RSA Key Generation with Verifiable Randomness

  • Ari Juels
  • Jorge Guajardo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2274)


We consider the problem of proving that a user has selected and correctly employed a truly random seed in the generation of her RSA key pair. This task is related to the problem of key validation, the process whereby a user proves to another party that her key pair has been generated securely. The aim of key validation is to persuade the verifying party that the user has not intentionally weakened or reused her key or unintentionally made use of bad software. Previous approaches to this problem have been ad hoc, aiming to prove that a private key is secure against specific types of attacks, e.g., that an RSA modulus is resistant to elliptic-curve-based factoring attacks. This approach results in a rather unsatisfying laundry list of security tests for keys.

We propose a new approach that we refer to as key generation with verifiable randomness (KEGVER). Our aim is to show in zero knowledge that a private key has been generated at random according to a prescribed process, and is therefore likely to benefit from the full strength of the underlying cryptosystem. Our proposal may be viewed as a kind of distributed key generation protocol involving the user and verifying party. Because the resulting private key is held solely by the user, however, we are able to propose a protocol much more practical than conventional distributed key generation. We focus here on a KEGVER protocol for RSA key generation.

Key words

certificate authority, key generation, non-repudiation, public-key infrastructure, verifiable randomness, zero knowledge



Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  1. Ari Juels, RSA Laboratories, Bedford, USA
  2. Jorge Guajardo, Department of Electrical Engineering and Information Sciences, Ruhr-Universität Bochum, Germany
