In the generation method for RSA moduli proposed by Boneh and Franklin in [BF97], the partial signing servers generate random shares $p_i$, $q_i$ and compute as a candidate for an RSA modulus $n = pq$, where $p = \sum p_i$ and $q = \sum q_i$. Then they perform a time-consuming distributed primality test which simultaneously checks the primality of both $p$ and $q$ by computing $g^{(p-1)(q-1)} = 1 \bmod n$. The primality test proposed in [BF97] cannot be generalized to products of more than two primes. A more complicated one for products of three primes was presented in [BH98]. In this paper we propose a new distributed primality test, which can independently prove the primality of $p$ or $q$ for the public modulus $n = pq$ and can be easily generalized to products of arbitrarily many factors, i.e., the Multi-Prime RSA of PKCS #1 v2.0 Amendment 1.0 [PKCS]. The proposed scheme can be applied in parallel for each factor $p$ and $q$. We use properties of the group $Cl(-8n^2)$, which is the class group of the quadratic field with discriminant $-8n^2$. As is the case with the Boneh-Franklin protocol, our protocol is $\frac{k-1}{2}$-private, i.e., fewer than $\frac{k-1}{2}$ colluding servers cannot learn any information about the primes of the generated modulus. The security of the proposed scheme is based on the intractability of the discrete logarithm problem in $Cl(-8n^2)$ and on the intractability of a new number theoretic problem which seems to be intractable too.
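The following added example (not code from the paper or from [BF97]) simulates how the joint check $g^{(p-1)(q-1)} = 1 \bmod n$ described above can be evaluated from additive shares alone, using the identity $(p-1)(q-1) = n + 1 - \sum (p_i + q_i)$. All function names and the small sample numbers are constructed for illustration; the simulation computes $n$ in the clear and provides no privacy, and it does not implement the class-group test the paper proposes.

```python
import secrets
from math import gcd

def split_additively(value, k):
    """Split value into k positive additive shares (toy sharing, no privacy claim)."""
    shares = [secrets.randbelow(value // k) for _ in range(k - 1)]
    shares.append(value - sum(shares))
    return shares

def server_contribution(g, p_i, q_i, n):
    """Value server i publishes, computed from its own shares only."""
    return pow(g, p_i + q_i, n)

def distributed_check(n, p_shares, q_shares, g):
    """Decide g^((p-1)(q-1)) == 1 (mod n) without assembling p or q.

    Since (p-1)(q-1) = n + 1 - sum(p_i + q_i) and g is a unit mod n,
    the check is equivalent to g^(n+1) == prod_i g^(p_i + q_i) (mod n).
    """
    if gcd(g, n) != 1:
        raise ValueError("g must be coprime to n")
    product = 1
    for p_i, q_i in zip(p_shares, q_shares):
        product = product * server_contribution(g, p_i, q_i, n) % n
    return pow(g, n + 1, n) == product

def run_candidate(p, q, k=3, bases=(2, 3, 5)):
    """Simulate k servers testing the candidate n = p*q for several bases g."""
    n = p * q  # in a real protocol n comes from a secure multiplication
    p_shares = split_additively(p, k)
    q_shares = split_additively(q, k)
    return all(distributed_check(n, p_shares, q_shares, g)
               for g in bases if gcd(g, n) == 1)

if __name__ == "__main__":
    # Constructed sample candidates: 1009 and 1013 are prime, 1011 = 3 * 337.
    print("p=1009, q=1013 accepted:", run_candidate(1009, 1013))
    print("p=1011, q=1013 accepted:", run_candidate(1011, 1013))
```

The second candidate is rejected because one "prime" is composite, which shows why the test covers $p$ and $q$ simultaneously and cannot say which factor failed.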