## Fully distributed threshold RSA under standard assumptions (2001)

Venue: ADVANCES IN CRYPTOLOGY — ASIACRYPT 2001, VOLUME ??? OF LNCS

Citations: 23 - 3 self

### BibTeX

@INPROCEEDINGS{Fouque01fullydistributed,
    author = {Pierre-Alain Fouque and Jacques Stern},
    title = {Fully distributed threshold RSA under standard assumptions},
    booktitle = {ADVANCES IN CRYPTOLOGY — ASIACRYPT 2001, VOLUME ??? OF LNCS},
    year = {2001},
    pages = {310--330},
    publisher = {Springer Verlag}
}

### Abstract

The aim of this article is to propose a fully distributed environment for the RSA scheme. What we have in mind is highly sensitive applications and even if we are ready to pay a price in terms of efficiency, we do not want any compromise of the security assumptions that we make. Recently Shoup proposed a practical RSA threshold signature scheme that allows to share the ability to sign between a set of players. This scheme can be used for decryption as well. However, Shoup’s protocol assumes a trusted dealer to generate and distribute the keys. This comes from the fact that the scheme needs a special assumption on the RSA modulus and this kind of RSA moduli cannot be easily generated in an efficient way with many players. Of course, it is still possible to call theoretical results on multiparty computation, but we cannot hope to design efficient protocols. The only practical result to generate RSA moduli in a distributive manner is Boneh and Franklin’s protocol but it seems difficult to modify it in order to generate the kind of RSA moduli that Shoup’s protocol requires. The present work takes a different path by proposing a method to enhance the key generation with some additional properties and revisits Shoup’s protocol to work with the resulting RSA moduli. Both of these enhancements decrease the performance of the basic protocols. However, we think that in the applications we target, these enhancements provide practical solutions. Indeed, the key generation protocol is usually run only once and the number of players used to sign or decrypt is not very large. Moreover, these players have time to perform their task so that the communication or time complexity are not overly important.

### Citations

3136 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation Context ...players have time to perform their task so that the communication or time complexity are not overly important. Keywords: Threshold RSA key generation and signature 1 Introduction The cryptosystem RSA [34] is widely used in today practical systems. For instance, a lot of PKI products are based on it. In such systems, the protection of the root key needs strong security requirements. Therefore, threshold p...

1897 | How to share a secret
- Shamir
- 1979
Citation Context ...lled a safe prime modulus if p and q are both safe primes. 2 The Problem As we will see in the following, safe primes are used in the key generation in order to prove that Shamir secret sharing scheme [36] is secure in the ring $\mathbb{Z}_M$, and not in a finite field, and in the proof of correctness. Let us explain the second problem as it is less obvious. ...

713 | Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation (extended abstract)
- Ben-Or, Goldwasser, et al.
- 1988
Citation Context ... servers check whether $\gcd(p-1, 4P) \stackrel{?}{=} 2$ and whether $\gcd(4P, q-1) \stackrel{?}{=} 2$, where $P = \prod_{2 < p_i < B} p_i$ and B is the sieving bound using the GCD algorithm that we describe below. 2. Then the BGW protocol [2,4] is run to compute the product N of $p_1 + \dots + p_\ell$ and $q_1 + \dots + q_\ell$. They also compute the product $\varphi(N) = (p-1)(q-1)$ and check whether $\gcd(\varphi(N), N-1) \stackrel{?}{=} 1$ using the GCD algorithm. 3. Next, the parties pe...

214 | Practical Threshold Signatures
- Shoup
- 2000
Citation Context ...to fully distribute RSA. This solves an open problem where one needs to cope with requirements that do not match. On one hand, at Eurocrypt’00, Shoup describes a practical threshold signature scheme in [37] where the primes of the RSA modulus should be safe. On the other hand, Boneh and Franklin at Crypto ’97 [4] describe a protocol to share the key generation of an RSA modulus. However, the generation of...

204 | A practical zero-knowledge protocol fitted to security processor minimizing both transmission and memory
- Guillou, Quisquater
Citation Context ...his problem. Shoup in [37] and Miyazaki, Sakurai and Yung in [26] solve this problem by using a well-known lemma to extract an e-root of w modulo a composite number from a e-root of a known power of w [24] without any secret. The solution is to multiply Lagrange coefficients by $\Delta$ such that they are integers: $\lambda^S_{i,j} = \Delta \times \lambda'^S_{i,j} \in \mathbb{Z}$ and $\Delta d = \sum_{i \in S} \lambda^S_{0,i} d_i$, if we denote by S a subset of t + 1 elements. Th...

198 | A Threshold Cryptosystem without a Trusted Party
- Pedersen
- 1991
Citation Context ...f discrete-log based cryptosystems, known solutions exist to distribute DSS, El Gamal, Cramer-Shoup [20,38,7]. Moreover, a protocol to distribute a discrete-log key has been first proposed by Pedersen in [27]. This protocol has been further revisited to solve a security flaw [21,15]. Therefore, discrete-log cryptosystems are fully distributed. However, a fully distributed version of RSA is a more challengin...

166 | A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system
- Damgård, Jurik
- 1992
Citation Context ... schemes. Therefore, we prefer to use protocols based on standard assumptions. We believe that standard assumptions and security proofs are needed to build secure protocols. Several electronic schemes [14,11,1] have been based on Paillier cryptosystem which is related to RSA. The techniques developed in the paper can be used to fully share this cryptosystem. 2.2 Our Results We prove that Shoup’s protocol ca...

140 | Secure Distributed Key Generation for Discrete-Log Based Cryptosystems
- Gennaro, Krawczyk
- 1999
Citation Context ...SS, El Gamal, Cramer-Shoup [20,38,7]. Moreover, a protocol to distribute a discrete-log key has been first proposed by Pedersen in [27]. This protocol has been further revisited to solve a security flaw [21,15]. Therefore, discrete-log cryptosystems are fully distributed. However, a fully distributed version of RSA is a more challenging and important task. In this paper we propose new techniques to fully dist...

131 | Efficient Generation of Shared RSA Keys
- Boneh, Franklin
- 2001
Citation Context ...atch. On one hand, at Eurocrypt’00, Shoup describes a practical threshold signature scheme in [37] where the primes of the RSA modulus should be safe. On the other hand, Boneh and Franklin at Crypto ’97 [4] describe a protocol to share the key generation of an RSA modulus. However, the generation of safe modulus seems to be hard with this protocol. The present work takes a different path by proposing a m...

131 | Robust Threshold DSS Signatures
- Gennaro, Stanislaw, et al.
- 1996
Citation Context ...ibuted if it is distributed from the key generation to the signature or decryption phase. In the case of discrete-log based cryptosystems, known solutions exist to distribute DSS, El Gamal, Cramer-Shoup [20,38,7]. Moreover, a protocol to distribute a discrete-log key has been first proposed by Pedersen in [27]. This protocol has been further revisited to solve a security flaw [21,15]. Therefore, discrete-log cr...

111 | Securing threshold cryptosystems against chosen ciphertext attack
- Shoup, Gennaro
Citation Context ...ibuted if it is distributed from the key generation to the signature or decryption phase. In the case of discrete-log based cryptosystems, known solutions exist to distribute DSS, El Gamal, Cramer-Shoup [20,38,7]. Moreover, a protocol to distribute a discrete-log key has been first proposed by Pedersen in [27]. This protocol has been further revisited to solve a security flaw [21,15]. Therefore, discrete-log cr...

109 | Shared generation of authenticators and signatures
- Desmedt, Frankel
Citation Context ...the bad signature shares in the presence of active (malicious) players. In [16], the authors proposed the first proven scheme based on polynomial sharing, which is based on Desmedt and Frankel’s scheme [13]. However in the case of active adversaries, which are allowed to send bad shares, the protocol has to be rewind at most t times, to remove the bad servers as the signature shares depend on the subgroup ...

85 | Practical multi-candidate election system
- Baudron, Fouque, et al.
- 2001
Citation Context ... schemes. Therefore, we prefer to use protocols based on standard assumptions. We believe that standard assumptions and security proofs are needed to build secure protocols. Several electronic schemes [14,11,1] have been based on Paillier cryptosystem which is related to RSA. The techniques developed in the paper can be used to fully share this cryptosystem. 2.2 Our Results We prove that Shoup’s protocol ca...

84 | A simplified approach to threshold and proactive RSA
- Rabin
Citation Context ...s the t + 1 related signature shares to generate the signature s. Efficient communication model against active adversary. The main characteristic of Shoup’s protocol in relation to previous proposals [17,16,32] is the following. In the discrete-log case, it is easy to compute inverses mod q, if we note q the order of the group G generated by g, because q is public. With RSA, we ca...

83 | Robust and efficient sharing of RSA functions
- Gennaro, Jarecki, et al.
- 1996

80 | Sharing decryption in the context of voting or lotteries
- Fouque, Poupard, et al.
- 2001
Citation Context ... schemes. Therefore, we prefer to use protocols based on standard assumptions. We believe that standard assumptions and security proofs are needed to build secure protocols. Several electronic schemes [14,11,1] have been based on Paillier cryptosystem which is related to RSA. The techniques developed in the paper can be used to fully share this cryptosystem. 2.2 Our Results We prove that Shoup’s protocol ca...

67 | How to share a function securely
- Santis, Desmedt, et al.
- 1994
Citation Context ...d by g, because q is public. With RSA, we cannot disclose inverses of a known value mod ϕ(N) without revealing the factorization of N unless we use a special algebraic structure, called a module, as in [35,19]. We can note that computations in such structure can be done efficiently if we consider [25]. If we do not want to use a module, we face the problem of computing inverses when we use polynomial sharin...

65 | An Efficient Threshold Public-Key Cryptosystem Secure Against Adaptive Chosen Ciphertext Attack
- Canetti, Goldwasser
- 1999
Citation Context ...ibuted if it is distributed from the key generation to the signature or decryption phase. In the case of discrete-log based cryptosystems, known solutions exist to distribute DSS, El Gamal, Cramer-Shoup [20,38,7]. Moreover, a protocol to distribute a discrete-log key has been first proposed by Pedersen in [27]. This protocol has been further revisited to solve a security flaw [21,15]. Therefore, discrete-log cr...

58 | Proactive security: Long-term protection against break-ins
- Canetti, Gennaro, et al.
- 1997
Citation Context ...Indeed, threshold cryptography can cope with break-ins adversaries that have the ability to corrupt people and read the memory of servers [6]. These adversaries are stronger than “normal” adversaries that can only read exchanged messages. In a “centralized” cryptosystem, if one break-ins adversary attacks the memory, he then knows all the ke...

56 | Robust Efficient Distributed RSA-key Generation
- Frankel, MacKenzie, et al.
- 1998
Citation Context ... e-root of $x^\Delta$ with the previous formula and can recover a e-root of x using the well-known lemma. Consequently, if we use Shoup’s scheme, there is no need to generate $d_i$ such that $\Delta \mid d_i$ as it is done in [18,12]. Even if the protocol of Frankel et al. in [16] proposed a fully distributed version of RSA, it is less elegant than Shoup’s one and it will be nice to share this protocol. Moreover, this scheme propos...

53 | Practical Threshold RSA Signatures without a Trusted Dealer
- Damgård, Koprowski
- 2001
Citation Context ... e-root of $x^\Delta$ with the previous formula and can recover a e-root of x using the well-known lemma. Consequently, if we use Shoup’s scheme, there is no need to generate $d_i$ such that $\Delta \mid d_i$ as it is done in [18,12]. Even if the protocol of Frankel et al. in [16] proposed a fully distributed version of RSA, it is less elegant than Shoup’s one and it will be nice to share this protocol. Moreover, this scheme propos...

52 | Optimal Resilience Proactive Public-Key Cryptosystems
- Frankel, Gemmell, et al.
- 1997
Citation Context ...s the t + 1 related signature shares to generate the signature s. Efficient communication model against active adversary. The main characteristic of Shoup’s protocol in relation to previous proposals [17,16,32] is the following. In the discrete-log case, it is easy to compute inverses mod q, if we note q the order of the group G generated by g, because q is public. With RSA, we ca...

41 | A generalization, a simplification and some applications of paillier’s probabilistic public-key system
- Damgård, Jurik
- 1992

37 | Experimenting with Shared Generation of RSA keys
- Malkin, Wu, et al.
- 1999

28 | Two party rsa key generation
- Gilboa
- 1999
Citation Context ...d Generation of RSA Keys. This raises the question of generating RSA moduli for Shoup’s threshold scheme without a trusted dealer. There exist protocols that generate RSA keys in a distributive manner [4,18,9,10,3,30,23]. Boneh and Franklin in [4] designed such protocol for the generation of an RSA modulus in the honest-but-curious model. Later, Frankel, MacKenzie and Yung in [18] made this algorithm robust against mal...

26 | Computing Inverses over a Shared Secret Modulus. Eurocrypt 2000
- Catalano, Gennaro, et al.
Citation Context ...nd a precise treatment has been given by Poupard and Stern in [31]. Moreover, using a nice trick of Gennaro et al. which first appeared in [22] and the protocol recently proposed by Catalano et al. in [8], the calculation of gcd(p − 1, q − 1) can be performed in a distributed way. These methods allow to keep key generation and signature efficient. In this paper, we show how to jointly construct RSA moduli...

25 | An Efficient Non-Interactive Statistical Zero-Knowledge Proof System for Quasi-Safe Prime Products
- Gennaro, Micciancio, et al.
- 1998
Citation Context ... techniques have already been used by Frankel et al. in [18] and a precise treatment has been given by Poupard and Stern in [31]. Moreover, using a nice trick of Gennaro et al. which first appeared in [22] and the protocol recently proposed by Catalano et al. in [8], the calculation of gcd(p − 1, q − 1) can be performed in a distributed way. These methods allow to keep key generation and signature efficie...

21 | On the distribution of pseudoprimes
- Pomerance
- 1981
Citation Context ... algorithm is first performed, the Miller-Rabin primality test is not needed as pseudoprimes are rare according to Pomerance’s conjectures [28,29]. Moreover, Carmichael numbers are avoided due to a trick similar to Solovay-Strassen primality test. We set p = p1 + ... + pℓ and q = q1 + ... + qℓ. 4.2 Computing the gcd of a Public Value and a Shared ...

20 | Generation of shared rsa keys by two parties
- Poupard, Stern
- 1998
Citation Context ...d Generation of RSA Keys. This raises the question of generating RSA moduli for Shoup’s threshold scheme without a trusted dealer. There exist protocols that generate RSA keys in a distributive manner [4,18,9,10,3,30,23]. Boneh and Franklin in [4] designed such protocol for the generation of an RSA modulus in the honest-but-curious model. Later, Frankel, MacKenzie and Yung in [18] made this algorithm robust against mal...

13 | Split knowledge generation of RSA parameters
- Cocks
- 1997
Citation Context ...d Generation of RSA Keys. This raises the question of generating RSA moduli for Shoup’s threshold scheme without a trusted dealer. There exist protocols that generate RSA keys in a distributive manner [4,18,9,10,3,30,23]. Boneh and Franklin in [4] designed such protocol for the generation of an RSA modulus in the honest-but-curious model. Later, Frankel, MacKenzie and Yung in [18] made this algorithm robust against mal...

13 | Short proofs of knowledge of factoring, in
- Poupard, Stern
- 2000
Citation Context ...the group generated by $\langle g_1, \dots, g_k \rangle$ is all of $Q_N$ with high probability. Such techniques have already been used by Frankel et al. in [18] and a precise treatment has been given by Poupard and Stern in [31]. Moreover, using a nice trick of Gennaro et al. which first appeared in [22] and the protocol recently proposed by Catalano et al. in [8], the calculation of gcd(p − 1, q − 1) can be performed in a distr...

12 | One round threshold discrete-log key generation without private channels
- FOUQUE, STERN
Citation Context ...SS, El Gamal, Cramer-Shoup [20,38,7]. Moreover, a protocol to distribute a discrete-log key has been first proposed by Pedersen in [27]. This protocol has been further revisited to solve a security flaw [21,15]. Therefore, discrete-log cryptosystems are fully distributed. However, a fully distributed version of RSA is a more challenging and important task. In this paper we propose new techniques to fully dist...

11 | Split Generation of RSA Parameters with Multiple Participants
- Cocks

11 | Two methods in elementary analytic number theory
- Pomerance
- 1989
Citation Context ... algorithm is first performed, the Miller-Rabin primality test is not needed as pseudoprimes are rare according to Pomerance’s conjectures [28,29]. Moreover, Carmichael numbers are avoided due to a trick similar to Solovay-Strassen primality test. We set p = p1 + ... + pℓ and q = q1 + ... + qℓ. 4.2 Computing the gcd of a Public Value and a Shared ...

7 | Shared generation of shared RSA keys
- Blackburn, Blake-Wilson, et al.
- 1998

5 | Finding four million large random primes
- Rivest
- 1991
Citation Context ...her $\gcd(\varphi(N), N-1) \stackrel{?}{=} 1$ using the GCD algorithm. 3. Next, the parties perform a primality test similar to the Fermat test modulo N. The practicality of this test is based on the empirical results of [33] where Rivest showed that if a sieving algorithm is first performed, the Miller-Rabin primality test is not needed as pseudoprimes are rare according to ...

2 | Improved Methods to Perform Threshold RSA
- King
- 2000
Citation Context ...out revealing the factorization of N unless we use a special algebraic structure, called a module, as in [35,19]. We can note that computations in such structure can be done efficiently if we consider [25]. If we do not want to use a module, we face the problem of computing inverses when we use polynomial sharing in order to compute the Lagrange coefficients. Consequently some authors in [17,32] have pr...

2 | On Threshold RSA-signing with no dealer
- Miyazaki, Sakurai, et al.
- 1999
Citation Context ...will be correct. However, this redefinition of the subgroup does not seem very nice and Shoup and others have proposed a new trick to avoid this problem. Shoup in [37] and Miyazaki, Sakurai and Yung in [26] solve this problem by using a well-known lemma to extract an e-root of w modulo a composite number from a e-root of a known power of w [24] without any secret. The solution is to multiply Lagrange co...

1 | Fast Generation of Random
- Silverman
- 1997
Citation Context ... shared RSA modulus. We describe this protocol here with our adaptation. 1. In the first step, each server picks at random two values pi and qi in the interval [⌊2 (n−1)/2⌋, ⌊ 2n/2−1 ℓ ⌋[ according to [39], where n is the size in bits of the modulus N. Then, we use a sieving algorithm in order to discard p1 + ... + pℓ and q1 + ... + qℓ that have small prime factors and if p1 + ... + pℓ − 1 or q1 + ... + qℓ − 1 have sm...

1 | the extended version for the Journal of Cryptology, available at http://www.shoup.net/papers - cf |