abstract. We put forward two new measures of security for threshold schemes secure in the adaptive adversary model: security under concurrent composition; and security without the assumption of reliable erasure. Using novel constructions and analytical tools, in both these settings, we exhibit efficient secure threshold protocols for a variety of cryptographic applications. In particular, based on the recent scheme by CramerShoup, we construct adaptively secure threshold cryptosystems secure against adaptive chosen ciphertext attack under the DDH intractability assumption. Our techniques are also applicable to other cryptosystems and signature schemes, like RSA, DSS, and ElGamal. Our techniques include the first efficient implementation, for a wide but special class of protocols, of secure channels in erasurefree adaptive model. Of independent interest, we present the notion of a committed proof. 1
Computing inverses over a shared secret modulus
, 2000
"... Abstract. We discuss the following problem: Given an integer φ shared secretly among n players and a prime number e, how can the players efficiently compute a sharing of e −1 mod φ. The most interesting case is when φ is the Euler function of a known RSA modulus N, φ = φ(N). The problem has several ..."
Abstract

Cited by 28 (0 self)
 Add to MetaCart
Abstract. We discuss the following problem: Given an integer φ shared secretly among n players and a prime number e, how can the players efficiently compute a sharing of e −1 mod φ. The most interesting case is when φ is the Euler function of a known RSA modulus N, φ = φ(N). The problem has several applications, among which the construction of threshold variants for two recent signature schemes proposed by GennaroHaleviRabin and CramerShoup. We present new and efficient protocols to solve this problem, improving over previous solutions by BonehFranklin and Frankel et al. Our basic protocol (secure against honest but curious players) requires only two rounds of communication and a single GCD computation. The robust protocol (secure against malicious players) adds only a couple of rounds and a few modular exponentiations to the computation. 1
Chosen ciphertext secure public key threshold encryption without random oracles
 in Proceedings of RSACT 2006
, 2006
"... Abstract. We present a noninteractive chosen ciphertext secure threshold encryption system. The proof of security is set in the standard model and does not use random oracles. Our construction uses the recent identity based encryption system of Boneh and Boyen and the chosen ciphertext secure const ..."
Abstract

Cited by 26 (6 self)
 Add to MetaCart
Abstract. We present a noninteractive chosen ciphertext secure threshold encryption system. The proof of security is set in the standard model and does not use random oracles. Our construction uses the recent identity based encryption system of Boneh and Boyen and the chosen ciphertext secure construction of Canetti, Halevi, and Katz.