## Computing inverses over a shared secret modulus (2000)

### Download Links

- [www.iacr.org]
- [www.research.ibm.com]
- [mathmagic.cn]
- DBLP

Citations: 26 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Catalano00computinginverses,
  author    = {Dario Catalano and Rosario Gennaro and Shai Halevi},
  title     = {Computing inverses over a shared secret modulus},
  booktitle = {},
  year      = {2000},
  pages     = {190--206},
  publisher = {Springer-Verlag}
}
```

### Abstract

We discuss the following problem: given an integer φ shared secretly among n players and a prime number e, how can the players efficiently compute a sharing of e^{-1} mod φ? The most interesting case is when φ is the Euler function of a known RSA modulus N, φ = φ(N), since the security of RSA rests on φ(N) staying secret. The problem has several applications, among which the construction of threshold variants for two recent signature schemes proposed by Gennaro-Halevi-Rabin and Cramer-Shoup. We present new and efficient protocols to solve this problem, improving over previous solutions by Boneh-Franklin and Frankel et al. Our basic protocol (secure against honest-but-curious players) requires only two rounds of communication and a single GCD computation. The robust protocol (secure against malicious players) adds only a couple of rounds and a few modular exponentiations to the computation.
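The two-round, single-GCD structure the abstract describes, as an added simulation that is not the paper's code: each player holds a share of φ under a t-degree polynomial over the integers, the players reveal one masked value γ = λφ + eR, run a single extended GCD on it, and turn their shares of R into shares of d = e^{-1} mod φ without ever reconstructing φ. Everything below that the page does not state is an assumption of this example: the function names, exact rational Lagrange interpolation in place of the paper's L = n! scaling, the placeholder widths of the random values, and the toy primes.

```python
"""Added simulation of two-round honest-but-curious inversion over a shared phi.

Illustrative reconstruction, not code from the paper: n players hold shares of
phi = phi(N) under a degree-t polynomial over the integers and derive shares of
d = e^-1 mod phi while phi itself is never reconstructed.  Assumptions made
here: interpolation uses exact rationals instead of the paper's L = n! scaling,
the random ranges are placeholders rather than the widths the paper's privacy
analysis fixes, and the RSA primes are toy-sized.
"""
import random
from fractions import Fraction


def share_integer(secret, degree, n, bound, rng):
    """Deal `secret` to players 1..n with a random degree-`degree` polynomial over
    the integers (coefficients in [-bound, bound]).  Returns {i: f(i)}, f(0) = secret."""
    coeffs = [secret] + [rng.randrange(-bound, bound + 1) for _ in range(degree)]
    return {i: sum(c * i ** k for k, c in enumerate(coeffs)) for i in range(1, n + 1)}


def interpolate_at_zero(shares):
    """Exact Lagrange interpolation of f(0) from {i: f(i)}; needs deg(f)+1 points."""
    total = Fraction(0)
    for i, y_i in shares.items():
        lagrange = Fraction(1)
        for j in shares:
            if j != i:
                lagrange *= Fraction(-j, i - j)
        total += y_i * lagrange
    if total.denominator != 1:
        raise ValueError("shares do not lie on an integer polynomial")
    return int(total)


def ext_gcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def shared_inverse(phi_shares, e, t, N, rng):
    """Two rounds of messages plus one public extended GCD.  Input: {i: f(i)} with
    f(0) = phi and deg f = t.  Output: (gamma, {i: d_i}) where the d_i lie on a
    degree-2t polynomial whose value at 0 is congruent to e^-1 modulo phi."""
    n = len(phi_shares)
    if n < 2 * t + 1:
        raise ValueError("n >= 2t+1 players are needed to interpolate a degree-2t polynomial")
    while True:
        # Round 1: every player deals a random multiplier lambda_i (degree t) and a
        # random mask r_i (degree 2t).  Player j adds what it receives, so that
        # G(j) = sum_i g_i(j) shares lambda = sum lambda_i and H(j) shares R = sum r_i.
        G = dict.fromkeys(phi_shares, 0)
        H = dict.fromkeys(phi_shares, 0)
        for _ in range(n):
            lambda_i = rng.randrange(1, N)
            r_i = rng.randrange(0, N ** 3)           # placeholder width (assumption)
            for j, s in share_integer(lambda_i, t, n, N, rng).items():
                G[j] += s
            for j, s in share_integer(r_i, 2 * t, n, N ** 3, rng).items():
                H[j] += s
        # Round 2: player j broadcasts F(j) = f(j)*G(j) + e*H(j).  F has degree 2t
        # and F(0) = lambda*phi + e*R; the wide mask e*R is what keeps gamma from
        # leaking phi.
        F = {j: phi_shares[j] * G[j] + e * H[j] for j in phi_shares}
        gamma = interpolate_at_zero(F)
        g, a, b = ext_gcd(gamma, e)                  # the single GCD computation
        if g == 1:
            break
        # gamma = lambda*phi (mod e), so with e prime and gcd(e, phi) = 1 this fails
        # only when e divides lambda (probability about 1/e): rerun both rounds.
    # a*gamma + b*e = 1  =>  (a*R + b)*e = 1 (mod phi).  Every player already holds
    # H(j), its share of R, so its share of d = a*R + b needs no further interaction.
    d_shares = {j: a * H[j] + b for j in phi_shares}
    return gamma, d_shares


def demo(seed=1, n=7, t=2):
    """Run the protocol on a constructed toy key (small primes p, q; e = 65537) and
    reconstruct d from the players' shares only to check it; returns a dict."""
    rng = random.Random(seed)
    p, q = 10007, 10009                              # toy primes for the demo only
    N, phi, e = p * q, (p - 1) * (q - 1), 65537
    phi_shares = share_integer(phi, t, n, N, rng)    # the dealer's sharing of phi (input)
    gamma, d_shares = shared_inverse(phi_shares, e, t, N, rng)
    d = interpolate_at_zero(d_shares) % phi          # any 2t+1 of the shares would do
    return {"N": N, "phi": phi, "e": e, "gamma": gamma, "d": d, "d_shares": d_shares}


if __name__ == "__main__":
    out = demo()
    print("d * e mod phi =", (out["d"] * out["e"]) % out["phi"])
```

Run as a script it prints 1. Two things to keep in mind when reading it against the paper: the statistical hiding of φ inside γ depends on R being chosen much wider than λφ/e, and the widths above only show the shape, not the bounds the paper's analysis requires; and the output is a degree-2t sharing of d, which is why n ≥ 2t+1 players are needed here and why the robust variant quoted in the citation contexts below has to interpolate a degree-2t polynomial F(z) under faults.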

### Citations

2899 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation Context: ...g of e^{-1} mod φ, without revealing anything about φ. The most interesting case is when φ is the Euler function of a known RSA modulus φ = φ(N), since in this case the security of the RSA cryptosystem [22] is based on the assumption that φ(N) remains secret. The most important applications of distributed modular inversion over a shared modulus are distributed RSA key generation, and distributing the ne...

1457 | Theory of Linear and Integer Programming
- Schrijver
- 1986

670 | Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation (extended abstract)
- Goldwasser, Wigderson
- 1988
Citation Context: ...chniques developed to prove the security of the protocols may be of independent interest. Previous work. Although our problem can in principle be solved using generic multiparty computation protocols [19, 3, 8], the resulting solutions would hardly be practical. Boneh-Franklin. The first to address the issue of an efficient solution for this problem were Boneh and Franklin, who in a breakthrough result show...

429 | How to Play ANY Mental Game
- Goldreich, Micali, et al.
- 1987
Citation Context: same passage as the Goldwasser-Wigderson entry above.

372 | Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing
- Pedersen
- 1991
Citation Context: ...t players and make them behave in any arbitrary manner. We use some standard techniques like: – Replace the simple secret-sharing of the first round with Verifiable Secret Sharing (VSS) à la Pedersen [20], to make sure that the players perform correct sharings; [...] Inversion Protocol for Honest-but-Curious Players. Private inputs: Sharing of Lφ using a t-...

163 | Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees
- Barić, Pfitzmann
- 1997
Citation Context: ...ate the squares subgroup and we assume that nobody knows the discrete log of H with respect to G. The protocol is spelled out in Figure 2. The Strong-RSA Assumption. This assumption was introduced in [1] and subsequently used in several other works [15, 17, 9]. It conjectures that given a random square G ∈ Z*_M there exists no polynomial time algorithm that can compute H ∈ Z*_M and an integer x ≠ 1...

150 | Signature Schemes Based on the Strong RSA Assumption
- Cramer, Shoup
- 1999
Citation Context: ...ortant applications of distributed modular inversion over a shared modulus are distributed RSA key generation, and distributing the new signature schemes of Gennaro-Halevi-Rabin [17] and Cramer-Shoup [9]. In particular, in the latter applications it is very important to have an efficient inversion (⋆ Extended Abstract. A more complete version is available from http://www.research.ibm.com/security/dist...)

132 | Statistical Zero Knowledge Protocols to Prove Modular (title truncated on the page)
- Fujisaki, Okamoto
- 1997
Citation Context: ...(z) in Round 2. A few technical complications arise from the fact that we use secret sharing over the integers. Some are solved using known techniques that were developed for robust and proactive RSA [15, 12, 21, 7], others require some new machinery. 5.1 Pedersen's VSS revisited. The problems that we need to tackle are how to ensure that the secrets are shared correctly in Round 1 and recovered correctly in Round...

124 | Efficient Generation of Shared RSA Keys
- Boneh, Franklin
- 1997
Citation Context: ...st to address the issue of an efficient solution for this problem were Boneh and Franklin, who in a breakthrough result show how n > 3 parties can jointly generate an RSA key without a trusted dealer [5]. In particular, as part of their solution they show how the parties jointly compute d = e^{-1} mod φ(N), where N, e are the RSA modulus and public exponent, respectively, and φ(N) is shared among the p...

121 | Secure Hash-and-Sign Signatures Without the Random Oracle
- Gennaro, Halevi, et al.
- 1999
Citation Context: ...s secret. The most important applications of distributed modular inversion over a shared modulus are distributed RSA key generation, and distributing the new signature schemes of Gennaro-Halevi-Rabin [17] and Cramer-Shoup [9]. In particular, in the latter applications it is very important to have an efficient inversion (⋆ Extended Abstract. A more complete version is available from http://www.research....)

115 | Non-Cryptographic Fault-Tolerant Computing in a Constant Number of Rounds of Interaction
- Bar-Ilan, Beaver
- 1989
Citation Context: ...ulty of computing modulo an unknown integer was used in several previous papers [13, 18, 12, 21]. Finally, the "dual" problem of computing x^{-1} mod p where p is known and x is shared was discussed in [2]. 2 Preliminaries. The network model. We consider a network of n players, that are connected by point-to-point private channels and by a broadcast channel. We model failures in the network by an adve...

107 | Error Correction of Algebraic Block Codes
- Welch, Berlekamp
- 1986
Citation Context: ... this description we distinguish between two cases: n > 4t or 3t < n ≤ 4t. When n > 4t we can use error-correcting codes to interpolate the polynomial F(z) (e.g., using the Berlekamp-Welch algorithm [4] or see for example the appendix in [24]). For the case of 3t < n ≤ 4t we do not have enough points to do error-correction, so we identify and sieve out the bad shares by having each player P_i prove in zero knowledge that its value F(i) is...

98 | Society and Group Oriented Cryptography: A New Concept
- Desmedt
- 1987

93 | Threshold Cryptography
- Desmedt
- 1994
Citation Context: ...ly in a communication protocol which outputs the signature. A large body of research has been done on threshold signature schemes: for lack of space we refer the reader only to two literature surveys [11, 16]. [...] Robust Protocol. Private inputs: Sharing of the number Lφ using a t-degree polynomial over the integers. Player P_i has private input f_i = f(i), wh...

79 | Robust and Efficient Sharing of RSA Functions
- Gennaro, Jarecki, et al.
- 1996

68 | Efficient Checking of Polynomials and Proofs and the Hardness of Approximation Problems
- Sudan
- 1992
Citation Context: same passage as the Welch-Berlekamp entry above.

55 | Robust Efficient Distributed RSA-Key Generation
- Frankel, MacKenzie, et al.
- 1998
Citation Context: ... a strong, statistical, sense. (This requires some increase in the size of the shares, though.) Frankel-MacKenzie-Yung. Building on the Boneh-Franklin solution, Frankel, MacKenzie and Yung describe in [14] a way to add robustness to the protocols in [5], and in particular how to add robustness to the inversion protocol. The FMY protocol follows the structure of [5], so it also needs two invocations of ...

47 | Optimal Resilience Proactive Public-Key Cryptosystems
- Frankel, Gemmell, et al.
- 1997
Citation Context: ...inated in papers over robust and proactive RSA. In particular, working over the integers in order to overcome the difficulty of computing modulo an unknown integer was used in several previous papers [13, 18, 12, 21]. Finally, the "dual" problem of computing x^{-1} mod p where p is known and x is shared was discussed in [2]. 2 Preliminaries. The network model. We consider a network of n players, that are connected b...

41 | Adaptive Security for Threshold Cryptosystems
- Canetti, Gennaro, et al.
- 1999

37 | An Introduction to Threshold Cryptography
- Gemmell
- 1997
Citation Context: same passage as the Desmedt (1994) entry above.

26 | Witness-Based Cryptographic Program Checking and Robust Function Sharing
- Frankel, Gemmell, et al.
- 1996
Citation Context: same passage as the Frankel-Gemmell (1997) entry above.

13 | New Efficient and Secure Protocols for Verifiable Signature and Other Applications
- Catalano, Gennaro
- 1998
Citation Context: same passage as the Fujisaki-Okamoto entry above.

6 | A Simplified Approach to Threshold and (title truncated on the page)
- Rabin
- 1998
Citation Context: ... protocol is based on an n-out-of-n solution where a single crash could prevent the protocol from completing. To obtain a t-out-of-n solution, they suggest using the "share-backup" approach of Rabin [21], but this approach has some known problems. For one thing, it incurs the overhead of multiple layers of (verifiable) secret-sharing. Moreover, it requires that the "good parties" recover the secret i...

The remaining three entries are not cited works: the reference extractor picked up steps of a zero-knowledge proof from the paper's robust protocol as if they were titles. The recoverable text of each step is kept here; their citation contexts repeat passages already listed above.

1 | "chooses a random τ ∈ [−M^2 ..." (proof step, truncated on the page)
- unknown authors
Citation Context: same passage as the Barić-Pfitzmann entry above.

1 | "proves in zero-knowledge (to a verifier V) that D is correct w.r.t. A, B as follows: (a) P chooses α, α̂, β, β̂, γ̂ at random in [−M^6, M^6], and sends to V the values M1 = G^α H^α̂, M2 = G^β H^β̂, M3 = B^α H^γ̂. (b) V chooses a random d in [0, M] a..." (proof step, truncated on the page)
- unknown authors
Citation Context: same passage as the Bar-Ilan-Beaver entry above.

1 | "reveals f = ab + ec and f̂ = τ + eĉ. The value is accepted if and only if G^f H^f̂ = D C^e mod M" (proof step)
- unknown authors
Citation Context: same passage as the Goldwasser-Wigderson entry above.
