On the Security of Distributed Multiprime RSA

  • Conference paper
Information Security and Cryptology - ICISC 2014 (ICISC 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8949)

Abstract

Threshold RSA encryption and signing is a very useful tool to increase the security of the secret keys used. Key generation is, however, either done in a non-threshold way, or computationally inefficient protocols are used. This is not a big problem in a setup where one organization has a few high-profile keys to secure; however, it does not scale well to systems with a lot of secret keys, like eID schemes where there exists one key pair per user, especially not if we want the users’ personal devices, like smart phones, to participate in the threshold setup. In this paper we present novel approaches to distributed RSA key generation which are efficient enough to let smart phones participate. This is done by generating keys consisting of more than two primes instead of generating standard RSA keys.

We present a 2-party protocol based on the ideas of [BH98] which produces a 3-prime modulus. We demonstrate that the protocol is efficient enough to be used in practical scenarios even from a mobile device, which has not been demonstrated before. Then we show the first 2-party distributed multiprime RSA key generation protocol that is as efficient as standard centralized key generation, even if security against malicious adversaries is desired. Further, we show that RSA keys based on moduli with more than two prime factors, where part of the factorization is leaked to the adversary, are useful in practice by showing that commonly used schemes such as PSS-RSA and OAEP-RSA are secure even if the adversary knows a partial factorization of the multiprime moduli. To all other parties the generated keys cannot be distinguished from standard RSA keys, which is very important as this makes these protocols compatible with existing infrastructure and standards.
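The compatibility claim above can be seen in a small added example, which is not code from the paper and does not implement its key generation protocol: a 3-prime modulus with an additively shared private exponent produces signatures that verify with the ordinary RSA public operation. The toy Mersenne primes, the dealer-style `split_exponent`, the hash-then-reduce encoding (a stand-in for PSS) and all function names are assumptions made for this illustration.

```python
import hashlib
import math
import secrets

# Constructed toy parameters: three Mersenne primes stand in for the prime
# factors of a 3-prime modulus. Far too small and too structured for real use.
PRIMES = (2**31 - 1, 2**61 - 1, 2**89 - 1)
E = 65537

def keygen(primes=PRIMES, e=E):
    """Centralised stand-in for key generation; returns (N, e, d, lambda(N))."""
    n = math.prod(primes)
    lam = math.lcm(*(p - 1 for p in primes))
    if math.gcd(e, lam) != 1:
        raise ValueError("e is not invertible modulo lambda(N)")
    return n, e, pow(e, -1, lam), lam

def split_exponent(d, lam):
    """Additive 2-party sharing (assumed here): d1 + d2 = d mod lambda(N)."""
    d1 = secrets.randbelow(lam)
    return d1, (d - d1) % lam

def digest(msg, n):
    """Hash-then-reduce encoding, a simplification standing in for PSS."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def partial_sign(msg, share, n):
    """Each party exponentiates with its own share only."""
    return pow(digest(msg, n), share, n)

def combine(s1, s2, n):
    """Multiplying the partial results adds the shares in the exponent."""
    return (s1 * s2) % n

def verify(msg, sig, n, e):
    """Standard RSA verification: needs only (N, e), not the prime count."""
    return pow(sig, e, n) == digest(msg, n)

def demo():
    n, e, d, lam = keygen()
    d1, d2 = split_exponent(d, lam)
    msg = b"constructed sample message"
    sig = combine(partial_sign(msg, d1, n), partial_sign(msg, d2, n), n)
    # The combined signature equals the one a single key holder would produce.
    return verify(msg, sig, n, e), sig == pow(digest(msg, n), d, n)

if __name__ == "__main__":
    print(demo())
```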

Gert Læssøe Mikkelsen—Supported by the Danish Council of technology and Innovation.

Notes

  1. Security against adaptively chosen ciphertext attacks.

References

  1. Algesheimer, J., Camenisch, J.L., Shoup, V.: Efficient computation modulo a shared secret with application to the generation of shared safe-prime products. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 417–432. Springer, Heidelberg (2002)

  2. Boneh, D., Franklin, M.K.: Efficient generation of shared RSA keys. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 425–439. Springer, Heidelberg (1997)

  3. Boneh, D., Franklin, M.K.: Efficient generation of shared RSA keys. J. ACM 48(4), 702–722 (2001)

  4. Boneh, D., Horwitz, J.: Generating a product of three primes with an unknown factorization. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 237–251. Springer, Heidelberg (1998)

  5. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 1. Springer, Heidelberg (1998)

  6. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)

  7. Bellare, M., Rogaway, P.: The exact security of digital signatures - how to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)

  8. Damgård, I.B., Koprowski, M.: Practical threshold RSA signatures without a trusted dealer. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 152. Springer, Heidelberg (2001)

  9. Damgård, I., Mikkelsen, G.L.: On the theory and practice of personal digital signatures. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 277–296. Springer, Heidelberg (2009)

  10. Damgård, I., Mikkelsen, G.L.: Efficient, robust and constant-round distributed RSA key generation. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 183–200. Springer, Heidelberg (2010)

  11. Damgård, I., Mikkelsen, G.L., Skeltved, T.: On the security of distributed multiprime RSA. IACR ePrint Archive (2014)

  12. Frankel, Y., MacKenzie, P.D., Yung, M.: Robust efficient distributed RSA-key generation. In: Vitter, J.S. (ed.) STOC, pp. 663–672. ACM (1998)

  13. Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. J. Cryptol. 17(2), 81–104 (2004)

  14. Gilboa, N.: Two party RSA key generation. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 116. Springer, Heidelberg (1999)

  15. Girault, M.: Self-certified public keys. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 490–497. Springer, Heidelberg (1991)

  16. Gennaro, R., Rabin, T., Jarecki, S., Krawczyk, H.: Robust and efficient sharing of RSA functions. J. Cryptol. 20(3), 393 (2007)

  17. Hazay, C., Mikkelsen, G.L., Rabin, T., Toft, T.: Efficient RSA key generation and threshold Paillier in the two-party setting. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 313–331. Springer, Heidelberg (2012)

  18. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 223. Springer, Heidelberg (1999)

  19. RSA Laboratories. PKCS #1 v2.1: RSA cryptography standard. Technical report (2002)

  20. Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)

  21. Shoup, V.: OAEP reconsidered. J. Cryptol. 15(4), 223–249 (2002)

Corresponding author

Correspondence to Gert Læssøe Mikkelsen.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Damgård, I., Mikkelsen, G.L., Skeltved, T. (2015). On the Security of Distributed Multiprime RSA. In: Lee, J., Kim, J. (eds) Information Security and Cryptology - ICISC 2014. ICISC 2014. Lecture Notes in Computer Science, vol 8949. Springer, Cham. https://doi.org/10.1007/978-3-319-15943-0_2

  • DOI: https://doi.org/10.1007/978-3-319-15943-0_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-15942-3

  • Online ISBN: 978-3-319-15943-0

  • eBook Packages: Computer Science (R0)
