Fast Fully-Distributed and Threshold RSA Function Sharing

Maged H. Ibrahim, I. I. Ibrahim, A. H. El-Sawy

Telecommunications Department, Faculty of Engineering, Helwan University, Helwan, Cairo, Egypt
E-mail: [email protected], [email protected], [email protected]

Abstract

Distributed primality tests for the purpose of testing the factors of a jointly generated RSA modulus have always been considered a nightmare due to the large amount of time required for these tests to succeed. An enormous number of trials must be performed before a suitable RSA modulus is established. In this paper, in the honest-but-curious scenario, we propose an efficient extension to the three-party protocol of [31] to allow n parties to share the generation of an RSA modulus N and to share the secret key d. The protocol enjoys the following properties:

• The protocol is very fast compared to previous protocols since there is no need for any distributed primality tests after the RSA modulus is generated. A suitable RSA modulus is generated from the first trial.
• The protocol can generate an RSA modulus which is a composite of safe primes.
• The protocol is t-private where t is a small threshold. This small threshold is suitable since the protocol is extremely fast, giving no chance for an eavesdropping adversary to exceed a small threshold.
• The protocol is able to tolerate crashes of at most $n - (2t + 1)$ players.

1 Introduction

In threshold cryptography [1, 6, 23], when collective signature protocols are considered, the problem with the RSA signature scheme is that the RSA public modulus N is a composite of two or more large primes, and these primes must be kept secret from the players. The players need to agree on a modulus N and be convinced that N is a product of large primes with no information revealed to them about the full factorization of N. The nature of the modulus N of the RSA function makes sharing RSA keys without the help of a dealer more difficult than for other signature schemes, such as DSS [2, 3, 4], which only require large public primes.

2 Related Work

In the shared RSA key generation protocols proposed so far [7, 8, 9, 10, 11, 12, 21], due to the way the modulus is generated (as a product of two $\ell$-bit random numbers chosen simultaneously), the probability that such a generated modulus is a product of exactly two primes is $(\ln 2 \cdot \ell)^{-2}$ according to the prime number theorem, requiring a number of trials in the order of $O(\ell^2)$. The method of Boneh and Horwitz [24] is a $\lfloor \frac{k-1}{2} \rfloor$-private test to check if a candidate modulus is a product of three primes. Yet picking three $\ell$-bit numbers simultaneously would result in an $O(\ell^3)$ running time. Confining itself to the three-party setting, a variant of the algorithm achieves an $O(\ell)$ running time. In the recent two-party protocol of Straub [25], the two parties Alice and Bob construct a $3\ell$-bit modulus of the form $(p_a + p_b) q_a q_b$ where $p_a, p_b$ are arbitrary $(\ell - 1)$-bit random numbers and $q_a, q_b$ are $\ell$-bit primes. Alice holds $p_a, q_a$ while Bob holds $p_b, q_b$. A suitable modulus is found after an expected time of $O(\ell)$ using distributed sieving. In the protocol of [31], $p_a$ and $p_b$ are distributed via a third party in order to ensure that $p_a + p_b$ is a prime. This completely eliminates the need for distributed primality tests after the modulus is computed, and hence it is a fast one-trial protocol.

3 Motivations and Contributions

The protocol in [31] represents an efficient and extremely fast RSA key generation protocol which allows three parties to generate a suitable RSA modulus in less than a minute and to generate shares of the RSA secret key using the GCD algorithm of [22]. However, the protocol is limited to the three-party case, where direct extension is inefficient. The work in this paper is an attempt to efficiently extend the fast three-party RSA key generation protocol of [31] to $n > 3$ players in the honest-but-curious scenario.

4 The Model

In the communication model, the n players are fully connected such that any player can communicate with any other player through a private and authenticated channel. The players also have access to a broadcast channel. In the adversary model, we assume a passive adversary, which means that this adversary can see and learn all information sent to or from the corrupted player without compromising the correct behavior of this player. The players follow the execution steps of the protocol word for word. This commonly used security model is well known as the honest-but-curious scenario. The adversary is also a static one, which means that the players chosen by the adversary are decided upon once prior to the execution of the protocol and do not change during the execution of the protocol. The protocol is t-private: an adversary that successfully eavesdrops on no more than t players cannot factor N. Due to the high speed of our protocol, there is not enough time for an adversary to exceed a small threshold t.

5 Preliminaries

5.1 RSA Cryptosystem

A valid RSA modulus N is a product of distinct odd primes or safe primes, $N = \prod_{i=1}^{k} q_i$, $k \geq 2$. A safe prime q is of the form $q = 2q' + 1$ where $q'$ is also a prime. In case $k = 2$, the cryptosystem is spoken of as standard RSA; otherwise, it is a multi-prime RSA. e is the public exponent while d is the private exponent satisfying $ed = 1 \bmod \phi(N)$.

5.2 Shamir's Secret Sharing Over a Prime Field

Let $s \in Z_p$ be a secret held by the dealer where $Z_p$ is a prime field. In order to share this secret among $n > t$ players $\{P_1, ..., P_n\}$ [29], the dealer defines a polynomial $f(x) = \sum_{i=0}^{t} a_i x^i \bmod p$; he sets $a_0 = s$ and each other coefficient $a_{j \neq 0} \in_R Z_p$. $\forall i = (1, ..., n)$, the dealer secretly delivers $f(i)$ to player $P_i$. In the reconstruction phase, each player $P_i$ broadcasts $f(i)$, and the players are able to compute s from any $t + 1$ shares using the Lagrange interpolation formula.

5.3 Shamir's Secret Sharing Over the Integers

Let $s \in [0, ..., K]$ be a secret where K is an approximate upper bound on s. In order to share the secret s over the integers (i.e. not modulo anything) among $n > t$ players [10, 22], the dealer defines the polynomial $f(x) = \sum_{i=0}^{t} a_i x^i$. He sets $a_0 = Ls$ where $L = n!$ and each other coefficient $a_{j \neq 0} \in_R [-L^2 K ... L^2 K]$. $\forall i = (1, ..., n)$, the dealer computes and secretly delivers $f(i)$ to player $P_i$. In the reconstruction phase, the players broadcast their shares, and the secret s can be computed from any $t + 1$ shares using Lagrange interpolation. The players must not forget to divide the interpolation result by L.

5.4 Secure Distributed Computations

Let $a, b \in Z_p$ be two secrets that are shared using the t-degree polynomials $A(x)$ and $B(x)$ respectively. To compute $a + b$, each player $P_i$ holding $A(i)$ and $B(i)$ computes $C(i) = A(i) + B(i)$, which is a share (point) on the t-degree polynomial $C(x) = A(x) + B(x)$; notice that the free term of $C(x)$ is $a + b$. In order to compute $ca$ where c is a public constant, each player $P_i$ computes $C(i) = cA(i)$; now each $C(i)$ is a point on a t-degree polynomial $C(x)$ which has a free term $ca$.

In the multiplication scenario, the number of players is $n > 2t$. Notice that the free coefficient of the polynomial $M(x) = A(x)B(x)$ is $ab$. However, there are two problems to be considered. The first is that the degree of $M(x)$ is $2t$, requiring at least $2t + 1$ shares to interpolate the polynomial. The second is that $M(x)$ is not random. It is required to randomize the coefficients of $M(x)$ and then to reduce its degree back to t. The reduction step is very important when successive multiplications are to be performed, in order to avoid a large increase in the degree of the resulting polynomial, since in this case there may not be enough players (shares) to interpolate the polynomial. To randomize $M(x)$, each player $P_i$ simply selects a random 2t-degree polynomial $r_i(x)$ subject to the condition that its free coefficient is 0 and distributes shares of this polynomial among the players. Each player $P_i$ sums what he has to compute $M(i) + \sum_{j=1}^{n} r_j(i)$, which represents a share of the 2t-degree polynomial $M'(x) = M(x) + \sum_{i=1}^{n} r_i(x)$ satisfying $M'(0) = M(0) = ab$. The players finally redistribute their shares of $M'(x)$ in order to reduce the degree back to t [30].

5.5 Joint Random-Secret Sharing

The purpose of this scheme is to allow a set of n players to jointly agree on a random secret value r with no information revealed to any of them about r; also, no coalition of at most t players knows any information about r. We describe the scheme over a prime field $Z_p$. Each player $P_i$ picks $t + 1$ values $r_i = a_0^{(i)}, ..., a_t^{(i)} \in_R Z_p$ and constructs the polynomial $R_i(x) = \sum_{j=0}^{t} a_j^{(i)} x^j$. $\forall j = (1, ..., n)$, each player $P_i$ computes and secretly delivers $R_i(j)$ to player $P_j$. Each player $P_i$ sums what he receives from the other players to compute $\sigma_i = \sum_{j=1}^{n} R_j(i)$. Each $\sigma_i$ is a point on a t-degree polynomial $\sigma(x)$; notice that the free coefficient of this polynomial is $r = \sum_{i=1}^{n} r_i$. A special case of this scheme is the joint zero-secret sharing, in which the players distribute shares of a zero secret, $r = 0$, among themselves. The only difference is that each player constructs a t-degree polynomial with its free coefficient equal to zero.
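The sharing and multiplication steps of Sections 5.2 and 5.4, as an added example that is not code from the paper: Shamir sharing over a prime field, multiplication with randomization and degree reduction, and, going one step beyond this section, the same multiplication chained over t + 2 primes the way the protocol later builds N. It simulates all players in one process and works over $Z_p$ with $p > N$ rather than over the integers; the function names, the field prime $2^{61} - 1$ and the toy primes are assumptions chosen for illustration.

```python
import secrets
from math import prod

P = 2**61 - 1  # assumed public field prime; must exceed the modulus N


def share(secret, degree, n, p=P):
    """Deal Shamir shares {i: f(i)} of `secret` on a random polynomial of `degree`."""
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(degree)]
    return {i: sum(c * pow(i, k, p) for k, c in enumerate(coeffs)) % p
            for i in range(1, n + 1)}


def lagrange_at_zero(ids, p=P):
    """Coefficients lambda_i with f(0) = sum(lambda_i * f(i)) over the points in ids."""
    lam = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num = num * (-j) % p
                den = den * (i - j) % p
        lam[i] = num * pow(den, -1, p) % p
    return lam


def reconstruct(shares, p=P):
    """Interpolate the free term from a dict of shares (needs degree + 1 points)."""
    lam = lagrange_at_zero(list(shares), p)
    return sum(lam[i] * s for i, s in shares.items()) % p


def multiply(a_sh, b_sh, t, n, p=P):
    """Return shares of a*b on a fresh t-degree polynomial (needs n > 2t)."""
    # Local step: each P_i multiplies its two points, giving M(i) on the
    # 2t-degree, non-random polynomial M(x) = A(x)B(x).
    m = {i: a_sh[i] * b_sh[i] % p for i in range(1, n + 1)}
    # Randomization: every player deals a 2t-degree polynomial with free term 0.
    for _ in range(n):
        r = share(0, 2 * t, n, p)
        m = {i: (m[i] + r[i]) % p for i in m}
    # Degree reduction: players 1..2t+1 re-share their point M'(i) with degree t;
    # each receiver combines the sub-shares with the Lagrange coefficients.
    ids = list(range(1, 2 * t + 2))
    lam = lagrange_at_zero(ids, p)
    sub = {j: share(m[j], t, n, p) for j in ids}
    return {i: sum(lam[j] * sub[j][i] for j in ids) % p for i in range(1, n + 1)}


def shared_modulus(primes, t, n, p=P):
    """Chain the multiplication over t+2 privately chosen primes; return shares of N."""
    if len(primes) != t + 2 or n < 2 * t + 1:
        raise ValueError("need t+2 primes and n >= 2t+1 players")
    factor_shares = [share(q, t, n, p) for q in primes]
    g = factor_shares[0]
    for f in factor_shares[1:]:
        g = multiply(g, f, t, n, p)
    return g


def first(shares, count):
    """Pick the shares of players 1..count."""
    return {i: shares[i] for i in range(1, count + 1)}


if __name__ == "__main__":
    T, N_PLAYERS = 2, 5
    toy_primes = [1009, 1013, 1019, 1021]  # constructed; real factors are l-bit primes
    g = shared_modulus(toy_primes, T, N_PLAYERS)
    print("N from t+1 shares:", reconstruct(first(g, T + 1)), "expected", prod(toy_primes))
```

Because every multiplication ends with a degree reduction, t + 1 shares are enough to open N even after t + 1 successive products; the unreduced product of two sharings already needs 2t + 1 points.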

5.6 Switching Structures

In this sub-section we show how a set P of n players switch from a $(t, n)$ secret sharing structure to a $(t', n)$ secret sharing structure with $t \neq t'$. The idea is simple. Let $A(x)$ be the t-degree polynomial over which the players share a secret a. Each player $P_i \in P$ holds a share $A(i)$ of a. Let $B \subset P$ be a subset of $t + 1$ players; therefore, $a = \sum_{i \in B} \lambda_i A(i)$ where $\lambda_i$ is the Lagrange coefficient. Each player $P_i \in B$ simply shares the quantity $A'_i = \lambda_i A(i)$ among the n players P using a $t'$-degree polynomial $p_i(x)$. Notice that $a = \sum_{i \in B} A'_i$. Each player $P_i \in P$ computes $\sum_{j=1}^{n} p_j(i)$, which is a share of the secret a over a polynomial of degree $t'$.

5.7 The GCD Algorithm

The GCD algorithm [22] is an algorithm to compute inverses over a shared secret modulus. Assume that a multiple of the RSA Euler totient $\phi$ is shared additively among a set of players, that is, each player $P_i$ holds a share $\alpha_i$ such that $\sum_i \alpha_i = \lambda\phi$. Each player $P_i$ picks a randomizing integer $r_i$ of order $O(N^3)$ and broadcasts $\gamma_i = \alpha_i + r_i e$. All the players are able to compute $\gamma = \sum_i \gamma_i = \sum_i (\alpha_i + r_i e) = \lambda\phi + Re$ where $R = \sum_i r_i$. Assume that $\gcd(\gamma, e) = 1$; then there exist a, b such that $a\gamma + be = 1$ and thus $d = aR + b = e^{-1} \bmod \phi$. Player $P_1$ sets $d_1 = ar_1 + b$ and each other player $P_{i \neq 1}$ sets $d_i = ar_i$. It is obvious that $d = \sum_i d_i$. A warning has been given in [] not to use the same value of $\lambda$ for different values of e since this attempt reveals $\lambda\phi$ via the Chinese remainder theorem.

6 Outlines of our Protocol

The idea of our protocol is that a subset of $t + 2$ players from the n players are selected (at least three players ($t = 1$)) so that each player picks a random prime (or a safe prime if needed). The n players join to generate the RSA modulus $N = \prod_{i=1}^{t+2} q_i$ where each of the $q_i$'s is a prime or a safe prime. Each of the $t + 2$ players shares his prime factor among the n players using $(t, n)$-Shamir's secret sharing over the integers (or over a prime field $Z_p$ where $p > N$) so that each player has a share of each prime factor of N. We will use Shamir's secret sharing over the integers for efficiency considerations and to allow the proof of Lemma 2. The players then join to perform secure multiparty distributed computations so that each player holds a valid share of N over a t-degree polynomial. During such computations the players perform successive polynomial degree reduction to avoid the increase in the degree of the polynomial over which they share N. If such reductions are not successively performed during the computations, the degree of the polynomial over which N is shared will rise to $t^2 + 2t$, requiring at least $t^2 + 2t + 1$ players to interpolate the polynomial and compute N; therefore, the overheads due to polynomial degree reduction can be avoided only if we have that many players. Each player broadcasts his share of N, and any of the n players is able to compute N from the broadcasted shares. Since the players initially picked the factors of N as primes, there is no need to perform any distributed primality tests after computing N; such primality tests were always considered an extensive task due to the enormous number of trials required before a suitable modulus is generated. Once N is computed, the players proceed to compute shares of the secret Euler totient, $\phi = \prod_{i=1}^{t+2} (q_i - 1)$, in a similar fashion. At the end, each player holds a share of $\phi$ over a polynomial of degree t. Finally, we recall an efficient GCD algorithm from [22] to distribute shares of the secret key d.

7 The Protocol

Let $P = \{P_1, ..., P_n\}$ be a set of n players where $n \geq 2t + 1$. Let $P^* \subset P$ where $P^* = \{P_1, ..., P_{t+2}\}$. Each player $P_i \in P^*$ picks a random secret $\ell$-bit prime $q_i$.

7.1 Shared Generation of the RSA Modulus N

The t-private protocol to jointly generate an RSA modulus $N = q_1 q_2 ... q_{(t+2)}$ is as follows:

1. Sharing the prime factors: Each player $P_i \in P^*$ simply shares his $q_i$ using Shamir's secret sharing over the integers as follows:

• Defines $t + 1$ values, $a_0^{(i)}, ..., a_t^{(i)}$. He sets $a_0^{(i)} = Lq_i$, and sets each $a_{j \neq 0}^{(i)} \in_R [-L^2 2^{\ell}, L^2 2^{\ell}]$ where $2^{\ell}$ is an approximate upper bound on $q_i$.
• Constructs the t-degree polynomial $f_i(x) = \sum_{j=0}^{t} a_j^{(i)} x^j$.
• $\forall j = (1, ..., n)$, computes $f_i(j)$ and secretly delivers $f_i(j)$ to player $P_j$.

Now, each player $P_i \in P$ holds the $t + 2$ shares $f_1(i), ..., f_{t+2}(i)$.

2. Multiplication using successive polynomial degree reduction (sharing N): Each player $P_i \in P$ initializes his local accumulator $G_i = f_1(i)$ and sets $G_1(x) = f_1(x)$. For $k = 2$ to $t + 2$, each player $P_i \in P$:

• Computes $G_i \leftarrow G_i f_k(i)$.
• Picks 2t random integers $b_j^{(i)} \in_R [-L^2 2^{2(t+2)\ell}, L^2 2^{2(t+2)\ell}]$.
• Constructs the 2t-degree randomizing polynomial $r_i(x) = \sum_{j=1}^{2t} b_j^{(i)} x^j$. Notice that the free term of $r_i(x)$ is 0.
• $\forall j = (1, ..., n)$, computes and secretly delivers $r_i(j)$ to player $P_j$.
• Now, $P_i$ holds n shares, $r_1(i), ..., r_n(i)$, of the polynomials $r_1(x), ..., r_n(x)$ respectively. He computes $R_i = \sum_{j=1}^{n} r_j(i)$, which represents a share of the polynomial $r(x) = \sum_{j=1}^{n} r_j(x)$.
• Computes $G'_i = G_i + R_i$, which is a point on the 2t-degree polynomial $G'_k(x) = f_k(x) G_{k-1}(x) + \sum_{j=1}^{n} r_j(x)$.
• Joins with the rest of the players in order to perform a polynomial degree reduction from the 2t-degree $G'_k(x)$ to a t-degree $G_k(x)$. He sets $G_i$ as his share of $G_k(x)$.

3. Final computation of N: Finally, in order to compute $N = q_1 q_2 ... q_{(t+2)}$, each player $P_i \in P$ broadcasts his share $G_i$. The players are able to compute N from any $t + 1$ shares; these shares allow them to compute the free term of the t-degree polynomial $G_{t+2}(x)$ using Lagrange interpolation. The players must not forget to divide this free term by $L^{(t+2)}$.

Lemma 1. Under the assumptions that 1) the players are honest but curious, 2) Shamir's secret sharing scheme over the integers is secure, and 3) factoring a composite of two $\ell$-bit primes is infeasible, the above protocol is t-private.

Proof. We assume the weaker situation where the indices of the $t + 2$ players who are selected for picking the prime factors are known to the adversary. In this case, a wise adversary would try to perform her attack on these players. It is obvious that an adversary that eavesdrops on $t + 1$ players immediately knows $q_1, ..., q_{t+1}$ and is able to compute $q_{t+2} = N/(q_1 ... q_{t+1})$ and consequently knows the full factorization of N. The adversary that successfully corrupts at most t players $\{P_1, ..., P_t\}$ knows at most t prime factors of the RSA modulus N and at most t shares for each of the remaining two primes $q_{t+1}, q_{t+2}$. Assumption (2) implies that the adversary cannot gain any information about these two primes from only t shares. The adversary will try to factorize $N' = q_{t+1} q_{t+2}$; in this case assumption (3) implies that the adversary is not able to factorize $N'$, and hence the protocol is t-private.

7.2 Sharing the RSA Secret Totient φ

Each player $P_i \in P^*$ is able to compute $q_i - 1$. The Euler totient is of the form $\phi = \prod_{i=1}^{t+2} (q_i - 1)$. In order to share the secret totient $\phi$ among the n players, the players proceed in a similar fashion. The protocol is the same as that of sharing N. The only difference is that each player $P_i \in P^*$ sets $a_0^{(i)} = L(q_i - 1)$. At the end, each player $P_i \in P$ holds a share $\phi_i$ of $L^{t+2}\phi$; this share is a point on a t-degree polynomial $\Phi(x)$, namely, $\phi_i = \Phi(i)$ and $L^{t+2}\phi = \Phi(0)$.

Lemma 2. An adversary that successfully eavesdrops on no more than t players has no information about φ.

Proof. Let $G(x)$ be the t-degree polynomial over which the players share N and let $\Phi(x)$ be the t-degree polynomial over which the players share $\phi$. $G(0) = L^{t+2} N$ and $\Phi(0) = L^{t+2} \phi$. Define $\delta(x)$ such that $\delta(0) = (\phi - N) L^{t+2}$ and $\delta(1) = ... = \delta(t) = 0$. One may write $\delta(x) = \sum_{i=0}^{t} \delta(i) \prod_{j=0, j \neq i}^{t} \frac{x - j}{i - j}$, or $\delta(x) = (\phi - N) L^{t+2} \prod_{j=1}^{t} \frac{x - j}{-j}$, and the i-th coefficient of $\delta(x)$ is $L^{t+2} (\phi - N) \sum_{|B|=i} \frac{\prod_{j \in B} (-j)}{\prod_{j=1,...,t} (-j)}$. This is bounded in absolute value by $\sum_{|B|=i} L^{t+2} (\phi - N) \leq (\phi - N) L^{t+2} \frac{t!}{i!(t-i)!} \leq L^{2(t+2)} (\phi - N)$. The coefficients of $G(x)$ are in the range $[-L^{2(t+2)} N - L^{2(t+2)} (\phi - N) ... L^{2(t+2)} N + L^{2(t+2)} (\phi - N)]$, hence the probability that the coefficients are outside the legal range is $t \frac{2 L^{2(t+2)} (\phi - N)}{2[L^{2(t+2)} N + L^{2(t+2)} (\phi - N)]} = t\left(\frac{\phi - N}{\phi}\right)$, which is negligible.

At this point, the players only keep the shares of the secret totient and erase all other parameters including the prime factors.
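The GCD algorithm of Section 5.7, which the protocol applies to the shared totient, as an added example that is not code from the paper or from [22]. It simulates all players in one process with additive shares of λφ; the function names, the toy primes and the exponent 65537 are assumptions chosen for illustration.

```python
import secrets
from math import prod


def ext_gcd(x, y):
    """Return (g, a, b) with a*x + b*y == g == gcd(x, y)."""
    a0, b0, a1, b1 = 1, 0, 0, 1
    while y:
        q = x // y
        x, y = y, x - q * y
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return x, a0, b0


def additive_shares(value, n, bound):
    """Constructed stand-in for the players' additive shares alpha_i of lambda*phi."""
    parts = [secrets.randbelow(2 * bound) - bound for _ in range(n - 1)]
    return parts + [value - sum(parts)]


def share_private_exponent(alpha, e, N):
    """One run of the GCD algorithm. Returns (d_shares, gamma), or None when
    gcd(gamma, e) != 1 and the players have to restart with a fresh lambda."""
    r = [secrets.randbelow(N ** 3) for _ in alpha]            # randomizers of order N^3
    gamma = sum(a_i + r_i * e for a_i, r_i in zip(alpha, r))  # sum of the broadcast gamma_i
    g, a, b = ext_gcd(gamma, e)
    if g != 1:
        return None
    d = [a * r_i for r_i in r]   # d_i = a * r_i
    d[0] += b                    # P_1 additionally adds b
    return d, gamma


def run(primes, e, n):
    """Simulate all n players in one process; lambda is drawn fresh on every attempt."""
    N, phi = prod(primes), prod(q - 1 for q in primes)
    while True:
        lam = 1 + secrets.randbelow(N ** 2)
        out = share_private_exponent(additive_shares(lam * phi, n, N ** 3), e, N)
        if out is not None:
            d, gamma = out
            return N, phi, lam, d, gamma


def sign(m, d_shares, N):
    """Each player contributes m^d_i mod N; the product is the RSA signature m^d."""
    sig = 1
    for d_i in d_shares:
        sig = sig * pow(m, d_i, N) % N   # d_i may be negative: uses the inverse of m
    return sig


if __name__ == "__main__":
    N, phi, lam, d, gamma = run([1009, 1013, 1019], 65537, 3)  # constructed toy primes
    print("e * sum(d_i) mod phi =", sum(d) * 65537 % phi)
    print("signature verifies:", pow(sign(42, d, N), 65537, N) == 42)
```

The broadcast value γ satisfies γ ≡ λφ (mod e), so every run discloses λφ modulo that e; this is the residue the warning about reusing λ across different exponents refers to, and the reason `run` draws a new λ on every attempt.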

7.3 Switching to a Higher Threshold

We reached the point where each player $P_i \in P$ holds a share $\phi_i$ of $L^{t+2}\phi$; each share is a point on a t-degree polynomial $\Phi(x)$ where $\phi_i = \Phi(i)$ and $L^{t+2}\phi = \Phi(0)$. The small value of the threshold may not be suitable for sharing the secret key d for a long period of time, since in this case an adversary has enough time to eavesdrop on more than t players and consequently knows the secret key d. In this section we introduce a technique by which the players can jointly increase the threshold t to a new higher threshold $t'$; in other words, the players switch from a $(t, n)$-structure to a $(t', n)$-structure where $t' > t$ and $n > 2t'$. Let $B \subset P$, $|B| = t + 1$ players. The players proceed as follows:

Each player $P_i \in B$ does the following:

• Picks $a_1^{(i)}, ..., a_{t'}^{(i)} \in_R [-L^{t+4} N ... L^{t+4} N]$ where $L^{(t+2)} N$ is an approximate bound on $\Phi(0)$.
• Sets $a_0^{(i)} = L\lambda_i\phi_i$ where $\lambda_i$ is the Lagrange coefficient of this player, and constructs the polynomial $y_i(x) = \sum_{j=0}^{t'} a_j^{(i)} x^j$.
• $\forall j = (1, ..., n)$, privately sends $y_i(j)$ to player $P_j$.

Each player $P_i \in P$ sums what he receives from the other players to compute $\phi'_i = \sum_{j=1}^{n} y_j(i)$. Now, each player $P_i \in P$ holds a share $\phi'_i$ which is a point on a $t'$-degree polynomial $\Phi'(x) = \sum_{j=1}^{n} y_j(x)$ where $\phi'_i = \Phi'(i)$ and $L^{t+3}\phi = \Phi'(0)$.

7.4 Computing Inverses Over the Shared φ

We reached the point where each player $P_i \in P$ holds a share $\phi'_i$ of $L^{t+3}\phi$; each of these shares is a point on a $t'$-degree polynomial $\Phi'(x)$. In this part of the protocol we follow the clever GCD scheme [22] in order to compute shares of the secret key d given a publicly known prime e. Let N be an approximate upper bound on $\phi$. The players proceed as follows:

1. Shared computation of $\gamma = \lambda\phi + Re$:

Each player $P_i \in P$:

• Picks $\lambda_i \in_R [0 ... N^2]$ and $b_1^{(i)}, ..., b_{t'}^{(i)} \in_R [-L^2 N^3 ... L^2 N^3]$.
• Picks $r_i \in_R [0 ... N^3]$ and $c_1^{(i)}, ..., c_{t'}^{(i)} \in_R [-L^2 N^4 ... L^2 N^4]$.
• Picks $v_1^{(i)}, ..., v_{t'}^{(i)} \in_R [-L^2 N^5 ... L^2 N^5]$.
• Constructs the polynomials $g_i(x) = L\lambda_i + b_1^{(i)} x + ... + b_{t'}^{(i)} x^{t'}$, $h_i(x) = Lr_i + c_1^{(i)} x + ... + c_{t'}^{(i)} x^{t'}$ and the randomizing polynomial $v_i(x) = 0 + v_1^{(i)} x + ... + v_{t'}^{(i)} x^{t'}$.
• $\forall j = (1, ..., n)$, sends $g_i(j)$, $h_i(j)$ and $v_i(j)$ to player $P_j$.

Each player $P_i \in P$:

• Computes $g_i = \sum_{j=1}^{n} g_j(i)$, $h_i = \sum_{j=1}^{n} h_j(i)$, $v_i = \sum_{j=1}^{n} v_j(i)$.
• Broadcasts $F_i = \phi_i g_i + e h_i + v_i$.

Each player can compute $\gamma = F(0)$ by interpolating the polynomial $F(x) = \Phi(x) g(x) + e h(x) + v(x)$ using any $2t' + 1$ broadcasted shares $F_i$.

2. Computing shares of the secret key d:

• Using the GCD algorithm, find a, b such that $a\gamma + be = 1$. If such a, b do not exist (with very low probability), repeat from step 1.
• Each player $P_i \in P$ computes his share of the secret key d as $d_i = ah(i) + b$.

8 Conclusions

In this paper, in the honest-but-curious scenario, we proposed an extension to the protocol in [31] to allow n players to share the generation of an RSA modulus N and to share the secret key d. The protocol is extremely fast compared to previous protocols since there is no need for any distributed primality tests after the RSA modulus is generated. A suitable RSA modulus is generated from the first trial. The protocol can generate an RSA modulus which is a composite of safe primes. Although the protocol starts with a small threshold t, this is acceptable due to the high speed of the protocol, giving no chance for an adversary to exceed a small threshold. In less than a minute, the players are able to switch to a higher threshold $t'$ soon after computing N and proceed normally in the protocol.

References

[1] Desmedt, Y.: Threshold cryptography. European Transactions on Telecommunications and Related Technologies. Vol.5 No.4 (July-August 1994) 35–43.

[2] Langford, S.: Threshold DSS Signatures without a Trusted Party. In CRYPTO’95 (1995) 397–409, LNCS 963, Springer-Verlag, (1995).

[3] Gennaro, R.: Theory and Practice of Verifiable Secret Sharing. PhD thesis, Massachusetts Institute of Technology (MIT) (May 1996).

[4] Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust Threshold DSS Signatures. Advances in Cryptology, Proc. Eurocrypt’96, Lecture Notes in Computer Science 1070, Springer, (1996) 354–371.

[5] Frankel, Y., Desmedt, Y.: Parallel reliable threshold multisignature. Technical Report TR-92-04-02. Univ. of Wisconsin–Milwaukee (1992).

[6] Desmedt, Y., Frankel, Y.: Threshold Cryptosystem. In Crypto’89, Lecture Notes in Computer Science, LNCS 435, Springer-Verlag (1990) 307–315.

[7] Boneh, D., Franklin, M.: Efficient generation of shared RSA keys. In Crypto’97 (1997) 425–439.

[8] Cocks, C.: Split Knowledge Generation of RSA Parameters. In Cryptography and Coding 6th IMA Conference, LNCS 1355, Springer-Verlag (1997) 89–95.

[9] Blackburn, S., Blake-Wilson, S., Burmester, M., Galbraith, S.: Shared generation of shared RSA keys. Technical Report CORR98-19, Department of Combinatorics and Optimization, University of Waterloo (1998).

[10] Frankel, Y., Mackenzie, P., Yung, M.: Robust efficient distributed rsa-key generation. In Proc. of 30th Stoc. (1998) 663–672.

[11] Poupard, G., Stern, J.: Generation of shared rsa-keys by two parties. In ASIACRYPT’98 (1999) 245–254.

[12] Gilboa, N.: Two Party RSA Key Generation. Proc. of Crypto’99, Lecture Notes in Computer Science, Vol. 1666, Springer-Verlag (1999) 116–129.

[13] Rabin, M.: How to exchange secrets by oblivious transfer. Technical Report TR-81, Harvard Aiken Computation Laboratory (1981).

[14] Gertner, Y., Ishai, Y., Kushilevitz, E., Malkin, T.: Protecting data privacy in information retrieval schemes. In Proc. of 30th Stoc. (1998).

[15] Stern, J.: A new and efficient all-or-nothing disclosure of secrets protocol. In ASIACRYPT’98, Springer-Verlag (1998) 357–371.

[16] Kushilevitz, E., Ostrovsky, R.: Single-database computationally private information retrieval. In Proc. of 38th FOCS. (1997) 364–373.

[17] Cachin, C., Micali, S., Stadler, M.: Computationally private information retrieval with polylogarithmic communication. In Advances in Cryptography. EUROCRYPT’99 (1999).

[18] Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proc. of the 20th ACM symposium on the theory of computing (1988) 1–10.

[19] Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. Journal of the ACM 45(6) (1998) 965–982.

[20] Naor, M., Pinkas, B.: Oblivious transfer and polynomial evaluation. In Proc. of stat. Stoc. (1999) 245–254.

[21] Cocks, C.: Split generation of RSA parameters with multiple participants. Appears on the web at www.cesg.gov.uk/downlds/math/rsa2.pdf

[22] Catalano, D., Gennaro, R., Halevi, S.: Computing Inverses over a Shared Secret Modulus. In Eurocrypt’00, LNCS 1807, Springer-Verlag (2000) 190–207.

[23] Desmedt, Y.: Society and group oriented cryptography: A new concept. In Advances in Cryptology, Proceedings of Crypto’87, Lecture Notes in Computer Science, Vol.293, Springer-Verlag (1988) 120–127.

[24] D. Boneh, J. Horwitz: Generating a product of three primes with an unknown factorization, Proc. 3rd Algorithmic Number Theory Symposium (ANTS-III), Portland, USA, (1998), pp. 237–251.

[25] T. Straub: Efficient Two Party Multi-Prime RSA Key Generation. In (Hamza, M.H. Hrsg.): Proc. IASTED International Conference on Communication, Network, and Information Security, New York, 2003.

[26] Michael J. Wiener: Cryptanalysis of Short RSA Secret Exponents. IEEE Transactions on Information Theory, Vol. 36, No. 3, pp. 553–558, May 1990.

[27] A. K. Lenstra, H. W. Lenstra, Jr. (eds), The development of the number field sieve, Lecture Notes in Math. 1554, Springer-Verlag, Berlin, 1993.

[28] J. Grobschadl: The Chinese Remainder Theorem and its Application in a High-Speed RSA Crypto Chip, in Proceedings of the 16th Annual Computer Security Applications Conference, pp. 384–393. IEEE Computer Society Press, ISBN 0-7695-0859-6.

[29] A. Shamir. How to Share a Secret. Communications of the ACM, 22:612–613, 1979.

[30] M. Ben-Or, S. Goldwasser, A. Wigderson, "Completeness Theorems for noncryptographic fault-tolerant distributed computation", STOC’88, ACM Press, (1988), pp. 1–10.

[31] Maged H. Ibrahim, I. I. Ibrahim, A. H. El-Sawy, Fast Three-Party Shared Generation of RSA Keys Without Distributed Primality Tests, to appear, in Proceedings of the Information Systems: New Generations Conference (ISNG 2004, special Session on Smart Cards), Las Vegas, USA.