D. Boneh and M. Franklin. Efficient Generation of Shared RSA Keys. J. ACM, 48(4):702--722, 2001.
....resists the conspiracy attack because the revocation manager can trace all the corrupted members involved in a forged signature. 1 Introduction The threshold signature scheme is very important in practice on behalf of a group. Almost all of the threshold signatures are based on secret sharing [1, 12, 23, 25, 26] . These schemes usually have a common weakness that they cannot avoid of the conspiracy attack which is first described in [20] The conspiracy attack means that, if t or more members of the group conspire, the secret of the group will be retrieved. Once these members get the group secret, they ....
D. Boneh, M. Franklin, Efficient generation of the shared RSA keys, Proc. Of Crypto'97, Springer-Verlag LNCS 1233.
....protocols [19, 3, 8] the resulting solutions would hardly be practical. BONEH FRANKLIN. The first to address the issue of an efficient solution for this problem were Boneh and Franklin, who in a breakthrough result show how n 3 parties can jointly generate an RSA key without a trusted dealer [5]. In particular, as part of their solution they show how the parties jointly compute d = e mod (N ) where N; e are the RSA modulus and public exponent, respectively, and (N ) is shared among the parties. Our solution improves on some of the features of the Boneh Franklin protocol. In ....
....the parties. Our solution improves on some of the features of the Boneh Franklin protocol. In particular: 1. We only use a single invocation of the BGW [3] multiplication protocol, while their protocol needs two of them. Hence the round complexity of our protocol is half that of the protocol in [5]. 2. The Boneh Franklin protocol is based on an n out of n solution where a single crash could prevent the protocol from completing. To obtain a t out of n solution, they suggest using the share backup approach of Rabin [21] but this approach has some known problems. For one thing, it ....
D. Boneh and M. Franklin. Efficient Generation of Shared RSA Keys. In Advances in Cryptology - Crypto '97, LNCS vol. 1294, Springer, 1997, pages 425-439. Extended version available from http://crypto.stanford.edu/~dabo/pubs.html
....key. Improvements to the random generation of private keys for public key cryptography usually fall into two areas : the distribution of a secret for discrete log based cryptosystems and the distribution of RSA keys. The latter case is partially solved by the nice paper of Boneh and Franklin [4]. However, the protocol does not allow to efficiently share RSA modulus with strong primes and is not robust against cheaters. Following this paper, two articles provide robustness using different techniques. The first one by Frankel et al. [11] is based on the same methods as [4] and uses the ....
....and Franklin [4] However, the protocol does not allow to efficiently share RSA modulus with strong primes and is not robust against cheaters. Following this paper, two articles provide robustness using different techniques. The first one by Frankel et al. [11] is based on the same methods as [4] and uses the protocol of Ben Or, Goldwasser and Wigderson [2] with private channels between each pair of participants. Frankel et al. also propose protocols that make the scheme proactive in [11, 10, 12] In [22] Poupard and Stern present a protocol for two players which avoids private channels. ....
D. Boneh and M. Franklin. Efficient Generation of Shared RSA Keys. In Crypto '97, LNCS 1294, pages 425--439. Springer-Verlag, 1997.
....RSA. This solves an open problem where one needs to cope with requirements that do not match. On one hand, at Eurocrypt 00, Shoup describes a practical threshold signature scheme in [37] where the primes of the RSA modulus should be safe. On the other hand, Boneh and Franklin at Crypto 97 [4] describe a protocol to share the key generation of an RSA modulus. However, the generation of safe modulus seems to be hard with this protocol. The present work takes a different path by proposing a method to enhance the key generation with some additional properties and revisits Shoup s protocol ....
....the key generation protocol in order to guarantee the secrecy of Shamir s secret sharing. Shared Generation of RSA Keys. This raises the question of generating RSA moduli for Shoup s threshold scheme without a trusted dealer. There exist protocols that generate RSA keys in a distributive manner [4, 18, 9, 10, 3, 30, 23]. Boneh and Franklin in [4] designed such protocol for the generation of an RSA modulus in the honest but curious model. Later, Frankel, MacKenzie and Yung in [18] made this algorithm robust against malicious servers. In [30] Poupard and Stern also provided a protocol to compute a shared modulus ....
D. Boneh and M. Franklin. Efficient Generation of Shared RSA keys. In Crypto '97, LNCS 1233, pages 425--439. Springer-Verlag, 1997.
....increases as a larger is adopted. In military environments, the privilege for every node is inherently hierarchical and heterogeneous. For example, a lieutenant usually hold more confidential information than a private. This Though shared key generation schemes are available in literatures [12, 58], the result key pair is revealed to the key generation requester. Besides, it is an open question who has the authority to annul current signing key. implies that an asymmetric function sharing model is more reasonable. In UAV MBN networks, the MBN nodes could hold more shares of the backup DCA ....
D. Boneh and M. K. Franklin. Efficient Generation of Shared RSA Keys. In CRYPTO, pages 425--439, 1997.
....requirements in a repudiable manner. Case II: A shared public key for the coalition AA. In this case, the coalition AA has a shared public key whose corresponding private key is split among the member domains. That is, in Figure 1, employing the distributed shared key generation algorithm of [8], domains D1, D2, and D3 generate a public key for the coalition AA while retaining distributed shares of the corresponding private key such that no single domain has unilateral access to the For example, Anderson and Kuhn [3] and Bond [7] discuss protocol failures where the application of a ....
....for joint administration of access policies. 3. Using Shared Public Key Techniques In this section we discuss the use of shared public key techniques, which have recently been used for intrusion-tolerant applications [27] We give a brief overview of the shared public key generation algorithm of [8] and discuss the costs of using shared key techniques and the usefulness of the m of n private key sharing scheme. 3.1. Shared RSA public key generation algorithm Here we review some of the features of the shared RSA public key generation algorithm of [8, 21] The algorithm enables n domains to ....
D. Boneh and M. Franklin, "Efficient Generation of Shared RSA Keys", Advances in Cryptology - Crypto' 97, Lecture Notes in Computer Science, Vol. 1233, Springer-Verlag, 1997, pp. 425--439.
....is the product of quasi safe primes, i.e. primes p and q for which (p 1) 2 and (q 1) 2 is a prime power. However, their protocol can not guarantee that (p 1) 2 and (q 1) 2 are indeed primes which is what we are aiming for. Let us further mention the work of Boneh and Franklin [2], who provide a proof that a distributively generated number n indeed consists of two primes (without further showing that these primes are of special form) It should be noted that all these solutions assume that n is publicly known. 2 Tools 2.1 Commitment Schemes Our schemes build use ....
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In
....availability: In the infrastructureless mode, the communication overhead is minimal when a ground node has at least one hop partial CAs. Otherwise, any of the partial CA can serve as a proxy and use its own trust to bring in 2 Though shared key generation schemes are available in literatures [1, 25], the result key pair is revealed to the key generation requester. Besides, it is an open question who has the authority to annul current signing key. more partial CAs, though the communication overhead is increased in this scenario. False accusations: As described before, should be ....
D. Boneh and M. K. Franklin. Efficient Generation of Shared RSA Keys. In CRYPTO, pages 425--439, 1997.
....2 . Fortunately, proactive secret share update [16, 9, 8, 31] and self-initialization [23, 19] allow the network to periodically update all the secret shares without compromising the shared secret. As long as there are less than 2 Though shared key generation schemes are available in literatures [1, 24], the result key pair is revealed to the key generation requester. Besides, it is an open question who has the authority to annul current signing key. K ground nodes broken between two consecutive secret share updates, the backup signing key SK 0 ff is protected against break ins and can remain ....
D. Boneh and M. K. Franklin. Efficient Generation of Shared RSA Keys. In CRYPTO, pages 425--439, 1997.
....are not very efficient. For example, in the [22] protocol, both the number of rounds and communication complexity are polynomial in the size of the circuit computing the functionality. Thus some research has focused on finding efficient protocols for specific problems of secure computation. See [7, 10, 13, 28] for just a few examples. This direction is not the focus of our work. Other research has considered the efficiency of generic solutions themselves and as such also addresses fundamental questions regarding efficiency considerations (e.g. the possibility of obtaining protocols with only a ....
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In Crypto97, Springer-Verlag LNCS Vol. 1233, pages 425--439, 1997.
....holds. Clearly with this scheme, to split the TA s key amongst a set of TAs we need to produce an RSA modulus N and a public exponent e such that no individual TA knows the factors of N and each TA has a share d i of the private exponent d. Protocols exist for this problem, see for example [1] [2] and [5] but they are usually relatively inefficient. For the identity based signature schemes described in this paper the situation is different as there is a natural, simple and elegant way to split the TAs master key into a set of shares. This is because our security is based on discrete ....
D. Boneh and M. Franklin. Efficient Generation of Shared RSA Keys. In Advances in Cryptology - CRYPTO '97, Springer-Verlag LNCS 1294, 425--439, 1997.
.... proactively secure protocols have been devised for the following problems: S Secret sharing [21,16] S Discrete log based digital signatures [15] and in particular DSA [13] S Secure end to end communication [5] S RSA [10,11,24] and in particular generation of the RSA shared key [3] S Pseudo random generation [6,8] S Key distribution center [20] This substantial set of known results in proactive security did not yet produce any practical security product or solution. In fact, there are only a few deployments of distributed security the most well known may be the SET ....
....is mandatory for the implementation of the proactive end to end communication. Our toolkit implements a DSS distributed key using the algorithms of [15,13] but it is also possible to use a distributed RSA key, based on the signature algorithm of [24,11] with the key generation algorithm of [3]. 5 The implementation of these functionalities are based on a number of algorithmic which, for completeness, are briefly outlined in the Appendix. 3. The Proactive Toolkit Architecture Recall that the proactive operating environment serves as a platform on which standard applications can be ....
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In Proc. Crypto `97, pp. 425-539.
....been proposed, which we now briefly discuss. No trusted dealer One can wonder who computes the share of a participant. In the first schemes a single trusted dealer was often used. It is clear that such an approach can best be avoided, however this is not always that easy. We refer the reader to [57, 42, 8, 16] and to Section 5.4 for some details. Proactive security and its generalizations One can wonder what should happen when a share is stolen or lost. Worse, what happens when an outsider collects more shares than the threshold As already observed in [26] it is a bad idea to change the public key ....
....i.e. that the shares the shareholders received will always recompute the same secret key. Pedersen s scheme also guarantees that this secret key corresponds to the public key that is made public. Note that the problem of avoiding a trusted dealer is much more complex in the context of RSA [8]. 5.5 Proactive We briefly explain how the use of homomorphic secret sharing is useful towards achieving proactive threshold cryptography. We assume that the secret sharing scheme is homomorphic. If (s 1 ; s 2 ; s l ) is a share assignment for the key k and (s 0 1 ; s 0 2 ; ....
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In B. S. Kaliski, editor, Advances in Cryptology --- Crypto '97, Proceedings (Lecture Notes in Computer Science 1294), pp. 425--439. Springer-Verlag, 1997. Santa Barbara, California, U.S.A., August 17--21.
....channels. After these fundamental results were published in the late eighties, multi party computation has seen a revival in the late nineties. Some results are mentioned briefly. Efficient protocols for concrete problems were developed, for instance for voting [24, 43] shared RSA key generation [12], and threshold public key cryptosystems and signature schemes (e.g. see [83] and the 12 references therein) Threshold adversaries were generalized to general adversary structures [41] and the efficiency of protocols that work for any function were improved from n 6 to n 3 per ....
D. Boneh and M. Franklin, Efficient generation of shared RSA keys, Advances in Cryptology - CRYPTO '97, Lecture Notes in Computer Science, vol. 1294, pp. 425--439, Springer-Verlag, 1997.
....easily generated in an efficient way with many players. Of course, it is still possible to call theoretical results on multiparty computation, but we cannot hope to design efficient protocols. The only practical result to generate RSA moduli in a distributive manner is Boneh and Franklin protocol [2] but this protocol cannot be easily modified to generate the kind of RSA moduli that Shoup s protocol requires. The present work takes a different path by proposing a method to enhance the key generation with some additional properties and revisits the proof of Shoup to work with the resulting RSA ....
....but in this scheme, the proof of correctness requires an RSA modulus built with safe primes. This raises the question of generating RSA moduli for use in Shoup s threshold scheme without a trusted dealer. There exist protocols that generate RSA keys in a distributive manner. Boneh and Franklin in [2] designed such protocol for the generation of an RSA modulus in the honest but curious model. Later, Frankel, MacKenzie and Yung in [7] made this algorithm robust against malicious servers. In [13] Poupard and Stern also provided a protocol to compute a shared modulus for two players only. ....
D. Boneh and M. Franklin. Efficient Generation of Shared RSA keys. In Crypto '97, LNCS 1233, pages 425--439. Springer-Verlag, 1997.
....above can be used in the second model of FSS signatures, that is without a trusted party [24] In our second model, there is no trusted party needed for setting up the system. The initialization step mentioned in section 3 is performed by the sender S and the receiver using the method described in [6]. In the initialization step, there are three parties involved, the sender S, the receiver R, and a helper. The steps are as follows [6] 1. Firstly, they perform a distributed computation of n (where n = pq, but no one knows the value of p and q) The result of this step is the value of n. 2. ....
....needed for setting up the system. The initialization step mentioned in section 3 is performed by the sender S and the receiver using the method described in [6] In the initialization step, there are three parties involved, the sender S, the receiver R, and a helper. The steps are as follows [6]. 1. Firstly, they perform a distributed computation of n (where n = pq, but no one knows the value of p and q) The result of this step is the value of n. 2. Then, they perform a distributed primality test of n. If the test fails, repeat step 1. 3. Next, S and R agree on a public value e D 1 ....
D. Boneh and M. Franklin. Efficient generation of shared rsa keys. CRYPTO '97, Lecture Notes in Computer Science 1294, pages 425--439, 1997.
.... for a specific problem is that of oblivious transfer [20, 8] which proved to be a very useful primitive for many applications as for circuit evaluation [14] A more recent example of the efficient secure computation of a much more complex function is the distributed generation of RSA keys [3, 11]. Another example is Private Information Retrieval (PIR) protocols [6] which enable one party to query a database held by another party, while keeping the queries private. The emphasis of PIR protocols is on the communication overhead, which must be smaller than the size of the database. The ....
D. Boneh and M. Franklin, Efficient generation of shared RSA keys, Proc. of Crypto' 97, LNCS, Vol. 1233, Springer-Verlag, pp. 425--439, 1997.
.... be found in Cerecedo et al. [3] Gennaro et al. [12] and Park and Kurosawa [18] However, efficient shared generation of RSA keys appears a considerably harder problem, and the need for proposals has been noted by Bellare and Goldwasser [1] and Gennaro et al. [13] Recently Boneh and Franklin [2] and Cocks [6] have independently suggested protocols to address this deficiency. Both these papers concentrate on the case in which parties only cheat passively , and do not actively deviate from the protocol. Cocks protocols enable two parties to generate a shared key as we require. Cocks [7] ....
....j=1 y i;j;a = p a q a p a q b p b q a p b q b = N mod M a : Since 0 N M a , Alice has determined N uniquely. 6. Alice sends N to Bob. Once N has been calculated, Alice and Bob determine whether N is the product of two primes by using, for example, the test due to Boneh and Franklin [2]. The above process is repeated until they generate a candidate N which is the product of two primes. Finally, Alice and Bob agree on a small value for e and respectively compute shares d a and d b of the corresponding d by exchanging the values of p a q a and p b q b modulo e as described by ....
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In B.S. Kaliski Jr., editor, Advances in Cryptology -- CRYPTO `97, volume 1294 of Lecture Notes in Computer Science, pages 425--439. Springer-Verlag. 1997.
....signature schemes can be used for auditing as follows. A user A, whose public key is K_A , has one share of the corresponding private key K_A^{-1} . The auditor holds the other share. These shares can be generated by a trusted third party or can be generated by A and the auditor themselves [6, 2, 5]. Note that neither A nor the auditor learns the entire private key, but both learn the corresponding public key K_A . Assuming neither of the shares of the private key nor the entire private key are compromised 1 , A cannot produce signed documents without the involvement of the auditor. ....
D. Boneh and M. Franklin, "Efficient generation of shared RSA keys," In Advances in Cryptology--- CRYPTO '97, Lecture Notes in Computer Science 1294, 424--439, Springer-Verlag, 1997.
....protocols [19, 3, 8] the resulting solutions would hardly be practical. Boneh Franklin. The first to address the issue of an efficient solution for this problem were Boneh and Franklin, who in a breakthrough result show how n 3 parties can jointly generate an RSA key without a trusted dealer [5]. In particular, as part of their solution they show how the parties jointly compute d = e^{-1} mod φ(N) where N, e are the RSA modulus and public exponent, respectively, and φ(N) is shared among the parties. Our solution improves on some of the features of the Boneh Franklin protocol. In ....
....the parties. Our solution improves on some of the features of the Boneh Franklin protocol. In particular: 1. We only use a single invocation of the BGW [3] multiplication protocol, while their protocol needs two of them. Hence the round complexity of our protocol is half that of the protocol in [5]. 2. The Boneh Franklin protocol is based on an n out of n solution where a single crash could prevent the protocol from completing. 1 To obtain a t out of n solution, they suggest using the share backup approach of Rabin [21] but this approach has some known problems. For one thing, it ....
D. Boneh and M. Franklin. Efficient Generation of Shared RSA Keys. In Advances in Cryptology - Crypto '97, LNCS vol. 1294, Springer, 1997, pages 425-439. Extended version available from http://crypto.stanford.edu/~dabo/pubs.html
....circuit is quadratic in the size of its inputs) We stress that secure computation of small circuits with small inputs can be practical using the [21] protocol. 1 There is a major difference between the protocol described in this paper and other examples of multi party protocols (e.g. [3, 11, 6]) While previous protocols were efficient (polynomial) in the size of their inputs, this property does not suffice for data mining applications, as the input consists of huge databases. In the protocol presented here, most of the computation is done individually by each of the parties. They then ....
D. Boneh and M. Franklin, Efficient generation of shared RSA keys, Proc. of Crypto' 97, LNCS, Vol. 1233, Springer-Verlag, pp. 425--439, 1997.
....of such a group is a subgroup of Z n , where n is a large RSA modulus whose factors are unknown. Either this modulus is chosen by a trusted third party or by representatives of the group members and the membership manager (s) In the latter case, the parties can employ the protocols presented in [6, 24,42] to choose such a modulus jointly without the participants learning its factors. In the following we stick to the latter. These choices have the following consequences for the affected procedures of our group signature scheme. GKG S (commitment part) The representatives of the group members and ....
....the affected procedures of our group signature scheme. GKG S (commitment part) The representatives of the group members and the membership manager jointly choose an RSA modulus n S 2 S , such that the factors of n S are unknown, and a random element h S 2 Z nS (e.g. using techniques from [6, 24, 42]) Furthermore, they all choose a random exponent r i 2 f0; 1g S and commit to h i = h r i S (mod nS ) using some secure commitment scheme. If all commitments are published, they open the commitments, prove their knowledge of log hS h i , and compute gS = Q i h i . The parameters n S , GS ....
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In Advances in Cryptology --- CRYPTO '97, vol. 1296 of LNCS, pp. 425--439.
....by a dealer and subsequently distributed to the parties. The weakness of this model is that there is a single point of failure the dealer himself. Any adversary who compromises the dealer can learn all the necessary information and in particular forge signatures. Boneh and Franklin show in [4] how to generate the keys without a dealer s help. Therefore, an adversary has to subvert a large enough coalition of the participants in order to forge signatures. Several specific phases of the Boneh-Franklin protocol utilize reduced and optimized versions of information theoretically private ....
....are similar to the ideas of [20] but the emphasis is different. Poupard and Stern focus on maintaining robustness of the protocol, while we emphasize efficiency. In [13] Frankel, Mackenzie and Yung investigate a model of malicious adversaries as opposed to the passive adversaries considered in [4, 8, 9] and in our work. They show how to jointly generate the keys in the presence of any minority of misbehaving parties. The current work focuses on joint generation of RSA keys by two parties. We use the Boneh Franklin protocol and replace each three party sub protocol with a two party sub protocol. ....
D. Boneh and M. Franklin. Efficient generation of shared rsa keys. In Proc. of Crypto 97, pages 425--439. Springer-Verlag, 1997. The full version appears on the web at theory.stanford.edu/ dabo/pubs.html.
....corrupted) Proactive public key systems were presented in [33, 24, 7, 23, 43] Furthermore, to initiate the above systems without a trusted key generator or dealer (whose presence provides a single source of failure) requires a distributed key generation procedure. Such protocols were given in [40, 5, 27]. The techniques in this paper for the DL based systems can be used to construct a proactive DL based system and also extend to key generation. We present protocols for these, but omit the proofs due to space considerations. Corollary 1. There exists an adaptively secure proactive DL based ....
D. Boneh and M. Franklin. Efficient generation of shared RSA keys (extended abstract). In CRYPTO'97 [14], pages 425--439.
....of this trapdoor of the accumulator translates directly into the ability to forge coins. Thus the factors P and Q should be chosen in an isolated process and be destroyed after system setup as in [10] Alternatively and more securely, a distributed generation of the RSA modulus is possible (see [4, 13]) Unlike in blind signature based payment systems where the sensitive secret signature key of the bank is needed in each withdrawal session, no secret information is needed during the operation of the payment system described in this paper. Thus if the trapdoor information is 3 reliably ....
Dan Boneh and Matthew Franklin. Efficient generation of shared RSA keys. In Burt Kaliski, editor, Advances in Cryptology: CRYPTO '97, volume 1233 of Lecture Notes in Computer Science, pages 425--439. Springer, 1997.
....completion even in the presence of a minority of arbitrarily misbehaving malicious parties. Our protocol is shown to be secure against any minority of malicious parties (which is optimal) The above problem was mentioned in various works in the last decade and most recently by Boneh and Franklin [BF97]. The solution is a crucial step in establishing sensitive distributed cryptographic function sharing services (certification authorities, signature schemes with distributed trust, and key escrow authorities) as well as other applications besides RSA (namely: composite ElGamal, identification ....
....motivation [Y86] in introducing general compiler protocols that compute circuits securely in communication was the issue of distributed generation of RSA keys. Indeed the results of [Y86, GMW] show the plausibility of this task. A major step forward was recently achieved by Boneh and Franklin [BF97] who showed how a set of participants can actually generate an RSA function efficiently, thus detouring the inefficient compiler. They developed many important new protocol techniques, and showed that their protocol was secure in the limited model of trusted but curious parties. They left open ....
D. Boneh and M. Franklin, Efficient Generation of Shared RSA Keys, Crypto 97, pp. 425--439.
....integer because L divides s i . Hence, d Gamma P = X i2 s i Delta z i; X i2 s i Delta z i; X i2 ( X v2nfig sign(i Gamma v) Delta PRF oe i;v (m) 4 Throughout our discussions we assume a trusted dealer in order to simplify our discussion. However, we should note that using [BF97,FMY] one can employ a distributed dealer procedure among the shareholders to initiate the current protocol, hence not relying on any single entity (dealer) X i2 0 s i Delta z i; X v2nfig sign(i Gamma v) Delta PRF oe i;v (m) 1 A = X i2 s 0 i;m; since (sign(i Gamma v) ....
D. Boneh and M. Franklin, Efficient Generation of Shared RSA Keys, Crypto 97 proceedings.
....like the computation of the logical AND of two bits, at the cost of polynomial but unpractical solutions. Consequently, even if the problem of multi party computation is theoretically solved, the design of more specific but also more efficient protocols appears necessary. Boneh and Franklin [5] followed this application oriented approach to solve the problem of generating shared RSA keys. More precisely, some parties want to jointly generate an RSA modulus N = pq where p and q are prime in such a way that, at the end of the computation, the parties are convinced that N is indeed a ....
D. Boneh and M. Franklin. Efficient Generation of Shared RSA Keys. In Crypto '97, LNCS 1294, pages 425--439. Springer-Verlag, 1997.
....Cryptography and Coding, Cocks [3] described a protocol for two parties to generate an RSA modulus N = PQ where neither party has knowledge of the factorisation, but which enables the parties to collaborate to decipher a encrypted message. An alternative method is described by Boneh and Franklin [2]. His protocol allows two parties A and B to form an RSA modulus N = PQ in such a way that neither party has knowledge of the factorisation, but the two parties can combine later to decipher a encrypted message. In the proposal of Boneh and Franklin, A and B need the services of a trusted ....
Dan Boneh and Matthew Franklin, Efficient generation of shared RSA keys, Advances in Cryptology -- CRYPTO '97 (Burton S. Kaliski Jr., ed.), Lecture Notes in Computer Science, vol. 1294, Springer-Verlag, 1997, pp. 425--439.
....particular, many distributed protocols require the participants to have secret shares of an RSA modulus in order to perform distributed cryptographic computations. Until recently, a trusted party was required to generate and distributed these secret shares. Recently, however, Boneh and Franklin [2] showed the participants could generate the shares themselves. Boneh and Franklin s protocol allows a group of parties to determine an RSA modulus N = pq, a public encryption exponent e, and a private decryption exponent d, such that p and q are large primes, all parties know N and e, and each ....
....also what makes this task more difficult than might appear at first glance. Figure 1 gives an overview of the protocol Alice, Bob, and Henry use to generate an m bit modulus N . Depending on the way N is to be used, Alice and Bob may then continue with the key generation part of the protocol (see [2]) which we do not describe in this paper. The subprotocols for distributed trial division, distributed computation of N , and distributed primality testing are described subsequently. Note that in step 3b of the shared RSA modulus generation protocol described in Figure 1, Alice and Bob both know ....
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In Advances in Cryptology -- CRYPTO '97, volume 1294 of Lecture Notes in Computer Science, pages 424--439. Springer-Verlag, 1997.
....of this malicious (t1) restricted mobile adversary (static vs. mobile, and passive vs. malicious) Distributed RSA: An optimal robustness proactive RSA system (informally) has the following protocols: 1) an initialization protocol where shares are distributed (e.g. centrally or distributively [BF97]) 2) RSA function (signature) application protocol, where the servers act on a common authorized input and then the combining function generates the final RSA result efficiently; 3) an update phase operation which contains a share renewal protocol and a share loss detection and recovery ....
D. Boneh and M. Franklin, Efficient Generation of Shared RSA Keys, Crypto 97 proceedings.
....However, it still has a single point of attack, which is the party that generates the private key. So, if a hacker compromised the security of this party, he will have the private key. The Problem: This research paper describes a distributed protocol to generate shared RSA keys: N, e, and d [2]. At the end of the protocol, all parties involved in the computation know N which is a product of two large primes (N = pq). However, none of them knows the factorization of N. In addition, the public encryption exponent, e, is publicly known and each server has a share of the private exponent, ....
....with probability at least (over the random choice of g and h. Lemma 3: Suppose p and q are primes. Then any coalition of k 1 parties can simulate their view of the primality testing protocol. Consequently, the protocol is k 1 private. For the proofs of the above lemmas, the reader is referred to [2]. 5. Generation of Public Private Keys Once the parties successfully construct N and tested it to be a product of two primes, they wish to compute shares of ( N e d j mod 1 for a given exponent e. By the end of the computation, each party should have d i such that = i d d . ....
D. Boneh and M. Franklin, "Efficient Generation of Shared RSA Keys," Crypto'97, pp. 425-439.
....and d. Finally, the dealer splits d into four pieces and sends one piece to each of the sites. Unfortunately, a trusted dealer introduces a single point of attack: the dealer, or anyone who compromises the dealer, has the private key and can issue false certificates. Recently, Boneh and Franklin [4] showed how three (or more) servers can generate a shared RSA key without a trusted dealer. They describe an efficient distributed algorithm that enables a number of sites to jointly generate a shared key so that none of them know the private key d or the factorization of N. Once the key is ....
....6. 2 Overview Before describing our implementation and the practical optimizations we briefly describe the algorithm for generating shared RSA keys. The algorithm is somewhat complex and here we only give a high level description. For a detailed explanation along with proofs of security see [4]. The goal is to enable k servers to generate a modulus N = pq and exponents e and d. At the end of the computation all servers should be convinced that N is the product of two primes, however none of them should know the factorization. Furthermore, e should be public while d should be shared ....
D. Boneh, M. Franklin, "Efficient generation of shared RSA keys", in Proceedings Crypto' 97, pp. 425--439.
D. Boneh and M. Franklin. Efficient Generation of Shared RSA Keys. J. ACM, 48(4):702--722, 2001.
Boneh, D., Franklin, M.: Efficient generation of shared RSA keys. In Crypto'97 (1997) 425--439.
Boneh D, Franklin MK. Efficient generation of shared RSA keys. In CRYPTO, 1997; pp. 425 -- 439.
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In Journal of the ACM (JACM), Vol. 48, pp. 702--722, July 2001.
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In CRYPTO, 1997.
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. Crypto '97, Lecture Notes in Computer Science, Springer Verlag, 1233:425--439, 1997.
D. Boneh, M. Franklin. "Efficient generation of shared RSA keys." Crypto'97, pp. 425-439, LNCS 1294.
D. Boneh and M. Franklin, Efficient generation of shared RSA keys, Proc. Advances in Cryptology: CRYPTO'97, Santa Barbara, USA, 1997, 425--439.
D. BONEH, M. FRANKLIN. Efficient generation of shared RSA keys. In Proceedings Crypto'97, pp. 425-439.
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In Crypto '97, pages 425--439, 1997. Springer-Verlag. LNCS No. 1294.
D. Boneh and M. Franklin. Efficient Generation of Shared RSA Keys. In Advances in Cryptology - CRYPTO '97, Springer-Verlag LNCS 1294, 425--439, 1997.
Dan Boneh and Matthew Franklin, "Efficient Generation of Shared RSA Keys," Advances in Cryptology - CRYPTO'97, Springer-Verlag, 1997, pp. 425-439.
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. In B. K. Jr., editor, Advances in Cryptology -- CRYPTO '97, volume 1294 of Lecture Notes in Computer Science, pages 425--439. Springer-Verlag, Berlin Germany, Aug. 1997.
D. Boneh, M. Franklin, `Efficient generation of shared RSA keys', in B.S. Kaliski, Jr., editor, Advances in Cryptology -- CRYPTO '97, Lecture Notes in Computer Science Vol. 1294, Springer-Verlag, 1997, pp. 425--439.
D. Boneh and M. Franklin. Efficient generation of shared RSA keys. Advances in Cryptology -- CRYPTO '97 Proceedings, pp. 425-439. Lecture notes in Computer Science #1294, Springer Verlag, Berlin, 1997.