What are the key challenges shared by both additive and multiplicative splitting of the secret exponent for double signatures?
Neither variant lets the customer verify that two distinct parties actually signed, and neither share can be generated without knowing $d$ — so both require a trusted third party to hand out the shares.
* Both start from a TTP splitting d: additive lets the partners sign in parallel; multiplicative forces a sequence and a coprimality condition on d1. *
Whichever way the secret exponent $d$ is split, the final signature is just a normal RSA signature, and that creates two practical problems.
The two ways to split $d$:
- Additive — $d \equiv d_1 + d_2 \pmod{\varphi(N)}$, signed as $s = m^{d_1} \cdot m^{d_2} = m^{d_1 + d_2} \bmod N$; the two partial signatures can be made independently and multiplied together.
- Multiplicative — $d \equiv d_1 \cdot d_2 \pmod{\varphi(N)}$, signed as $s = (m^{d_1})^{d_2} = m^{d_1 \cdot d_2} \bmod N$; here the parties must sign in sequence.
The first problem is verification: because the output is an ordinary RSA signature, a customer checking $m \equiv s^e \bmod N$ has no way to tell whether two separate institutions signed or one institution signed twice — the "two-party" property is invisible in the result. The second is key distribution: the shares are not independent, since recovering the second from the first needs the full secret ($d_2 \equiv d \cdot d_1^{-1} \bmod \varphi(N)$). So a trusted third party must generate $d$, split it, and deliver one share to each institution while keeping $d$ secret from both — and it must be trusted not to collude or sign on its own. Reassuringly, holding one share alone reveals nothing about $d$. For multiplicative splitting there is an extra constraint: $d_1$ must be coprime to $\varphi(N)$, otherwise its inverse — and hence $d_2$ — would not exist.
Go deeper:
Threshold cryptosystem — trust and key distribution — how real threshold schemes remove the single trusted dealer these RSA splits still need.