Cocks (1997) has recently described a protocol for two parties to generate an RSA modulus N = PQ where neither party has knowledge of the factorisation, but which enables the parties to collaborate to decipher a encrypted message. We describe a number of ways in which it is possible for one of the parties to the protocol to cheat and obtain knowledge of the factorisation, and suggest modifications to the protocol to guard against cheating. 1 Introduction At the last IMA Conference on Cryptography and Coding, Cocks [3] described a protocol for two parties to generate an RSA modulus N = PQ where neither party has knowledge of the factorisation, but which enables the parties to collaborate to decipher a encrypted message. An alternative method is described by Boneh and Franklin [2]. His protocol allows two parties A and B to form an RSA modulus N = PQ in such a way that neither party has knowledge of the factorisation, but the two parties can combine later to decipher a encrypted messa...