## Cryptology ePrint Archive: Report 2018/577

Fast Distributed RSA Key Generation for Semi-Honest and Malicious Adversaries

Tore Kasper Frederiksen and Yehuda Lindell and Valery Osheter and Benny Pinkas

Abstract: We present two new, highly efficient, protocols for securely generating a distributed RSA key pair in the two-party setting. One protocol is semi-honestly secure and the other maliciously secure. Both are constant round and do not rely on any specific number-theoretic assumptions and improve significantly over the state-of-the-art by allowing a slight leakage (which we show to not affect security).

For our maliciously secure protocol our most significant improvement comes from executing most of the protocol in a strong'' semi-honest manner and then doing a single, light, zero-knowledge argument of correct execution. We introduce other significant improvements as well. One such improvement arrives in showing that certain, limited leakage does not compromise security, which allows us to use lightweight subprotocols. Another improvement, which may be of independent interest, comes in our approach for multiplying two large integers using OT, in the malicious setting, without being susceptible to a selective-failure attack. Finally, we implement our malicious protocol and show that its performance is an order of magnitude better than the best previous protocol, which provided only semi-honest security.

Category / Keywords: cryptographic protocols / RSA, Distributed Cryptography

Original Publication (with major differences): IACR-CRYPTO-2018
DOI:
10.1007/978-3-319-96881-0\_12

Date: received 5 Jun 2018, last revised 3 Oct 2019

Contact author: lindell at biu ac il, tore frederiksen at alexandra dk

Available format(s): PDF | BibTeX Citation

Note: This revision is the full version of the paper and includes a bug fix of step 2 of the biprimality test (present in the proceedings version) which we were kindly informed about by Muthuramakrishnan Venkitasubramaniam and Samuel Ranellucci.

Short URL: ia.cr/2018/577

[ Cryptology ePrint archive ]