### Abstract

In the generation method for RSA moduli proposed by Boneh and Franklin in [BF97], the partial signing servers generate random shares p_i, q_i and compute as candidate for an RSA modulus n = pq, where p = Σ p_i and q = Σ q_i. Then they perform a time-consuming distributed primality test which simultaneously checks the primality of both p and q by computing g^{(p−1)(q−1)} = 1 mod n. The primality test proposed in [BF97] cannot be generalized to products of more than two primes. A more complicated one for products of three primes was presented in [BH98]. In this paper we propose a new distributed primality test, which can independently prove the primality of p or q for the public modulus n = pq and can be easily generalized to products of arbitrarily many factors, i.e., the Multi-Prime RSA of PKCS #1 v2.0 Amendment 1.0 [PKCS]. The proposed scheme can be applied in parallel for each factor p and q. We use properties of the group Cl(−8n^{2}), which is the class group of the quadratic field with discriminant −8n^{2}. As is the case with the Boneh-Franklin protocol, our protocol is (formula presented)-private, i.e. fewer than (formula presented) colluding servers cannot learn any information about the primes of the generated modulus. The security of the proposed scheme is based on the intractability of the discrete logarithm problem in Cl(−8n^{2}) and on the intractability of a new number-theoretic problem which seems to be intractable too.
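As an added illustration (not code from the paper), the Boneh-Franklin check described above, simulated in Python: k servers hold additive shares p_i, q_i, each publishes only a power of g, and the product of the published values is compared with 1 mod n. The share-splitting helper, the simulation of all servers in one process and the small test values are constructed here; the paper's own protocol adds further conditions that this Fermat-style sketch does not reproduce.

```python
import random
from math import gcd

# Constructed simulation (not the paper's protocol): k servers hold additive
# shares p_i, q_i of the secret candidates p = sum(p_i), q = sum(q_i); n = pq is public.

def additive_shares(x, k, rng):
    """Split x into k additive shares; the last share absorbs the remainder."""
    parts = [rng.randrange(0, x) for _ in range(k - 1)]
    parts.append(x - sum(parts))
    return parts

def bf_partial(i, n, p_i, q_i, g):
    """Server i's published contribution to g^((p-1)(q-1)) mod n."""
    # (p-1)(q-1) = n + 1 - sum_i(p_i + q_i): every server raises g to -(p_i + q_i)
    # and server 0 additionally absorbs the public term n + 1. Shares never leave
    # the server; only the resulting group element is published.
    e = -(p_i + q_i)
    if i == 0:
        e += n + 1
    return pow(g, e, n)          # a negative exponent uses the modular inverse of g

def bf_check(n, p_shares, q_shares, g):
    """Combine the published contributions; the product must equal 1 mod n."""
    if gcd(g, n) != 1:
        raise ValueError("g must be coprime to n")
    acc = 1
    for i, (p_i, q_i) in enumerate(zip(p_shares, q_shares)):
        acc = acc * bf_partial(i, n, p_i, q_i, g) % n
    return acc == 1

def bf_test(p_shares, q_shares, rounds=20, seed=None):
    """Repeat the check for several random bases g."""
    # If p and q are both prime, Euler's theorem makes the product 1 for every g
    # coprime to n. Otherwise a random g exposes the failure with high probability,
    # but like any Fermat-style test this has liar moduli (e.g. p = 9, q = 7),
    # which is why the real protocol imposes extra conditions not shown here.
    rng = random.Random(seed)
    n = sum(p_shares) * sum(q_shares)   # simulated; in the protocol n is computed jointly
    done = 0
    while done < rounds:
        g = rng.randrange(2, n - 1)
        if gcd(g, n) != 1:
            continue                     # resample g; only an artifact of tiny test moduli
        if not bf_check(n, p_shares, q_shares, g):
            return False
        done += 1
    return True
```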

| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | Information Security and Privacy - 7th Australasian Conference, ACISP 2002, Proceedings |
| Editors | Lynn Batten, Jennifer Seberry |
| Publisher | Springer Verlag |
| Pages | 1-16 |
| Number of pages | 16 |
| ISBN (Print) | 3540438610, 9783540438618 |
| Publication status | Published - Jan 1 2002 |
| Event | 7th Australasian Conference on Information Security and Privacy, ACISP 2002 - Melbourne, Australia. Duration: Jul 3 2002 → Jul 5 2002 |

### Publication series

| Field | Value |
|---|---|
| Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
| Volume | 2384 |
| ISSN (Print) | 0302-9743 |
| ISSN (Electronic) | 1611-3349 |

### Other

| Field | Value |
|---|---|
| Other | 7th Australasian Conference on Information Security and Privacy, ACISP 2002 |
| Country | Australia |
| City | Melbourne |
| Period | 7/3/02 → 7/5/02 |

### All Science Journal Classification (ASJC) codes

- Theoretical Computer Science
- Computer Science (all)

### Cite this

Biehl, Ingrid; Takagi, Tsuyoshi. **A new distributed primality test for shared RSA keys using quadratic fields.** In Lynn Batten and Jennifer Seberry (Eds.), *Information Security and Privacy - 7th Australasian Conference, ACISP 2002, Proceedings* (pp. 1-16). Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 2384. Springer Verlag, 2002. Presented at the 7th Australasian Conference on Information Security and Privacy, ACISP 2002, Melbourne, Australia, 7/3/02.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - A new distributed primality test for shared RSA keys using quadratic fields

AU - Biehl, Ingrid

AU - Takagi, Tsuyoshi

PY - 2002/1/1

Y1 - 2002/1/1

UR - http://www.scopus.com/inward/record.url?scp=84947417695&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84947417695&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84947417695

SN - 3540438610

SN - 9783540438618

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 1

EP - 16

BT - Information Security and Privacy - 7th Australasian Conference, ACISP 2002, Proceedings

A2 - Batten, Lynn

A2 - Seberry, Jennifer

PB - Springer Verlag

ER -