On the Decentralized Generation of the RSA Moduli in MultiParty Settings
Abstract
RSA cryptography is still widely used. Some of its applications (e.g., distributed signature schemes, cryptosystems) do not allow the RSA modulus to be generated by a centralized trusted entity. Instead, the factorization must remain unknown to all the network participants. To this date, the existing algorithms are either computationally expensive, or limited to twoparty settings. In this work, we design a decentralized multiparty computation algorithm able to generate efficiently the RSA modulus.
References
1 Introduction
RivestShamirAdleman (RSA) [Rivest] is one of the first public key encryption systems, and it is still widely used. RSA uses the product of two large prime numbers and to compute a public modulus . The security of RSA is guaranteed by the difficulty of the integer factorization of the public modulus: its factorization would provide the prime numbers and and, thus, the corresponding private key.
The simplest technique to generate RSA keys is by using an agent trusted by the parties who does not disclose the factorization. However, many applications using RSA (e.g., distributed signature schemes [Preneel2000], threshold cryptosystems [Hazay], multi party computations [Cramer]) require to generate the RSA keys in a distributed way. In other contexts, for instance when using verifiable delay functions [Boneh2018] for spam prevention in distributed ledger technologies [CoordicieTeam2019], the private key does not have to be computed, and the algorithm require the decentralized generation of the public modulus only.
In this document, we propose a multiparty protocol generating a public RSA modulus, which extends the stateoftheart twoparty algorithm discussed in [Frederiksen].
The rest of the paper is organized as follows: in Section 2, we present the previous work on RSA key generation, and in Section 3 we review in detail the fastest algorithm to date [Frederiksen]; then, in Section 4, we describe our algorithm working in a multiparty setting; after that, we conclude our paper with a discussion about network overhead and algorithm complexity in Section 5.
2 State of the art
Fiat and Shamir seminal paper on signature schemes [Fiat1986] has paved the way to the research on usnig public modulus with unknown factorization. Later, Boneh and Franklin designed a distributed modulus generation algorithm including a biprimality testing algorithm in a multiparty setting [Boneh1997]. The algorithm works with semihonest adversaries^{1}^{1}1Semihonest nodes precisely follow the protocol (like honest nodes) but try to collect information for malicious purposes during their communications. They are also called honest but curious. in a honest majority.
Another direction was taken by Algesheimer [Algesheimer2002] and by Damgard and Mikkelsen [Damgard2010]. The authors suggested to compute a full primality test of the factors while keeping them secret instead of a biprimality test by executing a distributed MillerRabin test [Rabin1980]. Gilbo presented a secure version of the protocol based on the Boneh and Franklin technique [Boneh1997].
The first work on twoparties protocol with one of the party being semihonest has began with [Cocks] but was found to be insecure by [Blackburn1999]
More recently, Frederiksen [Frederiksen] proposed an algorithm using a new distributed product routine running in a twoparty setting both in a semihonest and in a malicious environment by using modern techniques such as Oblivious Transfer extensions [Asharov2017]; this solution runs in 40 seconds, compared to 15 minutes of the previous fastest protocol. In this paper, we propose a multi party algorithm for multiparty RSA modulus generation by extending the Frederiksen’s protocol [Frederiksen] to more than two parties. We start by reviewing the original protocol in the next section.
3 Frederiksen’s protocol
3.1 Algorithm set up
3.1.1 Objective
The algorithm aims to generate two large prime random numbers and of the same order (i.e., having the same bitlength) and the distributed computation of their product . The numbers and are bit numbers, i.e., . A fundamental requirement is that none of the party involved in the computation can be able to retrieve either or .
3.1.2 System model
Consider a network made of a set of two nodes which decide to collaborate to run the protocol. The protocol makes the following additional assumptions:

[label=A.0]

Semihonest participants. Both nodes follow the protocol. However, one of them could try to guess the secret shares of the other one to retrieve the factorization of the public modulus.

Reliable networking layer. Every message is received in the same way it has been sent with probability one and in finite time.
3.1.3 Protocol outline
At a high level, the proposed algorithm involves the following steps:

[label=P.0]

Random number generation. The two active nodes and respectively generate the numbers , and , .

Fast trial divisions. The active nodes run fast trial divisions by small primes numbers on both and to quickly discard wrong candidates. If or fail the test, the algorithm restarts from P.1.

RSA modulus computation. The two parties compute in a distributed way without revealing information on key’s parts.

Biprimality test. A biprimality test verifies whether is a product of two prime numbers whp. If the biprimality test fails, the algorithm restarts from P.1.
In the next subsection, we will describe rigorously each part of the protocol.
3.2 Detailed protocol
3.2.1 Random number generation
The goal of this step, is for node (resp. ) to pick two numbers , (resp. , ). Let and be the sum of the number generated by the two nodes. However the biprimality test (step P.4 of the protocol) requires
(1) 
Hence, the protocol enforces that (resp. ) randomly picks two numbers , (resp. , ). After that, node (resp. node ) concatenates two zeros (resp. two ones) to satisfy Eq. (1), i.e., and (resp. and ).
3.2.2 Fast trial divisions
As a protocol optimization, we can discard some trivial nonprime candidates to reduce the number of the algorithm iterations. The idea is to divide the candidates with small prime numbers.
Let be a certain threshold, which indicates the number of prime numbers that we want to test. For each prime , and run a divisibility test for and . The divisibility test consists in computing the remainder of while keeping secret and . The above is described in algorithm 1. The parties test if or, equivalently, . We use the outof Oblivious Transfer (OT) algorithm^{2}^{2}2We refer the interested reader to Appendix outof Oblivious Transfer for further information on the algorithm. to hide the rest of the modulus of to . The same test has to be ran for .
In the algorithm, inputs to the OT, while requests from the OT and send it to . Then, can check if : if yes, then and the protocol has to be restarted.
Finally, one can note that this step is parallelizable by running different divisibility tests simultaneously with different values of .
3.2.3 RSA modulus computation
This step aims to compute the product between and , i.e.,
While the terms and can be computed locally by and , the two remaining terms must be computed in a distributed way. To this end, the protocol defines the procedure distr_product.
Let us assume knows and knows , and the two nodes want to compute without disclosing their number to the other party. Moreover, let
be the minimum number of bits necessary to represent and . Then, given an input , for bit , we can define the function
Note that we count bits from the least significant digit.
For each bit of , generates
and the instantiates an OT with as an input. Then, requests . Finally, computes
and computes
Hence,
To calculate without information leakage, will compute (resp. ) and will compute (resp. ) by running distr_product(, ) (resp. distr_product(, )). Finally, will share with and will share such as
Importantly, the algorithm allows each party to only have partial information of the output, while their sum is the exact output. In order to dissimulate information, the parties only share the sum of all the partial product they compute.
3.2.4 Biprimality test
This test, inspired by [Boneh1997], is composed of two parts, and requires to perform times a random filtering test.
Then the parties verify in a distributed way that .
4 Generalization to n participants
The aforementioned twoparty protocol is proven to work securely in a semihonest environment. Here, we will present our generalization to parties while keeping the same highlevel structure. Also, we make sure that the computational complexity and the network overhead are reasonably low, to keep the efficiency of the algorithm similar to the one in [Frederiksen].
4.1 System model
We consider a set of nodes which participates to the protocol. We refer to node as . For the sake of simplicity, we assume the number of participants to be , where .
We keep the assumption of a perfect networking layer and semihonest participants. However, we also consider the scenario where some of them can collude and communicate their private information in order to derive the private key. From the point of view of an honest node, it is not possible to detect such a behaviour as all nodes actually follow the protocol.
4.2 Key’s parts generation
Each node has to generate a pair . Moreover, we define and . Since, the biprimality test requires that and (see Eq. (1)), the protocol enforces that:

randomly picks two numbers , and concatenates two ones to satisfy Eq. (1), i.e., and

all the other nodes , where , randomly picks two numbers , , and concatenates two zeros, i.e., and .
Node can be selected through leader election (potentially based on some node characteristics, such as reputation or hash). We note that the selection of this node does not influence the outcome of the protocol, as it only affects the generation of the two last bits of its secret numbers.
4.3 Fast trial divisions
Generalizing the division to parties is complicated as the original algorithm was specifically designed for two parties. We unstress the constraint of using OTs to communicate the secret shares remainder modulus . Our division works in turns. We set and during the first turn, there is a consensus on a selection of a subset and a bijection
between and the set of nonselected nodes. Each nonselected node will send its secret share to its associated node in which will sum it with its own secret share modulus . In the second turn, we will again select a subset of half of the nodes in and a bijection
between the selected and nonselected nodes such that the nonselected nodes will send the sum of the private share modulus they know. And the algorithm will iteratively divide the selected sets until only which contains only one node that will be able to output if . The algorithm 6 shows a pseudocode of this procedure.
The major issue in this algorithm is how to construct in a decentralized way such that everybody have the same and with a minimum amount of communications. We propose in algorithm 7 a way to solve this problem using a deterministic attribution of the associations using a hashing function preventing malicious parties to manipulate this part of the protocol. We assume the parties agree before the fast trials part on a seed and a certain hashing function such that we can construct for .The way this seed and are generated depends on the network’s goals and policies but they can agree to use the SHA256 hashing function and generate the seed using a distributed number generator. This technique allows to have no communication for finding consensus during the protocol.
The input of the hashing function in this algorithm contains , seed, and .

is here to change the output of the function at each division trial to prevent people from getting information from the same parties each time without having to agree on a new seed each time.

plays the same role be between each turn of one division

is here to make sure that is a permutation of and does not contain twice the same number while allowing people to compute on their own without communicating.
4.4 Distributed multiplication
In this subsection, we want to compute in a similar way to the Frederiksen’s algorithm. First, note that
(2) 
The first term of the left hand side of Equation 2 can be computed solely by every party. As for the second term, for each pair with , the nodes and have to compute in a distributed way without disclosing their secret shares. We then suggest that and run the distr_product routine and compute for and for for computing and respectively they would compute and while computing .
Finally, we have for each party , computes
and broadcast it to everyone so that everybody can compute . At that point, N is a public information to everyone.
4.5 Biprimality test
First part
In this section we keep the same idea of testing for a certain randomly generated if . This part can be easily done in a decentralized way with properties offered by the exponentiation. The parties elect a leader that will generate a number with Jacobi symbol over equal to and shares it with everybody. Then each party will compute and send it to . Once received all the , it will compute . Finally, if , broadcasts otherwise it broadcasts . The algorithm 10 gives the details of this procedure. This test returns if is composite of two prime numbers but have a probability of to return otherwise. Therefore, in order to increase the reliability of this algorithm, the parties should run it time with such that is a probability low enough to return for a wrong modulus.
We can see it is important for to be in in order to be able to compute negative exponents by using . The way of electing . A way that can be done is using the hashing function and the seed defined in the fast trial divisions in order to elect implicitly the leading party at each trial without requiring further communications.
Second part
In this part, we want compute where is a number generated by a node . Let . In the same idea as for the distributed multiplication, we can rewrite as
(3) 
The have the same schema as for the distributed multiplication whith the first term of the left hand of Equation 3 which can be computed solely by a node and the other term has to be computed using distr_product. Finally they share all the sum of their parts of computation similarly to in the distributed multiplication and they compute . Finally each node can verify on its own wether . If so, the modulus can be used, otherwise, the protocol has to be restarted.
5 Network overhead
Here we present a theoretical analysis of the amount of communications necessary for a successful try. We use br as an abbreviation for “broadcast”.
5.1 Fast trial divisions
Considering a single division, if we consider for simplicity we have participants, we have steps where for the th step, parties send their values to someone else. In the worst case, which is the node which will return the value, it makes communications to receive the data plus one communication to return the result. In the best case, which is a node communicating it’s private share modulus the small prime at the first round, it only makes on connection to give and one to receive the output.
So we have for different fast trial divisions, each party operates the following amount of communications:

WorstCase :

BestCase :
5.2 Distributed multiplication
Let us count for a single multiplication of with two bits numbers. For each bit the two parties instantiate an OT and either input or receives a value from it which makes communications per party. Then as each party computes two product with the other parties, they operate communications plus OT instantiations. Finally we have a question of how sharing the final values in order to add everything to get . We can suppose everyone broadcasts their final value .
Finally we get communications per party for the distributed multiplication plus oblivious transfer initializations.
5.3 Biprimality test  First part
In this part, the chosen party to generate only broadcasts the value of , then the other parties communicate their exponentiation with a single communication and finally the first party communicates the output with a broadcast.
Then we have for each party according to the role during the trials

WorstCase :

BestCase :
5.4 Biprimality test  Second part
Here we have something really similar to the distributed multiplication part except the multiplications ar bits longs here. Then each party operates communications plus OT instantiations.
We can see the theoretical amount of communication is linear with the growth of and so we have a quadratic growth of the global amount of communications. Furthermore, we can parallelize a great part of the steps. For example we can run various fast trial divisions in parallel with a different prime number and massively parallelize the multiplications.
outof Oblivious Transfer
A outof Oblivious Transfer (OT) is a cryptosystem which allows a sender to propose messages and a receiver to chose one of them without the sender knowing which one. We can also consider a random 1outof OT which sends the messages to the sender instead of receiving an input. This cryptosystem allows two people to share information without disclosing knowledge on the choice of the receiver and the other options he could have chosen. This will be used as a way to compute distributed multiplications and in other situations in the protocol. The behaviour of this mechanism is specified in algorithm 12.