2

New to site so this may have been asked before: Can multi-prime RSA, i.e. where N is product of three or more distinct primes, be used for secure communication while allowing distinct authoritative entities to decrypt the messages when under a proper court order to do so?

For instance, let $N=p\cdot q\cdot r$, let $(N,e)$ be the public key and let $(N,d)$ the private key as usual. But have the generating algorithm securely send $(N,e,p)$ to, say, the Supreme Court, $(N,e,q)$ to the Executive and $(N,e,r)$ to Congress. Then no one entity alone could decrypt, but any pair could. Can this or some variation work? Would this require that two-prime RSA be outlawed?

It is also known that multi-prime RSA has a narrower range of exponents vulnerable to the lattice-based reduction algorithm attack. See N. Ojha and S. Padhye "Cryptanalysis of Multi Prime RSA with Secret Key Greater than Public Key", IJNS, Jan. 2014.

yyyyyyy
  • 12,261
  • 4
  • 48
  • 68
wjv3
  • 21
  • 2

1 Answers1

1

That sorts of works, but:

  • Whatever decrypts will need the full private key, and will be a potential single point of failure.
  • The system can be secure only if each of $pq$, $qr$, and $rp$ is wide enough to be hard to factor; so if you want to be as secure a 4096-bit RSA, you need a 6144-bit public modulus.
  • We can achieve the same functionality by using two-factors RSA (thus reducing the size of the public modulus at equivalent security), and Shamir's secret sharing for the private key (or the seed that was used to generate the private key, with the added bonus that the shared secrets can be short enough to be keyed-in).
  • We can achieve better functionality using two-factors RSA and a private/public key pair per entity, with each file encrypted with secret-key cryptography like AES and a random key, shared using Shamir's secret sharing, with the secret shares RSA-encrypted. That way, the number of autorities necessary to decipher, thresold... can be chosen on a per-file basis; and most importantly, the multiple private keys never need to be brought together.
fgrieu
  • 149,326
  • 13
  • 324
  • 622