Generate private key in distributed fashion

[osresearch]

There are lots of papers on using oblivious transfer or other mechanisms to generate the private key so that it never lives in one place. An example protocol: https://medium.com/@benny.pinkas/fast-distributed-rsa-key-generation-against-malicious-adversaries-faaaab96821d

Alice learns shares p1 and q1, and Bob learns shares p2 and q2, such that p=p1+p2 and q=q1+q2 are primes, and N=pq. None of the parties has any other information about the shares of the other party. Alice and Bob then run a short protocol for computing shares d1, d2 of the decryption exponent.

If the protocol is not extensible to more than two parties, Alice and Bob can further split their d1 and d2 such that the additional parties have parts from each Alice and Bob, but neither Alice nor Bob know any of the private shares.

[osresearch]

Looks like the authors of that particular paper have a company selling distributed HSM products, which is why they didn't publish any source code to go with it. Boo.