Paper 1996/012

Proactive RSA

Yair Frankel, Peter Gemmell, Philip D. MacKenzie, and Moti Yung


We consider a "mobile adversary" which may corrupt all participants throughout the lifetime of the system in a non-monotonic fashion (i.e. recoveries are possible) but the adversary is unable to corrupt too many participants during any short time period. Schemes resiliant to such adverasry are called proactive. We present a proactive RSA system in which a threshold of servers applies the RSA signature (or decryption) function in a distributed manner. Employing new combinatorial and elementary number theoretic techniques, our protocol enables the dynamic updating of the servers (which hold the RSA key distributively); it is secure even when a linear number of the servers are corrupted during any time period; it efficiently "self-maintains" the security of the function and its messages (ciphertexts or signatures); and it enables continuous availability, namely, correct function application using the shared key is possible at any time.

Available format(s)
Publication info
Published elsewhere. Appeared in the THEORY OF CRYPTOGRAPHY LIBRARY and has been included in the ePrint Archive.
Contact author(s)
yair @ cs sandia gov
1996-08-05: received
Short URL
Creative Commons Attribution


      author = {Yair Frankel and Peter Gemmell and Philip D.  MacKenzie and Moti Yung},
      title = {Proactive RSA},
      howpublished = {Cryptology ePrint Archive, Paper 1996/012},
      year = {1996},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.