Southern Arkansas University Cryptography Paper

Mathematics

Southern Arkansas University Main Campus

Assignment 7

1. Alice picked a 4-bit secret number 13 and Bob picked another 4-bit secret number 10. Show how it can be determined that 13 + 10 is a prime without revealing their secrets.

Efficient Generation of Shared RSA Keys (Extended Abstract)

Dan Boneh, Bellcore, 445 South St., Morristown, NJ 07960, USA (dabo@bellcore.com)
Matthew Franklin, AT&T Labs, 180 Park Ave., Florham Park, NJ 07932, USA (franklin@research.att.com)

Abstract. We describe efficient techniques for three (or more) parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication.

Keywords: RSA, Threshold Cryptography, Primality testing, Multiparty computation.

1 Introduction

We propose efficient protocols for three (or more) parties to jointly generate an RSA modulus N = pq where p, q are prime. At the end of the computation the parties are convinced that N is indeed a product of two large primes. However, none of the parties know the factorization of N. We then show how the parties can proceed to compute a public exponent e and shares of the corresponding private exponent. Our techniques require a number of steps including a new distributed primality test. The test enables two (or more) parties to test that a random integer N is a product of two large primes without revealing the primes themselves.

Several cryptographic protocols require an RSA modulus N for which none of the participants know the factorization. For examples see [11, 12, 14, 19, 20, 21]. Usually this is done by asking a dealer to generate N. Clearly, the dealer must be trusted not to reveal the factorization of N.
Our results eliminate the need for a trusted dealer since the parties can generate the modulus N by themselves. Threshold cryptography is a concrete example where shared generation of RSA keys is very useful. We give a brief motivating discussion and refer to [9] for a survey. A threshold RSA signature scheme involves k parties and enables any subset of t of them to generate an RSA signature of a given message. No subset of t − 1 parties can generate a signature. A complete solution to this problem was given in [8]. Unfortunately, the modulus N and the shares of the private key were assumed to be generated by a dealer. The dealer, or anyone who compromises the dealer, can forge signatures. Our results eliminate the need for a trusted dealer (as long as t < ⌈k/2⌉) since the k parties can generate N and the private shares themselves. Such results were previously known for the ElGamal public key system [22], but not for RSA.

We note that generic secure circuit evaluation techniques, e.g. [26, 17, 3, 6], can also be used to generate shared RSA keys. After all, a primality test can be represented as a boolean circuit. However, such general techniques are usually too inefficient.

Our protocols are useful even when only two parties are involved. However, some steps of the protocol require the parties to interact with a third "helper" party we call Henry. At the end of the protocol Henry learns nothing but the value of N, which is public. To simplify the exposition we first describe our results for the case of two parties with a third helper (Sections 2-6). In Section 7, we explain how our methods generalize to more parties. An overview of our techniques is given in Section 2, and the various stages of the protocol are given in Sections 3-6.

2 Overview

In this section we give a high level overview of the protocol. The parties are Alice and Bob, with a third helper party Henry (see Section 7 for a generalization to more parties).
Alice and Bob wish to generate a shared RSA key. More precisely, they wish to generate an RSA modulus N = pq and a public/private pair of exponents e, d. At the end of the computation N and e are public, and d is shared between Alice and Bob in a way which enables threshold decryption. Alice and Bob should be convinced that N is indeed a product of two primes, but neither of them knows the factorization of N. We assume a model of passive adversaries, i.e. all three parties follow the protocol as required. At the end of the protocol no party is able to factor N. We discuss the case of active adversaries at the end of the paper. At a high level the protocol works as follows:

(1) Pick candidates: The following two steps are repeated twice.
  (a) Secret choice: Alice and Bob pick random n-bit integers p_a and p_b respectively, and keep them secret.
  (b) Trial division: Using a private distributed computation Alice, Bob and Henry determine that p_a + p_b is not divisible by small primes. If this step fails repeat step (a).
  Denote the secret values picked at the first iteration by p_a, p_b, and at the second iteration by q_a, q_b.
(2) Compute N: Using a private distributed computation Alice, Bob and Henry compute N = (p_a + p_b)·(q_a + q_b). Other than the value of N, this step reveals no further information about the secret values p_a, q_a, p_b, q_b.
(3) Primality test: Alice and Bob (without Henry) engage in a private distributed computation to test that N is indeed the product of two primes. If the test fails, then the protocol is restarted from step 1.
(4) Key generation: Alice and Bob engage in a private distributed computation to generate a public encryption exponent e and a shared secret decryption exponent d.

Notation. Throughout the paper we adhere to the following notation: the RSA modulus is denoted by N and is a product of two n-bit primes p, q. When p = Σ_i p_i we denote by p_i the share in possession of party i. Similarly for q_i.
When the p_i's themselves are shared among the parties we denote by p_{i,j} the share of p_i that is sent to party j.

Performance issues. Our protocol generates two random numbers and tests that N = pq is a product of two primes. By the prime number theorem the probability that both p and q are prime is asymptotically 1/n². Therefore, naively one has to perform n² probes on average until a suitable N is found. This is somewhat worse than the expected 2n probes needed in traditional generation of an RSA modulus (one first generates one prime using n probes and then a second prime using another n probes). This n/2 degradation in performance is usually unacceptable (typically n = 512). Fortunately, thanks to trial division things aren't so bad. Our trial division tests each prime individually. Therefore, to analyze our protocol we must analyze the effectiveness of trial division. Suppose a random n-bit number p passes the trial division test where all primes less than B are tested. We take B = c·n for some constant c. How likely is p to be prime? Using a classic result due to Mertens, DeBruijn [7] shows that asymptotically

  Pr[p prime | trial division up to B] = e^γ · ln B / (n · ln 2) · (1 + o(1/n)) = 2.57 · (ln B / n) · (1 + o(1/n)).

Hence, when n = 512 bits and ln B = 9 (i.e. B = 8103) the probability that p is prime is approximately 1/22. Consequently, traditional RSA modulus generation requires 44 probes while our protocol requires 484 probes. This eleven-fold degradation in performance is unfortunate, but manageable.

Generation of shares. In step (1) of the protocol each of Alice and Bob uniformly picked a random n-bit integer p_a, p_b as its secret share. The prime p was taken to be the sum of these shares. Since the sum of uniform independent random variables over the integers is not uniformly distributed, p is picked from a distribution with slightly less entropy than uniform. We show that this is not a problem.
For the generalization to k parties, each party i uniformly picks a random n-bit integer p_i. Then p = Σ_i p_i is at most an (n + log k)-bit number. One can easily show that p is chosen from a distribution with at least n bits of entropy (since the n least significant bits of p are a uniformly chosen n-bit string). Intuitively, these log k bits of "lost" entropy can not help an adversary, since they can be easily guessed (the number of parties k is small, certainly k < n). This is formally stated in the next lemma. We note that by allowing some communication between the parties it is possible to ensure that p is uniformly distributed among "most" n-bit integers.

A second issue is the fact that the shares themselves leak some information about the factors of N. For instance, party i knows that p > p_i. We argue that this information does not help an adversary either. The two issues raised above are dealt with in the following lemma. Due to space limitation we leave the proof for the full version. Let Z^(2) be the set of RSA moduli N = pq that can be output by our protocol above when k parties are involved. We assume k < log N.

Lemma 1. Suppose there exists a polynomial time algorithm A that, given a random N ∈ Z^(2) chosen from the distribution above and the shares {p_i} of k − 1 parties, factors N with probability at least 1/n^d. Then there exists an expected polynomial time algorithm B that factors 1/n^{d+2} of the integers in Z^(2).

3 Distributed primality test

We now consider the distributed primality test. We describe our protocol for the case of two parties, and discuss the case of k > 2 parties in Section 7. In the case of two parties, Alice and Bob possess integers p_a, q_a and p_b, q_b respectively. Both parties know N, where N = (p_a + p_b)(q_a + q_b). They wish to determine if N is the product of two primes. The primality test is a mix of the Solovay-Strassen [24] and the Rabin-Miller [23] primality tests.
We assume that the secret values chosen by the parties satisfy p_a ≡ q_a ≡ 3 mod 4 and p_b ≡ q_b ≡ 0 mod 4. This can be agreed upon beforehand and causes the resulting modulus N to be a Blum integer (see footnote 3), since p ≡ q ≡ 3 mod 4. The test is as follows:

1. Alice and Bob agree on a random g ∈ Z_N^*.
2. Alice computes the Jacobi symbol of g over N. If (g/N) ≠ 1 the protocol is restarted at step (1).
3. Otherwise, Alice computes v_a = g^{(N − p_a − q_a + 1)/4} mod N, and Bob computes v_b = g^{(p_b + q_b)/4} mod N. They exchange these values, and verify that v_a ≡ ±v_b (mod N). If the test fails then the parties declare that N is not a product of two primes. Otherwise they declare success.

Since p_a ≡ q_a ≡ 3 mod 4 and p_b ≡ q_b ≡ 0 mod 4 both exponents in the computation of v_a, v_b are integers after division by 4. The correctness and privacy of the protocol is proved in the next two lemmas.

Footnote 3: The primality test described in this section is best suited for Blum integers. For non-Blum moduli the test may leak a few bits of information depending on the power of two dividing lcm(p − 1, q − 1). For non-Blum integers N = pq with p ≡ q ≡ 1 mod 4 these problems can be avoided by performing the test in a different group (i.e. not in Z_N^*). We use a quadratic extension of Z_N.

Lemma 2. Let N = pq be an integer with p ≡ q ≡ 3 mod 4. If N is a product of two distinct primes then success is declared in all invocations of the protocol. Otherwise, for all but an exponentially small fraction of N, the parties declare that N is not a product of two primes with probability at least 1/2 (over the choice of g).

Proof. Observe that the test in step (3) of the protocol checks that g^{(N − p − q + 1)/4} ≡ ±1 mod N. Suppose p and q are prime. In step (2) we verify that (g/N) = 1. This implies (g/p) = (g/q). Since (g/p) ≡ g^{(p−1)/2} (mod p), (g/q) ≡ g^{(q−1)/2} (mod q), and both (p − 1)/2 and (q − 1)/2 are odd, it follows that g^{φ(N)/4} ≡ ±1 mod N. Since φ(N) = N − p − q + 1 when p and q are prime, it follows that the test in step 3 always succeeds.

Suppose at least one of p, q is not prime. That is, N = r_1^{d_1} ··· r_s^{d_s} is a nontrivial factorization of N with Σ d_i ≥ 3 and s ≥ 1. Set e = (N − p − q + 1)/4 = (p − 1)(q − 1)/4 to be the exponent used in step (3). Note that e is odd since p ≡ q ≡ 3 mod 4. Define the following two subgroups of Z_N^*:

  G = {g ∈ Z_N^* s.t. (g/N) = 1}  and  H = {g ∈ G s.t. g^e = ±1 mod N}.

To prove the lemma we show that |H| ≤ (1/2)|G|. Since H is a subgroup of G it suffices to prove proper containment of H in G, i.e. prove the existence of g ∈ G \ H. There are four cases to consider.

Case 1. Suppose s ≥ 3. Let a be a quadratic non-residue modulo r_3. Define g ∈ Z_N to be an element satisfying g ≡ 1 mod r_1, g ≡ −1 mod r_2, g ≡ a mod r_3 if (−1/r_2) = −1 (and g ≡ 1 mod r_3 otherwise), and g ≡ 1 mod r_i for i > 3. Observe that g ∈ G. Since e is odd, g^e ≡ g ≡ 1 mod r_1 and g^e ≡ g ≡ −1 mod r_2. Consequently, g^e ≢ ±1 mod N, i.e. g ∉ H.

Case 2. Suppose gcd(p, q) > 1. Then there exists an odd prime r such that r divides both p and q. Then r² divides N, implying that r divides φ(N). It follows that in Z_N^* there exists an element g of order r. Since r is odd we have (g/N) = (g/N)^r = (g^r/N) = (1/N) = 1, i.e. g ∈ G. Since r divides both p and q we know that r does not divide N − p − q + 1 = 4e. Consequently g^{4e} ≢ 1 mod N, implying that g^e ≢ ±1 mod N. Hence, g ∉ H.

Case 3. The only way N = pq does not fall into both cases above is if p = r_1^{d_1} and q = r_2^{d_2} where r_1, r_2 are distinct primes and at least one of d_1, d_2 is bigger than 1 (Case 2 handles N that are a prime power N = r^d). By symmetry we may assume d_1 > 1. Since Z_p^* is a cyclic group of order r_1^{d_1−1}(r_1 − 1) it contains an element of order r_1^{d_1−1}. It follows that Z_N^* also contains an element g of order r_1^{d_1−1}. As before, (g/N) = 1, i.e. g ∈ G. If q ≢ 1 mod r_1^{d_1−1} then 4e = N − p − q + 1 is not divisible by r_1^{d_1−1}. Consequently, g^{4e} ≢ 1 mod N, i.e. g ∉ H.

Case 4. We are left with the case N = pq with p = r_1^{d_1}, q = r_2^{d_2}, d_1 > 1 as above and q ≡ 1 mod r_1^{d_1−1}. In this case it may indeed happen that H = G. For example, p = 3^n and q = 2·3^{n−1} + 1 with n odd and q prime.
Observe that r_1^{d_1−1} ≥ √p > 2^{n/2}. Consequently, since p and q are chosen independently, the probability of q ≡ 1 mod r_1^{d_1−1} is less than 1/2^{n/2}. In addition, p has to be a prime power, which happens with probability less than n/2^{n/2}. The probability that both events happen is less than n/2^n. Hence, this case occurs with exponentially small probability. □

Integers N that fall into Case 4 above incorrectly pass the test. This can be rectified by adding a fourth step to the protocol to filter out these integers. With this extra fourth step our protocol becomes a complete probabilistic test for proving that N is a product of two primes. Due to space limitation we only give a high level description in the next subsection.

Lemma 3. Suppose p, q are prime. Then either party can simulate the transcript of the primality testing protocol. Consequently, neither party learns anything about the factors of N from this protocol.

Proof Sketch. Since p, q are prime we know that v_a = ±v_b mod N where v_a, v_b are defined as in step (3) of the protocol. Consequently, given either of v_a or v_b, the simulator can compute the other one up to sign. If v_a = v_b then (g/p) = (g/q) = 1, and if v_a = −v_b then (g/p) = (g/q) = −1. That is, the sign determines whether g is a quadratic residue or not modulo N. If the simulator chooses the sign according to the flip of an unbiased coin, the resulting distribution is indistinguishable from the true distribution assuming the hardness of quadratic residuosity modulo a Blum integer. □

We note that step (2) of the protocol is crucial. Without it the condition of step (3) might fail (and reveal the factorization) even when p and q are prime. We also note that in practice the probability that a non-RSA modulus passes even one iteration of this test is actually much less than a half.

3.1 A complete probabilistic primality test

Integers N that fall into Case 4 of Lemma 2 can be filtered out by adding an extra fourth step to our protocol.
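Before the fourth step, here is the three-step test of Section 3 together with the counting argument of Lemma 2, as an added Python example that is not code from the paper: primality_round runs steps 2-3 for one g, run_test repeats it with random g, and passing_fraction enumerates G and H exhaustively for a small constructed modulus. The share values and function names are constructed for the demonstration.

```python
from math import gcd
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd positive n: the quantity Alice checks in step 2."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # factor out 2 using the value of (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def primality_round(pa, qa, pb, qb, g):
    """Steps 2-3 for one g. Returns None when the Jacobi check fails (the parties would
    restart with a fresh g), otherwise whether v_a == ±v_b (mod N)."""
    assert pa % 4 == 3 and qa % 4 == 3 and pb % 4 == 0 and qb % 4 == 0
    N = (pa + pb) * (qa + qb)
    if jacobi(g, N) != 1:
        return None
    va = pow(g, (N - pa - qa + 1) // 4, N)   # Alice needs only N and her own shares
    vb = pow(g, (pb + qb) // 4, N)           # Bob needs only his own shares
    return va == vb or (va + vb) % N == 0    # v_a ≡ ±v_b (mod N)


def run_test(pa, qa, pb, qb, rounds=20, seed=1):
    """Repeat the test with random g in Z_N^*; accept only if every round succeeds."""
    rng = random.Random(seed)
    N = (pa + pb) * (qa + qb)
    done = 0
    while done < rounds:
        g = rng.randrange(2, N)
        if gcd(g, N) != 1:
            continue
        outcome = primality_round(pa, qa, pb, qb, g)
        if outcome is None:
            continue
        if not outcome:
            return False
        done += 1
    return True


def passing_fraction(pa, qa, pb, qb):
    """Lemma 2 made concrete: |H|/|G| for G = {g : (g/N) = 1} and H = {g in G : step 3 passes}.
    It is 1 when N is a product of two distinct primes and at most 1/2 otherwise."""
    N = (pa + pb) * (qa + qb)
    size_G = size_H = 0
    for g in range(1, N):
        if gcd(g, N) != 1:
            continue
        outcome = primality_round(pa, qa, pb, qb, g)
        if outcome is None:
            continue
        size_G += 1
        size_H += outcome
    return size_H / size_G


if __name__ == "__main__":
    # Constructed shares: Alice's are 3 mod 4, Bob's are 0 mod 4, as Section 3 requires.
    print(run_test(7, 3, 16, 16), passing_fraction(7, 3, 16, 16))   # p = 23, q = 19: N = 437
    print(run_test(7, 3, 16, 12), passing_fraction(7, 3, 16, 12))   # p = 23, q = 15 = 3·5: N = 345
```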
Due to lack of space we only give a high level description. There are two alternatives:

1. Let K be the group K = (Z_N[x]/(x² + 1))^* / Z_N^*. When N = pq is a product of two distinct primes, K contains (p + 1)(q + 1) elements (recall p ≡ q ≡ 3 mod 4). In this case all g ∈ K satisfy g^{(p+1)(q+1)} = 1. One can show that when N falls into Case 4, at least half the elements in K do not satisfy the above condition. Hence, by picking a random g ∈ K and jointly testing that g^{(p+1)(q+1)} = 1, Alice and Bob can eliminate all such N.
2. Alternatively, observe that N that fall into Case 4 satisfy gcd(N, p + q − 1) > 1. The parties can easily test this with the help of a third party, Henry. Alice picks a random r_a. Bob picks a random r_b. Using the protocol of the next section they compute z = (r_a + r_b)(p_a + q_a + p_b + q_b − 1) mod N and test that gcd(z, N) > 1. If so, then N is rejected. Unfortunately this test also eliminates a few valid RSA moduli, i.e. moduli N = pq with p, q prime and q ≡ 1 mod p.

4 Distributed computation of N

We now turn our attention to the computation of N. We describe our protocols for the case of two parties with a helper and discuss the case of k > 2 parties in Section 7. In the case of two parties, Alice and Bob possess integers p_a, q_a and p_b, q_b respectively. They wish to compute the integer N = (p_a + p_b)(q_a + q_b) such that at the end of the computation Alice has no information about p_b, q_b beyond what is revealed by the knowledge of N. The same should hold for Bob. To make the protocol secure in the information theoretic sense we require the help of a third "helper" party called Henry. Henry has no information about either p_i or q_i (for i = a, b) and the same should hold at the end of the protocol. Clearly, Henry learns N (since N is public) but he learns nothing more. Ben-Or, Goldwasser and Wigderson [3] (and similarly Chaum, Crépeau and Damgård [6]) describe an elegant protocol for private evaluation of general functions for three or more parties.
Their full technique is an overkill for the simple function we have in mind. We adapt and optimize their protocol in several ways so as to minimize the amount of computation and communication between the parties. From here on, let P > N be some prime. Unless otherwise stated, all arithmetic operations are done modulo P. The protocol works as follows:

Alice: Alice picks two random lines that intersect the y-axis at p_a, q_a respectively. This is done by picking two integers c_a, d_a ∈ Z_P^* and using the lines c_a x + p_a and d_a x + q_a. She evaluates each line at three points x_a = 1, x_b = 2, x_h = 3. Let p_{a,i} = c_a x_i + p_a and q_{a,i} = d_a x_i + q_a for i = a, b, h. Next, Alice picks two random numbers p_{b,a}, q_{b,a} and a random quadratic polynomial r(x) such that r(0) = 0. Set r_i = r(x_i) for i = a, b, h. She computes N_a = (p_{a,a} + p_{b,a})(q_{a,a} + q_{b,a}) + r_a. Finally, she sends p_{a,b}, q_{a,b} and p_{b,a}, q_{b,a} and r_b to Bob. She sends p_{a,h}, q_{a,h}, r_h and N_a to Henry.

Bob: Bob computes c_b = (p_{b,a} − p_b)/x_a and d_b = (q_{b,a} − q_b)/x_a. Note that the two lines c_b x + p_b and d_b x + q_b intersect the y-axis at p_b, q_b respectively and evaluate to p_{b,a}, q_{b,a} at x_a. Next, Bob computes p_{b,i} = c_b x_i + p_b and q_{b,i} = d_b x_i + q_b for i = b, h. He computes N_b = (p_{a,b} + p_{b,b})(q_{a,b} + q_{b,b}) + r_b and sends p_{b,h}, q_{b,h} and N_b to Henry.

Henry: Henry computes N_h = (p_{a,h} + p_{b,h})(q_{a,h} + q_{b,h}) + r_h. He then interpolates the quadratic polynomial α(x) that passes through the points (x_a, N_a), (x_b, N_b), (x_h, N_h). We have α(0) = N. Henry sends N to Alice and Bob.

To see that α(0) = N observe that the polynomial α(x) satisfies

  α(x) = ((c_a x + p_a) + (c_b x + p_b)) · ((d_a x + q_a) + (d_b x + q_b)) + r(x).

Indeed α(x_i) = N_i for i = a, b, h.

Lemma 4. Given N, Alice, Bob and Henry can each simulate the transcript of the protocol. Consequently, they learn nothing more than the value of N.

Proof Sketch. This is clear for Alice and Bob.
To simulate Henry's view the simulator picks p_{a,h}, q_{a,h}, p_{b,h}, q_{b,h}, r_h at random and computes N_h = (p_{a,h} + p_{b,h})(q_{a,h} + q_{b,h}) + r_h. It then picks a random quadratic polynomial α(x) satisfying α(0) = N and α(x_h) = N_h. It computes N_a = α(x_a) and N_b = α(x_b). These values are a perfect simulation of Henry's view. □

The protocol's communication pattern is very simple: initially Alice sends one message to Bob and one to Henry. Then Bob sends a message to Henry. Finally, Henry publishes the value of N. Hence, during the protocol only three messages are sent. The protocol is also efficient in computation since only three multi-precision multiplications are performed. The protocol differs from the BGW protocol in two ways. First, there is no need for a truncation step. Second, to minimize the number of messages we let Alice pick her shares p_{b,a} and q_{b,a} of Bob's secret. Bob then picks his polynomial to be consistent with Alice's choice.

5 Trial division

In this section, we consider the trial division step. We describe our protocol for the case of two parties with a helper and discuss the case of k > 2 parties in Section 7. Let q be some random number. The first step in testing the primality of q is trial division, which tests if q is divisible by any small prime. In our case q = q_a + q_b where Alice knows q_a and Bob knows q_b. Let p_1, ..., p_j be the set of small primes to be considered. Together they wish to test that q ≢ 0 mod p_i for all i, 1 ≤ i ≤ j, without revealing any other information about q_a, q_b. This is equivalent to testing that q_a mod p_i ≠ −q_b mod p_i for all i, 1 ≤ i ≤ j. A number of simple protocols have been proposed for privately evaluating the equality predicate [15], including one with a third helper party, based on universal classes of hash functions [5, 25] (attributed to Noga Alon in [15]). Using this equality test, the trial division protocol is as follows:

Alice: Pick random c_i ∈ Z_{p_i} and d_i ∈ Z_{p_i}^*.
Compute u_i = c_i + d_i q_a mod p_i, for all i, 1 ≤ i ≤ j. Send c_1, d_1, ..., c_j, d_j to Bob and u_1, ..., u_j to Henry.

Bob: Compute v_i = c_i − d_i q_b mod p_i for all i, 1 ≤ i ≤ j. Send v_1, ..., v_j to Henry.

Henry: Output "pass" if u_i ≠ v_i for all i, 1 ≤ i ≤ j. Otherwise, output "fail".

Lemma 5. The output of the protocol is "pass" if and only if q ≢ 0 mod p_i for all i, 1 ≤ i ≤ j.

Lemma 6. When the output is "pass", each party can simulate its view of the transcript of the protocol. Consequently, when the output is "pass", the parties learn nothing about q other than the fact that q ≢ 0 mod p_i for all i, 1 ≤ i ≤ j.

6 Shared generation of public/private keys

In this section, we consider the step of key generation. We describe our protocol for the case of two parties and discuss the case of k > 2 parties in Section 7. Suppose Alice and Bob have successfully computed N = pq = (p_a + p_b)(q_a + q_b). They wish to compute shares of d = e^{-1} mod φ(N) for some agreed upon value of e. We have two approaches for computing shares of d. The first only works for small e (say e < 1000) but is very efficient, requiring very little communication between the parties. The second works for any e and is still efficient; however, it requires the help of Henry and takes more rounds of communication (but still constant).

6.1 Small public exponent

We begin by describing an efficient technique for generating shares of d when the public exponent e is small. For simplicity throughout the section we assume e = 3. First, Alice and Bob compute φ(N) mod 3 by exchanging p_a + q_a mod 3 and p_b + q_b mod 3. This reveals some little information (less than two bits) about φ(N); this information is of no use since it can be easily guessed. Observe that (see footnote 4):

  d = [φ(N) + 1]/3 = (1/3)·[N + 2 − (p_a + p_b + q_a + q_b)]      if φ(N) ≡ 2 mod 3,
  d = [2φ(N) + 1]/3 = (2/3)·[N − (p_a + p_b + q_a + q_b)] + 1     if φ(N) ≡ 1 mod 3.

Footnote 4: The case φ(N) ≡ 0 mod 3 is of no interest since in that case e = 3 can not be used as a public RSA exponent.

Consequently, knowing φ(N) mod 3 enables Alice and Bob to locally compute shares of the decryption exponent d: If φ(N) mod 3 = 1, then Alice sets her share to be d_a = ⌊(N − 2p_a − 2q_a)/3⌋ + 1 and Bob sets his share to be d_b = ⌈(N − 2p_b − 2q_b)/3⌉. If φ(N) mod 3 = 2, then d_a = ⌊(N − p_a − q_a + 2)/3⌋ and d_b = ⌈(−p_b − q_b)/3⌉. Either way d = d_a + d_b mod φ(N). This enables threshold decryption as described in [13], i.e., c^d ≡ c^{d_a} · c^{d_b} mod N.

6.2 Arbitrary public exponent

Unlike the previous technique, our second method for generating shares of d works for arbitrary public exponent e and leaks no information. However, it requires the help of Henry. Recall that the public modulus N = (p_a + p_b)(q_a + q_b) satisfies φ(N) = (N − p_a − q_a + 1) − (p_b + q_b). We set φ_a = N − p_a − q_a + 1 and φ_b = −p_b − q_b. Then φ(N) = φ_a + φ_b is a sharing of φ(N) between Alice and Bob. The private exponent d is the inverse of e mod φ_a + φ_b. Unfortunately, traditional inversion algorithms, e.g. extended gcd, involve computations modulo φ_a + φ_b. When φ(N) = φ_a + φ_b is shared among two users we do not know how to efficiently perform these computations. We therefore develop an inversion algorithm for computing e^{-1} mod φ(N) that avoids any computation modulo φ(N). When only a single user is involved the inversion algorithm works as follows:

(1) Compute ψ = φ(N) mod e.
(2) Set T = −ψ^{-1}·φ(N) + 1, where ψ^{-1} is the inverse of ψ modulo e. Observe that T ≡ 0 mod e.
(3) Set d = T/e. Then d = e^{-1} mod φ(N) since d·e ≡ 1 mod φ(N).

Notice that the algorithm made no reductions modulo φ(N). Our inversion algorithm made use of the fact that e^{-1} mod φ(N) can be immediately deduced from ψ^{-1} mod e. We now show how the above inversion algorithm can be used to compute shares d_a + d_b = e^{-1} mod φ_a + φ_b. Clearly we may assume gcd(φ(N), e) = 1.

Step 1. Alice picks a random r_a ∈ Z_e^*. Bob picks a random r_b ∈ Z_e^*.

Step 2. Using the protocol of Section 4 compute ζ = (r_a + r_b)·(φ_a + φ_b) mod e. Since e is odd (gcd(φ(N), e) = 1) all the required Lagrange coefficients indeed exist. At this point ζ is known to both Alice and Bob. If ζ is not invertible modulo e the protocol is restarted at Step 1.

Step 3. Alice sets ζ_a = r_a ζ^{-1} mod e. Bob sets ζ_b = r_b ζ^{-1} mod e. Observe ζ_a + ζ_b ≡ (r_a + r_b)ζ^{-1} ≡ φ(N)^{-1} mod e.

Step 4. Next they fix an arbitrary odd integer P > 2N²e, e.g. P = 2N²e + 1. They then regard the shares 0 ≤ ζ_a, ζ_b < e as elements of Z_P. Using a modification of the BGW protocol of Section 4 they compute a sharing of A + B = −(ζ_a + ζ_b)(φ_a + φ_b) + 1 mod P such that Alice knows A and Bob knows B. Recall that in Section 4 Alice uses a random quadratic r(x) such that r(0) = 0. Instead, Alice will choose a truly random quadratic r(x). Then the final result computed by Henry is offset from the desired result by an additive factor of r(0), where only Alice knows r(0). If Henry gives his final result to Bob, then Alice and Bob have additive shares of the desired result. These shares could then be rerandomized if Alice adds, and Bob subtracts, an agreed-upon random value unknown to Henry.

Step 5. From here on we regard A and B as integers 0 ≤ A, B < P. Our objective is to ensure that over the integers

  A + B = −(ζ_a + ζ_b)(φ_a + φ_b) + 1.   (1)

Observe that 0 < A + B mod P < P/N (since ζ_a + ζ_b < 2e and φ(N) < N). It follows that A + B > P with probability more than 1 − 1/N (the only way that A + B < P is if both A and B are less than P/N). Therefore, if Alice sets A ← A − P then equation (1) holds over the integers. In the very unlikely event (that occurs with probability 1/N) that the relation doesn't hold over the integers, the wrong sharing of the private key will be generated. This will be detected when the parties do a trial decryption.

Step 6. At this point e divides A + B since

  A + B = −(ζ_a + ζ_b)(φ_a + φ_b) + 1 = −(φ_a + φ_b)^{-1}(φ_a + φ_b) + 1 = 0 (mod e).

Therefore d = (A + B)/e since de = A + B = kφ(N) + 1 ≡ 1 mod φ(N). Consequently, Alice sets d_a = ⌊A/e⌋ and Bob sets d_b = ⌈B/e⌉. Clearly d = d_a + d_b.

Notice that the value P we use in Step 4 is quite large. As a result the shares d_a, d_b are of the order of N². In actual implementations there is no need for this to happen. The only reason P has to be this large is to ensure that Step 5 succeeds with overwhelming probability. If one is willing to tolerate leakage of one bit in Step 5 then the parties can use a much smaller P, e.g. P = 2Ne + 1. If the resulting A, B satisfy A + B > P then the correct sharing of d is obtained. Otherwise, trial decryption will fail and the parties learn that A + B < P. In this case, Alice adds P back to her share A and Step 6 is repeated again. The correct sharing of d is now obtained. This results in shares d_a, d_b of order N. The computation of φ(N)^{-1} mod e (Steps 1-3 above) is based on a technique due to Beaver [2].

7 Generalizations to k parties

Our results thus far show how two parties can generate an RSA modulus N = (p_a + p_b)(q_a + q_b) with the help of a third neutral party. In this section we discuss how these results generalize to the case of three or more parties. In this case, the k parties will be generating an RSA modulus N = (p_1 + ... + p_k)(q_1 + ... + q_k), where each party i knows p_i, q_i. Afterwards, assuming that the parties follow the protocol as required, no coalition of ⌈k/2⌉ − 1 parties can factor N.

The primality test from Section 3 generalizes easily to k > 2 parties. Assume that the secret values chosen by the parties satisfy p_1 ≡ q_1 ≡ 3 mod 4 while for all other parties p_i ≡ q_i ≡ 0 mod 4. Then party 1 computes v_1 = g^{(N − p_1 − q_1 + 1)/4} mod N. Party i computes v_i = g^{(p_i + q_i)/4} mod N, 2 ≤ i ≤ k. They all publish their values and verify that v_1 ≡ ±v_2 v_3 ··· v_k mod N.
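The Section 5 trial-division protocol, as an added Python example that is not the paper's code: alice_step, bob_step and henry_step are the three messages of the protocol, the set of small primes and the shares are constructed, and expected evaluates Lemma 5's condition in the clear only to compare against Henry's verdict.

```python
import random

# Constructed list of small primes p_1..p_j (2 is omitted because the shares are chosen
# 3 mod 4 and 0 mod 4, so q is always odd).
SMALL_PRIMES = [3, 5, 7, 11, 13]


def alice_step(qa, primes, rng):
    """Alice: for each p_i pick c_i in Z_{p_i} and d_i in Z_{p_i}^*, then u_i = c_i + d_i*q_a mod p_i.
    Returns the message for Bob (all c_i, d_i) and the message for Henry (all u_i)."""
    to_bob, to_henry = [], []
    for p in primes:
        c, d = rng.randrange(p), rng.randrange(1, p)
        to_bob.append((c, d))
        to_henry.append((c + d * qa) % p)
    return to_bob, to_henry


def bob_step(qb, primes, from_alice):
    """Bob: v_i = c_i - d_i*q_b mod p_i, sent to Henry."""
    return [(c - d * qb) % p for p, (c, d) in zip(primes, from_alice)]


def henry_step(u, v):
    """Henry: "pass" iff u_i != v_i for every i. Since u_i - v_i = d_i*(q_a + q_b) mod p_i and
    d_i is invertible, u_i == v_i exactly when p_i divides q (Lemma 5)."""
    return "pass" if all(ui != vi for ui, vi in zip(u, v)) else "fail"


def trial_division(qa, qb, primes=SMALL_PRIMES, seed=0):
    """Run the three-message protocol on Alice's share qa and Bob's share qb."""
    rng = random.Random(seed)
    to_bob, u = alice_step(qa, primes, rng)
    v = bob_step(qb, primes, to_bob)
    return henry_step(u, v)


def expected(qa, qb, primes=SMALL_PRIMES):
    """Lemma 5's condition evaluated in the clear (for comparison only; no party can do this)."""
    return "pass" if all((qa + qb) % p != 0 for p in primes) else "fail"


if __name__ == "__main__":
    print(trial_division(3, 16), expected(3, 16))   # q = 19: no small factor
    print(trial_division(3, 12), expected(3, 12))   # q = 15: divisible by 3 and 5
```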
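The small-exponent share computation of Section 6.1 (e = 3), as an added Python example that is not from the paper: phi_mod3_exchange is the one round of communication, small_e_shares applies the local formulas for both residues of φ(N) mod 3, and threshold_decrypt combines c^{d_a} and c^{d_b}. The shares (p = 23, q = 11) and function names are constructed for the demonstration.

```python
def phi_mod3_exchange(pa, qa, pb, qb):
    """Alice publishes (p_a + q_a) mod 3 and Bob publishes (p_b + q_b) mod 3; both then know
    φ(N) mod 3 = (N + 1 - (p_a + q_a) - (p_b + q_b)) mod 3 and nothing else about φ(N)."""
    N = (pa + pb) * (qa + qb)
    alice_msg = (pa + qa) % 3
    bob_msg = (pb + qb) % 3
    return (N + 1 - alice_msg - bob_msg) % 3


def small_e_shares(pa, qa, pb, qb):
    """Section 6.1 with e = 3: returns (d_a, d_b), each computed locally, with d_a + d_b = 3^-1
    mod φ(N). Returns None when φ(N) ≡ 0 mod 3, where 3 is not a valid public exponent."""
    N = (pa + pb) * (qa + qb)
    ceil3 = lambda x: -((-x) // 3)        # ceiling of x/3 for an integer x
    r = phi_mod3_exchange(pa, qa, pb, qb)
    if r == 1:                            # d = (2φ(N) + 1)/3
        da = (N - 2 * pa - 2 * qa) // 3 + 1
        db = ceil3(N - 2 * pb - 2 * qb)
    elif r == 2:                          # d = (φ(N) + 1)/3
        da = (N - pa - qa + 2) // 3
        db = ceil3(-pb - qb)
    else:
        return None
    return da, db


def threshold_decrypt(c, da, db, N):
    """Each party raises the ciphertext to its own share; c^d = c^{d_a} * c^{d_b} mod N."""
    return pow(c, da, N) * pow(c, db, N) % N


if __name__ == "__main__":
    da, db = small_e_shares(7, 3, 16, 8)          # p = 23, q = 11, N = 253, φ(N) = 220
    print(da, db, threshold_decrypt(pow(42, 3, 253), da, db, 253))
```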
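The three-party computation of N from Section 4, reused modulo e for Steps 1-3 and modulo P (with Alice's r(0) left random) for Step 4 of Section 6.2, as one added Python example that is not the paper's own code. henry_product runs Alice, Bob and Henry in a single process; the small constructed shares, the function names, and the final check that (d_a + d_b)·e ≡ 1 mod φ(N), which stands in for the paper's trial decryption and which the real parties could not perform since neither knows φ(N), are assumptions of the demonstration.

```python
import random
from math import gcd


def lagrange_at_zero(points, P):
    """Value at x = 0 of the polynomial through `points`, modulo an odd P. With the points at
    x = 1, 2, 3 only 2 and -1 ever need inverting, so P need not be prime (Section 6.2, Step 2)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def henry_product(alice, bob, P, rng, mask=False):
    """Section 4 protocol. Alice holds (pa, qa), Bob (pb, qb); Henry interpolates
    alpha(0) = (pa + pb)(qa + qb) + r(0) mod P. With mask=False, r(0) = 0 and alpha(0) is the
    product. With mask=True (Section 6.2, Step 4) r(0) is random, so Henry's value is one additive
    share and -r(0), known only to Alice, is the other. Returns (henry_result, r0)."""
    pa, qa = alice
    pb, qb = bob
    xa, xb, xh = 1, 2, 3
    # Alice: two random lines through (0, pa) and (0, qa), evaluated at x_a, x_b, x_h
    ca, da = rng.randrange(1, P), rng.randrange(1, P)
    pa_at = {x: (ca * x + pa) % P for x in (xa, xb, xh)}
    qa_at = {x: (da * x + qa) % P for x in (xa, xb, xh)}
    pb_a, qb_a = rng.randrange(P), rng.randrange(P)     # Alice picks Bob's shares at x_a
    r0 = rng.randrange(P) if mask else 0                # random quadratic r(x), r(0) = 0 unless masked
    r1, r2 = rng.randrange(P), rng.randrange(P)
    r_at = {x: (r2 * x * x + r1 * x + r0) % P for x in (xa, xb, xh)}
    Na = ((pa_at[xa] + pb_a) * (qa_at[xa] + qb_a) + r_at[xa]) % P
    # Bob: lines through (0, pb) and (0, qb) that agree with Alice's choice at x_a
    cb = (pb_a - pb) * pow(xa, -1, P) % P
    db = (qb_a - qb) * pow(xa, -1, P) % P
    pb_at = {x: (cb * x + pb) % P for x in (xb, xh)}
    qb_at = {x: (db * x + qb) % P for x in (xb, xh)}
    Nb = ((pa_at[xb] + pb_at[xb]) * (qa_at[xb] + qb_at[xb]) + r_at[xb]) % P
    # Henry: his own point, then interpolation of the quadratic alpha(x) at 0
    Nh = ((pa_at[xh] + pb_at[xh]) * (qa_at[xh] + qb_at[xh]) + r_at[xh]) % P
    return lagrange_at_zero([(xa, Na), (xb, Nb), (xh, Nh)], P), r0


def compute_modulus(pa, qa, pb, qb, P, seed=0):
    """Section 4: N = (pa + pb)(qa + qb) for a prime P > N; no party sees the other side's shares."""
    N, _ = henry_product((pa, qa), (pb, qb), P, random.Random(seed))
    return N


def share_private_exponent(pa, qa, pb, qb, e, seed=0):
    """Section 6.2, Steps 1-6. Returns (d_a, d_b) with d_a + d_b = e^-1 mod φ(N); no party ever
    reduces modulo φ(N). Assumes e odd and gcd(e, φ(N)) = 1."""
    rng = random.Random(seed)
    N = (pa + pb) * (qa + qb)
    phi_a, phi_b = N - pa - qa + 1, -pb - qb            # φ(N) = phi_a + phi_b
    # Steps 1-3: zeta = (r_a + r_b) * φ(N) mod e via the Section 4 protocol run modulo e
    while True:
        ra, rb = rng.randrange(1, e), rng.randrange(1, e)
        zeta, _ = henry_product((ra, phi_a % e), (rb, phi_b % e), e, rng)
        if gcd(zeta, e) == 1:
            break
    zinv = pow(zeta, -1, e)
    zeta_a, zeta_b = ra * zinv % e, rb * zinv % e       # zeta_a + zeta_b = φ(N)^-1 mod e
    # Step 4: additive shares A, B of -(zeta_a + zeta_b)(phi_a + phi_b) + 1 mod P, P = 2N^2 e + 1
    P = 2 * N * N * e + 1
    R, r0 = henry_product((zeta_a, phi_a % P), (zeta_b, phi_b % P), P, rng, mask=True)
    A, B = (r0 + 1) % P, (-R) % P                       # Henry hands R to Bob; Alice keeps r(0)
    # Steps 5-6: Alice subtracts P so (1) holds over the integers, then both divide by e.
    # A - P is the paper's step; the other offsets cover the rare case that trial decryption
    # would expose, after which the parties adjust Alice's share by P.
    for A_int in (A - P, A - 2 * P, A):
        da, db = A_int // e, -((-B) // e)               # floor for Alice, ceiling for Bob
        if (da + db) * e % (phi_a + phi_b) == 1:        # in-the-clear stand-in for trial decryption
            return da, db
    raise RuntimeError("sharing failed; the parties would rerun the protocol")


if __name__ == "__main__":
    print(compute_modulus(7, 3, 16, 16, 10007))          # p = 23, q = 19: 437
    da, db = share_private_exponent(7, 3, 16, 16, 17)
    print(da, db, (da + db) % 396)                       # φ(437) = 396; prints 3^-1... i.e. 17^-1 mod 396
```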
The arguments for correctness and privacy are essentially the same. The resulting protocol is k-private.

To generalize the distributed computation of N of Section 4 to k > 2 parties use the BGW protocol with higher degree polynomials (rather than linear). The BGW protocol can be made private (i.e. no information about the p_i, q_i is leaked) even when ⌈k/2⌉ − 1 parties collude.

Trial division (Section 5) with k > 2 parties can be done (⌈k/2⌉ − 1)-privately, but a different protocol must be used. We adapt an idea due to Beaver [2]. Let q = q_1 + ... + q_k be an integer shared among k parties. Let p be a small prime. To test if p divides q each party picks a random r_i ∈ Z_p. Using the BGW protocol they compute qr = (Σ q_i)(Σ r_i) mod p. If qr ≠ 0 then p does not divide q. Furthermore, since r is unknown to any minority of parties, qr provides no other information about q. Note that if qr = 0 mod p it could still be the case that p does not divide q. However, if the test is repeated twice for each small prime p, the probability that a good candidate is rejected is at most 1 − Π_p (1 − 1/p²) < 1/2.

[…] k > 2 parties. The second protocol can produce a k-out-of-k sharing d = Σ d_i; however the computation is based on BGW and is therefore only (⌈k/2⌉ − 1)-private. The more difficult case of t-out-of-k sharing of a private key among k > 2 parties is treated in the next subsection.

7.1 t-out-of-k sharing

Since the computation of N in Section 4 relies on the BGW protocol [3] we are a priori restricted to threshold t satisfying t < ⌈k/2⌉. A coalition of more than k/2 parties can already factor N. We show how to achieve any threshold t < ⌈k/2⌉. To achieve t-out-of-k sharing of d, first share d using a k-out-of-k scheme as described above, i.e. each party computes a share d_i such that d = Σ d_i mod φ(N). Then each party i shares its share d_i with all other parties using a t-out-of-k scheme. We denote the share of d_i sent to party j by d_{i,j}.
A coalition C of t parties can do threshold decryption using its shares of d and its shares d_{i,j} for i ∉ C. Thus, we are left with the problem of showing how party i generates the d_{i,j} given d_i. Secret sharing modulo φ(N) is not easy. An elegant solution was given in [8] where the authors show how a trusted dealer (who knows the factorization of N) can generate shares d_{i,j} as required. We can show that when N = (Σ p_i)(Σ q_i) where party i only knows p_i, q_i, there is no need for a trusted dealer. That is, the parties can engage in a multi-party protocol to compute the same shares d_{i,j} that were generated by the dealer in [8]. Unfortunately, this requires multiple invocations of the BGW protocol described in Section 4. Since we are mainly concerned with efficient solutions we describe an alternate approach which works well when the threshold t is small.

When t is small, t-out-of-k sharing can be achieved through t-out-of-t sharing. Naively this can be done by giving each of the (k choose t) coalitions a t-out-of-t sharing of the secret. Other techniques [1] can reduce t-out-of-k sharing to t-out-of-t far more efficiently (see footnote 5). However, it is essential for these reductions that the instances of t-out-of-t sharing be independent. Because it is difficult to compute reduction modulo φ(N) efficiently without revealing φ(N), ordinary techniques for generating new sharing instances cannot be used. We propose the following procedure for party i to generate many independent t-out-of-t sharings of d_i. To avoid unnecessary indices we refer to d_i as s. Pick t − 1 random integers s_1, ..., s_{t−1} ∈_R [−B, B] for some large B and compute s_t = s − Σ_{j=1}^{t−1} s_j (where addition is over the integers). We show that s_1, ..., s_t is a private t-out-of-t sharing of s for suitable choice of B. Note that this sharing scheme is at least as secure as the scheme where every share is a random element in [−B, B] and i publishes the difference between the secret and the sum of all the shares.
When $s \in [1, b]$ the following lemma establishes that this scheme is sufficiently private when $B > t b^{2+\epsilon}$ for any fixed $\epsilon > 0$.

Lemma 7. Let $s \in [1 \ldots b]$, and let $p_x = \mathrm{prob}(s = x) = 1/b$ for all $x \in [1, b]$. Let $(s_1, \ldots, s_t) \in_R [-B, B]^t$, and $\delta = \sum_{i=1}^{t} s_i - s$. For any coalition $C \subset [1, t]$, let $p_{x,C} = \mathrm{prob}(s = x \mid \delta, \{s_i\}_{i \in C})$. Then, for every coalition C and every $\epsilon > 0$, the distributions $\{p_x\}_x$ and $\{p_{x,C}\}_x$ are statistically indistinguishable when $B > t b^{2+\epsilon}$.

Due to space limitations we give the proof in the full version of the paper.

8 Summary and open problems

We presented techniques that allow two or more parties to generate an RSA modulus N = pq such that all parties are convinced that N is indeed a product of two primes; however, none of them can factor N. When only two parties are involved, interaction with a third helper party is needed to complete some steps of the protocol. Finally, we showed how the parties can generate shares of a private decryption exponent to allow threshold decryption.

Our protocols are practical, though there is some slowdown in comparison to single-user generation of an RSA key. The main reason is that both primes p, q are generated at once. This increases the number of tries until a suitable N is found, as was discussed in Section 2. A possible approach for solving this is to generate N as $N = p_a p_b (q_a + q_b)$ where $p_a, p_b$ are primes known to Alice and Bob respectively and $q_a, q_b$ are random n-bit integers. The number of probes until $q_a + q_b$ is found to be prime is just as in single-user generation of N. Unfortunately, this approach doesn't scale well. To support k parties, N must be a product of k + 1 primes. Also, one has to design a protocol for testing that such an N is indeed a product of three primes.

In the two-party case our protocols require the use of a third helper party. The helper party is needed for the private computation of $N = (p_a + p_b)(q_a + q_b)$. Therefore, it is of some interest to develop efficient two-party protocols for this specific function which do not make use of a third party. General two-party computation protocols (e.g. [26]) are too inefficient.

Our protocols generate an RSA modulus which is the product of two large random primes. It would be useful to be able to generate moduli of some special form. For example, a modulus which is a product of "safe primes" (i.e., where both (p − 1)/2 and (q − 1)/2 are prime) has been considered for security purposes [18] as well as for technical reasons related to threshold cryptography [10, 16].

Throughout the paper we use a model in which parties honestly follow the protocol. The case of active adversaries that cheat during the protocol is of great interest as well. Since the RSA function is verifiable (the parties can simply check that they correctly decrypt encrypted messages), active adversaries are limited in the amount of damage they can cause. However, it may still be possible that one party can cheat during the protocol and consequently be able to factor the resulting N. Our techniques can be made to withstand some number of active adversaries, though more parties must participate in the protocol.

Footnote 5: For instance, we show how to efficiently implement 2-out-of-k sharing from 2-out-of-2 sharing. Let d be a secret and $r = \lceil \log k \rceil$. Let $d = d_{1,0} + d_{1,1} = d_{2,0} + d_{2,1} = \cdots = d_{r,0} + d_{r,1}$ be r independent 2-out-of-2 sharings of the secret d. For an $i \in [0, k]$ let $i = i_r i_{r-1} \ldots i_0$ be the binary digits of i. Party i's share of the secret d is the set $\{d_{r,i_r}, d_{r-1,i_{r-1}}, \ldots, d_{0,i_0}\}$. Given two parties $i = i_r i_{r-1} \ldots i_0$ and $j = j_r j_{r-1} \ldots j_0$ there exists an s such that $i_s \neq j_s$. Then $d = d_{s,i_s} + d_{s,j_s}$, enabling the two parties to reconstruct the secret. Hence, we achieved 2-out-of-k sharing using only log k independent 2-out-of-2 sharings (as opposed to $\binom{k}{2}$ required by the naive solution).
We leave the details for the full version of the paper.

Acknowledgments

We thank Yair Frankel and Don Beaver for several stimulating discussions on our results.

References

1. N. Alon, Z. Galil and M. Yung, "Dynamic-resharing verifiable secret sharing," ESA 1995.
2. D. Beaver, "Security, fault tolerance, and communication complexity in distributed systems," Ph.D. thesis, Harvard University, May 1990.
3. M. Ben-Or, S. Goldwasser, A. Wigderson, "Completeness theorems for non-cryptographic fault tolerant distributed computation," STOC 1988, pp. 1-10.
4. J. Benaloh (Cohen), "Secret sharing homomorphisms: keeping shares of a secret secret," Crypto '86, pp. 251-260.
5. J. Carter and M. Wegman, "Universal classes of hash functions," J. Comput. Syst. Sci. 18 (1979), pp. 143-154.
6. D. Chaum, C. Crépeau, and I. Damgård, "Multiparty unconditionally secure protocols," ACM STOC 1988, pp. 11-19.
7. N. De Bruijn, "On the number of uncanceled elements in the sieve of Eratosthenes," Proc. Neder. Akad. Wetensch., vol. 53, 1950, pp. 803-812. Reviewed in LeVeque, Reviews in Number Theory, Vol. 4, Section N-28, p. 221.
8. A. De Santis, Y. Desmedt, Y. Frankel, M. Yung, "How to share a function securely," STOC 1994, pp. 522-533.
9. Y. Desmedt, "Threshold cryptography," European Transactions on Telecommunications and Related Technologies, Vol. 5, No. 4, July-August 1994, pp. 35-43.
10. Y. Desmedt and Y. Frankel, "Shared generation of authenticators and signatures," Crypto '91, pp. 457-469.
11. U. Feige, A. Fiat, and A. Shamir, "Zero-knowledge proofs of identity," Journal of Cryptology 1 (1988), pp. 77-94.
12. A. Fiat and A. Shamir, "How to prove yourself: Practical solutions to identification and signature problems," Crypto '86, pp. 186-194.
13. Y. Frankel, "A practical protocol for large group oriented networks," Eurocrypt '89, pp. 56-61.
14. M. Franklin and S. Haber, "Joint encryption and message-efficient secure computation," Journal of Cryptology 9 (1996), pp. 217-232.
15. R. Fagin, M. Naor, P. Winkler, "Comparing information without leaking it," CACM, Vol. 39, No. 5, May 1996, pp. 77-85.
16. R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, "Robust and efficient sharing of RSA functions," Crypto '96, pp. 157-172.
17. O. Goldreich, S. Micali, A. Wigderson, "How to play any mental game," STOC 1987, pp. 218-229.
18. J. Gordon, "Strong primes are easy to find," Eurocrypt '84, pp. 216-223.
19. L. Guillou and J. Quisquater, "A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory," Eurocrypt '88, pp. 123-128.
20. K. Ohta and T. Okamoto, "A modification of the Fiat-Shamir scheme," Crypto '88, pp. 232-243.
21. H. Ong and C. Schnorr, "Fast signature generation with a Fiat-Shamir-like scheme," Eurocrypt '90, pp. 432-440.
22. T. Pedersen, "A threshold cryptosystem without a trusted party," Proceedings of Eurocrypt '91, pp. 522-526.
23. M. Rabin, "Probabilistic algorithm for testing primality," J. of Number Theory, vol. 12, pp. 128-138, 1980.
24. R. Solovay, V. Strassen, "A fast Monte Carlo test for primality," SIAM Journal of Computing, vol. 6, pp. 84-85, 1977.
25. M. Wegman and J. Carter, "New hash functions and their use in authentication and set equality," J. Comput. Syst. Sci. 22 (1981), pp. 265-279.
26. A. Yao, "How to generate and exchange secrets," FOCS 1986, pp. 162-167.

Understanding Cryptography – A Textbook for Students and Practitioners
by Christof Paar and Jan Pelzl
www.crypto-textbook.com

Chapter 11 – Hash Functions
ver. October 29, 2009
These slides were prepared by Stefan Heyse and Christof Paar and Jan Pelzl

Some legal stuff (sorry): Terms of Use
• The slides can be used free of charge. All copyrights for the slides remain with Christof Paar and Jan Pelzl.
• The title of the accompanying book "Understanding Cryptography" by Springer and the authors' names must remain on each slide.
• If the slides are modified, appropriate credits to the book authors and the book title must remain within the slides.
• It is not permitted to reproduce parts or all of the slides in printed form whatsoever without written consent by the authors.

Chapter 11 of Understanding Cryptography by Christof Paar and Jan Pelzl

Content of this Chapter
• Why we need hash functions
• How does it work
• Security properties
• Algorithms
• Example: The Secure Hash Algorithm SHA-1

Motivation
Problem: Naive signing of long messages generates a signature of the same length.
Three problems:
• Computational overhead
• Message overhead
• Security limitations
For more info see Section 11.1 in "Understanding Cryptography".
Solution: Instead of signing the whole message, sign only a digest (= hash). Also secure, but much faster.
Needed: Hash Functions

Digital Signature with a Hash Function
[Diagram: the message x, split into blocks x_i, is compressed by z_i = h(x_i || z_{i-1}) into a digest z, which is then signed: y = sig_kpr(z).]
Notes:
• x has fixed length
• z, y have fixed length
• z, x do not have equal length in general
• h(x) does not require a key.
• h(x) is public.

Basic Protocol for Digital Signatures with a Hash Function
Alice: z = h(x); s = sig_Kpr(z); sends (x, s) to Bob.
Bob (holds Kpub): z' = h(x); ver_Kpub(s, z') = true/false.

Principal input–output behavior of hash functions
[Figure only.]

The three security properties of hash functions
[Figure only.]

Hash Functions: Security Properties
• Preimage resistance: For a given output z, it is impossible to find any input x such that h(x) = z, i.e., h(x) is one-way.
• Second preimage resistance: Given x1, and thus h(x1), it is computationally infeasible to find any x2 such that h(x1) = h(x2).
• Collision resistance: It is computationally infeasible to find any pair x1 ≠ x2 such that h(x1) = h(x2).

Hash Functions: Security
It turns out that collision resistance causes most problems.
• How hard is it to find a collision with a probability of 0.5?
• Related problem: How many people are needed such that two of them have the same birthday with a probability of 0.5?
• No! Not 365/2 = 183. 23 are enough! This is called the birthday paradox (the search takes ≈ √(2^n) = 2^(n/2) steps).
• For more info see Chapter 11.2.3 in Understanding Cryptography.
• To deal with this paradox, hash functions need an output size of at least 160 bits.

Hash Functions: Algorithms
Hash algorithms: special algorithms (e.g. the MD5 family) and algorithms based on block ciphers.
• MD5 family
• SHA-1: output 160 bit; input 512-bit chunks of message x; operations: bitwise AND, OR, XOR, complement and cyclic shifts.
• RIPE-MD 160: output 160 bit; input 512-bit chunks of message x; operations like in SHA-1, but two in parallel and combinations of them after each round.

SHA-1
• Part of the MD-4 family.
• Based on a Merkle-Damgård construction.
• 160-bit output from a message of maximum length 2^64 bit.
• Widely used (even though some weaknesses are known).

SHA-1 High Level Diagram
• The compression function consists of 80 rounds which are divided into four stages of 20 rounds each.

SHA-1: Padding
• Message x has to be padded to fit a size of a multiple of 512 bit.
• k ≡ 512 − 64 − 1 − l = 448 − (l + 1) mod 512.

SHA-1: Hash Computation
• Each message block x_i is processed in four stages with 20 rounds each.
SHA-1 uses:
• A message schedule which computes a 32-bit word W_0, W_1, ..., W_79 for each of the 80 rounds
• Five working registers of 32 bits each: A, B, C, D, E
• A hash value H_i consisting of five 32-bit words H_i^(0), H_i^(1), H_i^(2), H_i^(3), H_i^(4)
• In the beginning, the hash value holds the initial value H_0, which is replaced by a new hash value after the processing of each single message block.
• The final hash value H_n is equal to the output h(x) of SHA-1.

SHA-1: All four stages
[Figure only.]

SHA-1: Internals of a Round
Stage t   Round j   Constant K_t   Function f_t
1         0…19      5A827999       f(B,C,D) = (B ∧ C) ∨ (¬B ∧ D)
2         20…39     6ED9EBA1       f(B,C,D) = B ⊕ C ⊕ D
3         40…59     8F1BBCDC       f(B,C,D) = (B ⊕ C) ∨ (B ⊕ D) ∨ (C ⊕ D)
4         60…79     CA62C1D6       f(B,C,D) = B ⊕ C ⊕ D

Lessons Learned: Hash Functions
• Hash functions are keyless. The two most important applications of hash functions are their use in digital signatures and in message authentication codes such as HMAC.
• The three security requirements for hash functions are one-wayness, second preimage resistance and collision resistance.
• Hash functions should have at least 160-bit output length in order to withstand collision attacks; 256 bit or more is desirable for long-term security.
• MD5, which was widely used, is insecure. Serious security weaknesses have been found in SHA-1, and the hash function should be phased out. The SHA-2 algorithms all appear to be secure.
• The ongoing SHA-3 competition will result in new standardized hash functions in a few years.
Shared RSA (Goal: creating a private key without the full knowledge of an individual)

Why trial division goes up to (n+1)/2-bit factors. This slide shows why we have to divide the sum of two n-bit numbers by up to (n+1)/2-bit factors during primality testing.
Factors of 36: 2×18, 3×12, 4×9, 6×6, 9×4, 12×3, 18×2. After the square-root value the factors repeat, so we have to divide a number by up to its square root to check if the number is prime.
In terms of number of bits: a 4-bit number (1111) plus a 4-bit number (1111) gives 11110, a (4+1)-bit number, i.e. about 2^5. The square root of 2^5 is 2^(5/2). In general: n bit + n bit → n+1 bit; its square root → (n+1)/2 bit. So we have to divide by up to (n+1)/2-bit factors.

Distributed computation of P = Pa + Pb, Q = Qa + Qb, and N = P × Q so that no individual knows P and Q.

Primality testing (testing whether P = Pa + Pb is divisible by a factor, say, 5):
Alice: Pa = 17, computes 17 mod 5 = 2
Bob: Pb = 18, computes 18 mod 5 = 3
Henry: (2 + 3) mod 5 = 0, so 5 divides P

Computing N = P × Q = (Pa + Pb) × (Qa + Qb) = Pa×Qa + Pa×Qb + Pb×Qa + Pb×Qb

Computing Pa × Qb (Alice, Bob and the helper Henry):
Alice selects A; Bob selects B.
S1 = (Pa − A) × B
S2 = (Qb − B) × A
S3 = A × B
S4 = (Pa − A) × (Qb − B)
S1 + S2 + S3 + S4 = (Pa − A)×B + (Qb − B)×A + A×B + (Pa − A)×(Qb − B) = ([Pa − A] + [A]) × ([Qb − B] + [B]) = Pa × Qb

Hash Functions
A mathematical function that converts an input "m" of arbitrary length "n" to a fixed-length short string "h". Formally, hash(m) = h. "h" is commonly known as the message digest, or digest. |h|
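The two tricks in the notes above, the helper-assisted trial division and the four-term product, carried out on the assignment's numbers (13 and 10). This is an added example, not code from the course notes or from the Boneh-Franklin paper; the function names and the assumed message flow (who sends which masked value to whom) are my own.

```python
"""Added example: shared primality test and shared product, after the notes.
Party roles follow the notes (Alice, Bob, helper Henry); the message flow
and mask sizes are assumptions made here, not taken from the notes."""
import secrets


def shared_trial_division(pa: int, pb: int, n_bits: int) -> bool:
    """Helper-assisted primality check of P = pa + pb by trial division.
    Alice and Bob each hold an n-bit secret (top bit set, so P >= 2^n).
    For every candidate divisor d up to the (n+1)/2-bit bound from the
    notes, each sends only its residue mod d to Henry, who adds the residues
    mod d. Returns True when no d divides P. Henry never sees pa, pb or P,
    although, as in the notes, he does learn P mod d for every d tried."""
    assert n_bits >= 2 and pa >> (n_bits - 1) == 1 and pb >> (n_bits - 1) == 1
    bound = 1 << ((n_bits + 2) // 2)      # largest ceil((n+1)/2)-bit factor
    for d in range(2, bound + 1):
        r_alice = pa % d                  # Alice's message to Henry
        r_bob = pb % d                    # Bob's message to Henry
        if (r_alice + r_bob) % d == 0:    # Henry's check: d divides P
            return False
    return True


def shared_cross_product(pa: int, qb: int) -> int:
    """pa * qb as the four terms S1..S4 of the notes. Assumed flow: Alice
    picks mask A and sends it to Bob, Bob picks mask B and sends it to Alice,
    and Henry receives only the masked values pa - A and qb - B. Masks are
    taken far larger than the secrets so the masked values hide them
    (the paper's condition on B for its integer sharing makes this precise).
    How the four terms are added without exposing them individually is not
    covered by the notes; here they are simply summed."""
    A = secrets.randbelow(1 << 128)       # Alice's mask (known to Alice, Bob)
    B = secrets.randbelow(1 << 128)       # Bob's mask (known to Bob, Alice)
    s1 = (pa - A) * B                     # Alice: knows pa, A and B
    s2 = (qb - B) * A                     # Bob: knows qb, B and A
    s3 = A * B                            # Alice or Bob: both know A and B
    s4 = (pa - A) * (qb - B)              # Henry: sees only the masked values
    return s1 + s2 + s3 + s4              # equals pa * qb


def shared_modulus(pa: int, pb: int, qa: int, qb: int) -> int:
    """N = (pa + pb)(qa + qb) from the expansion in the notes: Alice computes
    pa*qa alone, Bob computes pb*qb alone, and the two cross terms come from
    the helper protocol. Nobody has to know P or Q."""
    return (pa * qa + shared_cross_product(pa, qb)
            + shared_cross_product(pb, qa) + pb * qb)


if __name__ == "__main__":
    # Assignment question: is 13 + 10 prime? (4-bit secrets, constructed input)
    print("13 + 10 prime:", shared_trial_division(13, 10, 4))   # True
    print("17 + 18 prime:", shared_trial_division(17, 18, 5))   # False
    print("N:", shared_modulus(13, 10, 11, 12), "==", 23 * 23)
```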
Answer
A secret component and a public part make up the key in public key cryptography. Alice must first
obtain Bob's public key in order to communicate with him. Bob likes to be reached, even if it's only
through encrypted messaging, therefore he made his public key availa...