Multiparty Generation of an RSA Modulus

Megan Chen; Jack Doerner; Yashvanth Kondi; Eysa Lee; Schuyler Rosefield; Abhi Shelat; Ran Cohen

doi:10.1007/s00145-021-09395-y

Multiparty Generation of an RSA Modulus

Megan Chen, Jack Doerner, Yashvanth Kondi, Eysa Lee, Schuyler Rosefield, Abhi Shelat, Ran Cohen

Research output: Contribution to journal › Article › peer-review

3 Scopus citations

Abstract

We present a new multiparty protocol for the distributed generation of biprime RSA moduli, with security against any subset of maliciously colluding parties assuming oblivious transfer and the hardness of factoring. Our protocol is highly modular, and its uppermost layer can be viewed as a template that generalizes the structure of prior works and leads to a simpler security proof. We introduce a combined sampling-and-sieving technique that eliminates both the inherent leakage in the approach of Frederiksen et al. (Crypto’18) and the dependence upon additively homomorphic encryption in the approach of Hazay et al. (JCrypt’19). We combine this technique with an efficient, privacy-free check to detect malicious behavior retroactively when a sampled candidate is not a biprime and thereby overcome covert rejection-sampling attacks and achieve both asymptotic and concrete efficiency improvements over the previous state of the art.

Original language	English
Article number	12
Journal	Journal of Cryptology
Volume	35
Issue number	2
DOIs	https://doi.org/10.1007/s00145-021-09395-y
State	Published - Apr 2022
Externally published	Yes

Bibliographical note

Publisher Copyright:
© 2022, International Association for Cryptologic Research.

Keywords

Biprime sampling
Concrete efficiency
Multiparty computation
RSA
Threshold cryptography

Access to Document

10.1007/s00145-021-09395-y

Cite this

@article{bbc049600676488cae8df0c1770b9056,

title = "Multiparty Generation of an RSA Modulus",

abstract = "We present a new multiparty protocol for the distributed generation of biprime RSA moduli, with security against any subset of maliciously colluding parties assuming oblivious transfer and the hardness of factoring. Our protocol is highly modular, and its uppermost layer can be viewed as a template that generalizes the structure of prior works and leads to a simpler security proof. We introduce a combined sampling-and-sieving technique that eliminates both the inherent leakage in the approach of Frederiksen et al. (Crypto{\textquoteright}18) and the dependence upon additively homomorphic encryption in the approach of Hazay et al. (JCrypt{\textquoteright}19). We combine this technique with an efficient, privacy-free check to detect malicious behavior retroactively when a sampled candidate is not a biprime and thereby overcome covert rejection-sampling attacks and achieve both asymptotic and concrete efficiency improvements over the previous state of the art.",

keywords = "Biprime sampling, Concrete efficiency, Multiparty computation, RSA, Threshold cryptography",

author = "Megan Chen and Jack Doerner and Yashvanth Kondi and Eysa Lee and Schuyler Rosefield and Abhi Shelat and Ran Cohen",

note = "Publisher Copyright: {\textcopyright} 2022, International Association for Cryptologic Research.",

year = "2022",

month = apr,

doi = "10.1007/s00145-021-09395-y",

language = "אנגלית",

volume = "35",

journal = "Journal of Cryptology",

issn = "0933-2790",

publisher = "Springer New York",

number = "2",

}

TY - JOUR

T1 - Multiparty Generation of an RSA Modulus

AU - Chen, Megan

AU - Doerner, Jack

AU - Kondi, Yashvanth

AU - Lee, Eysa

AU - Rosefield, Schuyler

AU - Shelat, Abhi

AU - Cohen, Ran

PY - 2022/4

Y1 - 2022/4

N2 - We present a new multiparty protocol for the distributed generation of biprime RSA moduli, with security against any subset of maliciously colluding parties assuming oblivious transfer and the hardness of factoring. Our protocol is highly modular, and its uppermost layer can be viewed as a template that generalizes the structure of prior works and leads to a simpler security proof. We introduce a combined sampling-and-sieving technique that eliminates both the inherent leakage in the approach of Frederiksen et al. (Crypto’18) and the dependence upon additively homomorphic encryption in the approach of Hazay et al. (JCrypt’19). We combine this technique with an efficient, privacy-free check to detect malicious behavior retroactively when a sampled candidate is not a biprime and thereby overcome covert rejection-sampling attacks and achieve both asymptotic and concrete efficiency improvements over the previous state of the art.

AB - We present a new multiparty protocol for the distributed generation of biprime RSA moduli, with security against any subset of maliciously colluding parties assuming oblivious transfer and the hardness of factoring. Our protocol is highly modular, and its uppermost layer can be viewed as a template that generalizes the structure of prior works and leads to a simpler security proof. We introduce a combined sampling-and-sieving technique that eliminates both the inherent leakage in the approach of Frederiksen et al. (Crypto’18) and the dependence upon additively homomorphic encryption in the approach of Hazay et al. (JCrypt’19). We combine this technique with an efficient, privacy-free check to detect malicious behavior retroactively when a sampled candidate is not a biprime and thereby overcome covert rejection-sampling attacks and achieve both asymptotic and concrete efficiency improvements over the previous state of the art.

KW - Biprime sampling

KW - Concrete efficiency

KW - Multiparty computation

KW - RSA

KW - Threshold cryptography

UR - http://www.scopus.com/inward/record.url?scp=85126347142&partnerID=8YFLogxK

U2 - 10.1007/s00145-021-09395-y

DO - 10.1007/s00145-021-09395-y

M3 - ???researchoutput.researchoutputtypes.contributiontojournal.article???

AN - SCOPUS:85126347142

SN - 0933-2790

VL - 35

JO - Journal of Cryptology

JF - Journal of Cryptology

IS - 2

M1 - 12

ER -

Multiparty Generation of an RSA Modulus

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this