Weaknesses in Shared RSA Key Generation Protocols

  • Simon R. Blackburn⋆
  • Mike Burmester
  • StevenD. Galbraith⋆⋆⋆
  • Simon Blake-Wilson⋆⋆
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1746)


Cocks proposed a protocol for two parties to jointly generate a shared RSA key. His protocol was designed under the assumption that both parties follow the protocol. Cocks proposed a modification to the protocol to prevent certain attacks by an active adversary. The paper presents attacks that show that the Cocks protocols are not secure when one party deviates from the protocol.


Active Adversary Secret Information Passive Adversary 30th STOC Private Decryption 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    M. Bellare and S. Goldwasser, Lecture Notes in Cryptography. 1996. Available at
  2. 2.
    S.R. Blackburn, S. Blake-Wilson, M. Burmester and S.D. Galbraith, ‘Shared generation of shared RSA keys’ Technical report CORR 98-19, University of Waterloo. Available from
  3. 3.
    D. Boneh and M. Franklin, ‘Efficient generation of shared RSA keys’, in B.S. Kaliski Jr., editor, Advances in Cryptology-CRYPTO ‘97, Lecture Notes in Computer Science Vol. 1294, Springer-Verlag, 1997, pp. 425–439.Google Scholar
  4. 4.
    C. Cocks, ‘Split knowledge generation of RSA parameters’, in M. Darnell, editor, Cryptography and Coding: 6th IMA Conference, Lecture Notes in Computer Science Volume 1355, Springer-Verlag, 1997, pp. 89–95.Google Scholar
  5. 5.
    C. Cocks, ‘Split generation of RSA parameters with multiple participants’, 1998. Available at
  6. 6.
    D.E. Denning and D.K. Branstad, ‘A taxonomy of key escrow encryption schemes’, Communications of the A.C.M., Vol. 39,No.1 (1996), pp. 24–40.Google Scholar
  7. 7.
    A. Fiat and A. Shamir, ‘How to prove yourself: Practical solutions to identification and signature problems’, in A.M. Odlyzko, editor, Advances in Cryptology-CRYPTO ‘86, Lecture Notes in Computer Science Vol. 263, Springer-Verlag, 1987, pp. 186–194.Google Scholar
  8. 8.
    Y. Frankel, P.D. MacKenzie, M. Yung, ‘Robust efficient distributed RSA key generation’, In Proc. of 30th STOC, 1998, pp. 663–672.Google Scholar
  9. 9.
    R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, ‘Robust and efficient sharing of RSA functions’, in N. Koblitz, editor, Advances in Cryptology-CRYPTO’ 96, Lecture Notes in Computer Science 1109, Springer-Verlag, 1996, pp. 157–172.CrossRefGoogle Scholar
  10. 10.
    N. Gilboa, ‘Two party RSA key generation’, in M. Weiner, editor, Advances in Cryptology-CRYPTO’ 99, Lecture Notes in Computer Science 1666, Springer-Verlag 1999, pp. 116–129.Google Scholar
  11. 11.
    G. Poupard, J. Stern, ‘Generation of shared RSA keys by two parties’, In ASI-ACRYPT’ 98, 1998, pp. 357–371.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1999

Authors and Affiliations

  • Simon R. Blackburn⋆
    • 1
  • Mike Burmester
    • 1
  • StevenD. Galbraith⋆⋆⋆
    • 1
  • Simon Blake-Wilson⋆⋆
    • 1
  1. 1.Department of MathematicsRoyal Holloway, University of LondonSurreyUK

Personalised recommendations