So another implementation of RSA involves what's known as multi-party RSA. And the idea here is that we may have a group of people that want to collaborate on some document. So for example, we might have a group that's trying to write a document. And one of the things we can do is we can keep the encrypted document on a server. And when they want to make changes to it, they can check it out, edit it, and upload the new version.

However, the collaboration poses some new cryptographic challenges. One is that maybe our group size isn't fixed and we may want to add some people to the group later on. So how can we add somebody to the group easily? Well, we could just give them the keys, but the problem is at some point we may decide that a person does not belong in the group anymore. We need a good way of being able to revoke their privileges. Now, in the real world, what happens is if we give somebody keys and then we want to remove their privileges, we can't just take away their key, because we don't know whether they've made copies of it or not. We have to take away everybody's keys and reissue a set of keys. And this is something that it would be nice to avoid having to do.

So Jesse Lipson, founder of Sharefile Incorporated, which he sold in 2011 to Citrix for $93 million (pocket change for a cryptographic application, I know), invented the following approach to this problem of collaboration. And the idea is that what we're going to do is set up a whole bunch of individual RSA systems. So let's take our initial collaborators, and what they're going to do is use a standard RSA approach and set up their own public moduli, N1, N2, N3, and so on. One important thing is they have to verify that these are all co-prime, because otherwise the entire system is insecure.
And again, as a group, they choose some suitable public exponent E and compute their respective secret decryption exponents, D1, D2, and so on. So as a group, they choose the public exponent. Individually, they choose their public moduli and find their individual decryption exponents.

Now, let's say Alice then wants to encrypt a message and upload it to the server. So as with standard RSA, Alice is going to compute P to the power E mod each of the individual moduli. And this is going to give her a set of ciphertext values. Well, rather than uploading each of these individually so that Bob can go and find his ciphertext value and Charlie can go and find his ciphertext value and so on, what she's going to do is use the Chinese remainder algorithm and solve the congruences. She's going to find a number that gives c1 when taken mod N1, c2 when taken mod N2, and so on. And she's going to upload this common value x to the server. And so when somebody with modulus N2 comes in, they download this value x, they reduce it mod their N2, and they get the proper value for the ciphertext. And somebody else with N3 comes in, they download x, they reduce x mod N3, and they get the proper ciphertext to use. So this way, there's only a single value that has to be uploaded to the server, and then everybody interprets it in their own way.

Well, let's take a look at how this works. If I want to add people, all I have to do is go through a similar process. So the public exponent has already been chosen, so they need to then choose their own public modulus and find their corresponding private exponent. Now, here's where somebody has to take charge. There has to be an existing group member, an administrator, for example. They need to download, decrypt, and then re-encrypt all of the files that this new person has access to, except this time they're going to incorporate the new modulus.
So they're going to extend that Chinese remainder theorem algorithm by one more congruence. And what's important here to notice is that nobody in the group has to change anything. They can still use the same public modulus they had. They can still use the same private decryption exponent. The only work that has to be done is by the administrator, or the person who gives this new person access to the group files. And so this is a significant advantage.

On the other hand, suppose somebody leaves the group. Well, if we want to keep the group information, if we want to deny this person access to the group information, we need to eliminate their modulus and their private exponent. Well, we don't need their private exponent anyway. And then we're going to go through the same process. The administrator downloads, decrypts, and re-encrypts all the files, but this time without the modulus of the former group member. And again, nobody in the group has to change anything that they're doing. The only thing that has to happen is the person responsible for adding or removing collaborators has to update all of the files.

So for example, let's say Alice, Bob, and Charlie collaborate, and they're going to use 629, 2173, and 1159 as their respective public moduli. And together they choose E equals 23 as the public exponent. Apropos of the Håstad attack, E equals 23 is far too small for this to be useful. The risk that we run with this type of system is that a small public exponent allows us to mount a very successful Håstad attack. So we need to, in practice, choose a very large public exponent. We'll ignore that refinement for right now.

So Alice has the number 157 she wants to upload, and so she goes through the computational process. So she calculates 157 to the 23, that's 404 mod 629, or 157 to the 23, that's 179 mod 2173, and so on. The way to look at this is if she wants to send this number to the person with modulus 629, she would send the number 404.
If she wants to send this number to the person with modulus 2173, she would send the number 179, and so on. So she computes the numbers she would have had to send to the other collaborators, but rather than sending those individual numbers, she then tries to solve the following Chinese remainder theorem problem. She wants to find a number that's congruent to 404 mod 629 and also 179 mod 2173 and also 750 mod 1159. And she does so, she finds the lowest such number, and that works out to be this. This is the number that's uploaded to the server.

So now, suppose Charlie wants to access the file. So he goes to the server, and it turns out that his public modulus is 1159, and for the exponent 23, he knows that his decryption exponent is going to be 47. Nobody else knows this information. Charlie is the only one who knows it. But he goes to the server, and he downloads this value that Alice has uploaded, and he reduces that mod 1159, and he finds that this is congruent to 750. And in effect, if Alice was sending the file directly to him, Alice would have sent the number 750. Because she's sending it to the group, she sends this number, and this number, when reduced, gives Charlie the correct number. And then he uses his private exponent, 47, to decrypt the message 157.

Well, suppose there is a difference of opinion, and Charlie leaves the group. We don't want Charlie walking away with all the proprietary information, so we need to deny Charlie access to this information. And so what we have to do is replace the uploaded value with a new value that will not allow Charlie to decrypt it. So Alice, or really anybody else who can decrypt the number, any of the remaining group members, or again, if we want to put this responsibility on a single administrator, whoever the administrator is, needs to calculate, well, there's our old value, still using the same public exponent.
And actually, these values are the same as we calculated beforehand. We're just going to omit Charlie's value because he's not there anymore. We then solve the congruence. Again, we've dropped out Charlie's number, so now we have a system of two congruences and a solution 1277903, and this is the new upload value.

So Charlie tries to sneak back in. So the numbers have been changed. He tries to access the file. He downloads this number, reduces it by his modulus. He gets 683, but the problem is that when he uses his private exponent to try and decrypt the number, he gets this, which is not what the correct value is. Well, he knows everybody else's public moduli, so can he make use of that? Well, he might try. So he takes, for example, Bob's modulus, and so he downloads the number. He uses Bob's modulus and finds that Bob is getting the number 179. Except this doesn't help him, because in order to decrypt 179 using Bob's modulus, he has to know Bob's secret exponent, and he doesn't know that. In effect, Charlie has to solve an RSA problem to find this information. And so Charlie has been effectively denied access at this point.
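
The scheme walked through above, as an added Python example that is not part of the lecture: it builds the single upload value with the Chinese remainder theorem, checks that the moduli are pairwise co-prime, and repeats the encryption without Charlie's modulus to revoke him. The function names and the prime factorisations of 629, 2173 and 1159 are worked out here for the example and are not given in the lecture.

```python
from math import gcd
from itertools import combinations

E = 23  # group public exponent from the lecture (far too small for real use)

def crt(residues, moduli):
    """Smallest non-negative x with x % n_i == c_i, built one congruence at a time."""
    x, m = 0, 1
    for c, n in zip(residues, moduli):
        # Lift the solution mod m to a solution mod m*n; needs gcd(m, n) == 1.
        x += m * (((c - x) * pow(m, -1, n)) % n)
        m *= n
    return x

def group_encrypt(plaintext, moduli, e=E):
    """One upload value that every current member can reduce and decrypt."""
    for a, b in combinations(moduli, 2):
        if gcd(a, b) != 1:
            raise ValueError(f"moduli {a} and {b} share a factor; group is insecure")
    if plaintext >= min(moduli):
        raise ValueError("plaintext must be smaller than every member modulus")
    return crt([pow(plaintext, e, n) for n in moduli], moduli)

def member_decrypt(upload, n, d):
    """Reduce the shared value mod the member's own modulus, then RSA-decrypt."""
    return pow(upload % n, d, n)

def private_exponent(p, q, e=E):
    """Toy key generation from the member's secret primes (assumed helper)."""
    return pow(e, -1, (p - 1) * (q - 1))

# The lecture's toy moduli; the factors below are each member's secret.
ALICE, BOB, CHARLIE = 629, 2173, 1159
D_ALICE = private_exponent(17, 37)
D_BOB = private_exponent(41, 53)
D_CHARLIE = private_exponent(19, 61)  # 47, as in the lecture

if __name__ == "__main__":
    x3 = group_encrypt(157, [ALICE, BOB, CHARLIE])
    print("upload for three members:", x3)
    print("Charlie decrypts:", member_decrypt(x3, CHARLIE, D_CHARLIE))
    x2 = group_encrypt(157, [ALICE, BOB])  # Charlie's modulus dropped
    print("upload after revocation:", x2)
    print("Bob still decrypts:", member_decrypt(x2, BOB, D_BOB))
    print("Charlie now gets:", member_decrypt(x2, CHARLIE, D_CHARLIE))
```

Revocation only protects uploads re-encrypted after the member is removed; anything Charlie decrypted while he was in the group stays known to him.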