We present two efficient protocols which implement robust threshold RSA signature schemes, where the power to sign is shared by N players such that any subset of T or more signers can collaborate to produce a valid RSA signature on any given message, but no subset of fewer than T corrupted players can forge a signature. Our protocols are robust in the sense that the correct signature is computed even if up to T − 1 players behave in arbitrarily malicious way during the signature protocol. This in particular includes the cases of players that refuse to participate or that generate incorrect partial signatures. Our robust protocols achieve optimal resiliency as they can tolerate up to (N − 1)/2 faults, and their efficiency is comparable to the efficiency of the underlying threshold RSA signature scheme. Robust threshold signature schemes have very important applications, since they provide increased security and availability for a signing server (e.g. a certification authority or an electronic cash provider). Solutions for the case of the RSA signature scheme are especially important because of its widespread use. In addition, these techniques apply to shared RSA decryption as well, thus leading to efficient key escrow schemes for RSA. Our schemes are based on some interesting extensions that we devised for the information checking protocol of T. Rabin and Ben-Or [Rab94], [RB89], and the undeniable signature work initiated by Chaum and van Antwerpen [CA90]. These extensions have some attractive properties, and hence are of independent interest.
CITATION STYLE
Gennaro, R., Jarecki, S., Krawczyk, H., & Rabin, T. (1996). Robust and efficient sharing of RSA functions. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 1109, pp. 157–172). Springer Verlag. https://doi.org/10.1007/3-540-68697-5_13
Mendeley helps you to discover research relevant for your work.