
Scalable RSA Modulus Generation with a Dishonest Majority - PowerPoint PPT Presentation



  1. Scalable RSA Modulus Generation with a Dishonest Majority. Muthu Venkitasubramaniam (Ligero Inc. & University of Rochester), with Megan Chen, Carmit Hazay, Yuval Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, abhi shelat and Ruihan Wang.

  2. What is an RSA Modulus? Biprime: the product of exactly two primes.

  3. Why? RSA History
   • 1977 - RSA public-key encryption
   • 1999 - Paillier public-key encryption
   • 2001 - CRS for the UC setting
   • 2018 - Verifiable Delay Functions (VDF)
   • NIST Randomness Beacon. Source: https://csrc.nist.gov/projects/interoperable-randomness-beacons

  4. Verifiable Delay Functions
   • [Rivest-Shamir-Wagner96] introduced inherently sequential functions (ISH)
   • 2018 - VDF constructions by Pietrzak and by Wesolowski

  5. Goal: sample a biprime N whose factorization stays "hidden" from every party. Use MPC!

  6. Desiderata
   • Modulus size: 2048 bits
   • Threshold: n-1 corruptions
   • # Participants: > 1000
   • Party spec: "lightweight"
   • Bandwidth: < 5 Mbps
   • Security: 60-bit statistical security, 128-bit computational security

  7. Protocol Blueprint
   Step 1: Design a protocol for PASSIVE corruptions.
   Step 2: Upgrade its security to tolerate ACTIVE corruptions.

  8. Step 1: Scalable Passive Protocol

  9. Previous Works: Overview

   Milestone      Work       Adversary   Parties   Corruption threshold
   First work     [BF97]     Passive     n >= 3    t < n/2
                  [FMY98]    Active      n         t < n/2
                  [PS98]     Active      2         t = 1
   Based on OT    [Gil99]    Passive     2         t = 1
                  [ACS02]    Passive     n         t < n/2
                  [DM10]     Active      3         t = 1
                  [HMRT12]   Active      n         t < n
                  [FLOP18]   Active      2         t = 1
                  [CCD+20]   Active      n         t < n

  10-13. Boneh-Franklin Framework [BF97]
   1. Candidates & trial division: each party P_i chooses its shares p_i, q_i at random, so that p = ∑ p_i and q = ∑ q_i.
   2. Mult: securely compute and publish N = p · q.
   3. Biprimality testing: is N the product of two primes? Output a bit 0/1.

  14-16. [CCD+20] Passive Protocol
   Same three phases as [BF97], with the first one replaced:
   1. Pre-sieved candidates (instead of trial division): built with secure multiplication
   2. Mult: secure multiplication
   3. Biprimality testing: Jacobi test of [BF97]. Is N the product of two primes?

  17. Secure Multiplication: each party P_i holds a_i, b_i ∈ 𝔾 (i = 1, …, n); MUL takes all the (a_i, b_i) and returns an output c_i to each party P_i.

  18. Implementing Secure Multiplication
   • Oblivious Linear Evaluation (OLE): scales quadratically in the number of parties
   • Threshold Additively Homomorphic Encryption (TAHE) [CDN01]: scales linearly in the number of parties
   • Our approach: TAHE with a verifiable coordinator; per-party communication scales logarithmically in the number of parties

  19-27. Threshold AHE with a coordinator
   Party P_i holds its secret shares p_i, q_i and a key share sk_i; the coordinator C holds only the public key PK.
   • Key generation: threshold key setup gives every party its sk_i and publishes PK.
   • Encrypt p_i: P_i sends Enc_PK(p_i); C adds the ciphertexts, ∑ Enc_PK(p_i) = Enc_PK(p).
   • Multiply by q_i: P_i receives Enc_PK(p) from C and returns q_i · Enc_PK(p); C adds the replies, ∑ q_i · Enc_PK(p) = Enc_PK(p · q).
   • Decrypt: P_i receives Enc_PK(pq) from C and contributes its decryption share; the product p · q is decrypted and published.
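The coordinator flow above, as an added, runnable Python example that is not part of the slides or of the authors' implementation. It substitutes Paillier (with a dealer-generated key and additive n-of-n shares of the decryption exponent, in the style of Damgård-Jurik threshold decryption) for the deck's Ring-LWE TAHE, because Paillier's homomorphism is the easiest to read; the deck rejects Paillier for the real protocol precisely because its key is itself an RSA modulus. The coordinator does nothing but multiply ciphertexts and decryption shares modulo n²; each party re-randomises q_i · Enc(p) with a fresh encryption of 0 before returning it, since otherwise the coordinator could recognise a small q_i by trial. The Mersenne-prime key, the shares and the seeds are constructed for the demo.

```python
"""Threshold AHE with a coordinator, shown with n-of-n Paillier (added example)."""
import math
import random

# Constructed demo key: two Mersenne primes stand in for the threshold key
# generation on the slides (a trusted dealer here). The deck chooses Ring-LWE
# over Paillier because a Paillier key already needs an RSA modulus; Paillier
# appears here only because its homomorphism is the easiest to read.
_P = (1 << 127) - 1
_Q = (1 << 89) - 1
PAI_N = _P * _Q                      # Paillier modulus n
PAI_N2 = PAI_N * PAI_N               # ciphertexts live in Z_{n^2}^*
_LAMBDA = (_P - 1) * (_Q - 1) // math.gcd(_P - 1, _Q - 1)
# Decryption exponent d with d = 0 (mod lambda) and d = 1 (mod n), so that
# c^d = 1 + m*n (mod n^2) and m = (c^d - 1) // n needs no secret post-processing.
_D = _LAMBDA * pow(_LAMBDA, -1, PAI_N)
_EXP_MOD = PAI_N * _LAMBDA           # exponent of Z_{n^2}^*: c^(n*lambda) = 1


def share_secret_key(n_parties, rng):
    """Additive n-of-n shares of d (dealer-generated); their sum is d mod n*lambda."""
    shares = [rng.randrange(_EXP_MOD) for _ in range(n_parties - 1)]
    shares.append((_D - sum(shares)) % _EXP_MOD)
    return shares


def encrypt(m, rng):
    """Paillier encryption with generator 1 + n: (1+n)^m * r^n mod n^2."""
    assert 0 <= m < PAI_N
    r = rng.randrange(1, PAI_N)
    while math.gcd(r, PAI_N) != 1:
        r = rng.randrange(1, PAI_N)
    return pow(1 + PAI_N, m, PAI_N2) * pow(r, PAI_N, PAI_N2) % PAI_N2


def add(c1, c2):
    """Enc(m1) * Enc(m2) = Enc(m1 + m2): a public operation the coordinator does."""
    return c1 * c2 % PAI_N2


def scale(c, k):
    """Enc(m)^k = Enc(k * m): what a party does with its private q_i."""
    return pow(c, k, PAI_N2)


def decryption_share(c, sk_i):
    return pow(c, sk_i, PAI_N2)


def combine(dec_shares):
    """Multiply the shares (public) to obtain c^d = 1 + m*n, then read off m."""
    x = 1
    for s in dec_shares:
        x = x * s % PAI_N2
    return (x - 1) // PAI_N


def coordinator_product(p_shares, q_shares, seed=0):
    """Run the three coordinator rounds and return N = (sum p_i) * (sum q_i).

    The coordinator only ever multiplies ciphertexts and decryption shares
    modulo n^2; it never sees a p_i, a q_i or a key share."""
    rng = random.Random(seed)
    sk = share_secret_key(len(p_shares), rng)
    # Round 1: every party sends Enc(p_i); the coordinator adds them into Enc(p).
    enc_p = None
    for p_i in p_shares:
        c = encrypt(p_i, rng)
        enc_p = c if enc_p is None else add(enc_p, c)
    # Round 2: every party returns q_i * Enc(p), re-randomised with a fresh
    # Enc(0) so the coordinator cannot recognise a small q_i by trial; the
    # coordinator adds the replies into Enc(p*q).
    enc_pq = None
    for q_i in q_shares:
        c = add(scale(enc_p, q_i), encrypt(0, rng))
        enc_pq = c if enc_pq is None else add(enc_pq, c)
    # Round 3: every party sends a decryption share of Enc(p*q); the
    # coordinator combines them and publishes the candidate modulus.
    return combine([decryption_share(enc_pq, sk_i) for sk_i in sk])
```

With shares p = 300003 + 400000 + 300000 and q = 400035 + 400004 + 200000, `coordinator_product` returns 1000003 · 1000039 regardless of the seed; the candidate must stay below the Paillier modulus n, which is why a real deployment sizes the TAHE plaintext space to the 2048-bit target.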

  28-31. [BF97]'s Distributed Biprimality Test (phase 3 of the framework): test whether N is the product of two primes.
   • Jacobi test (a distributed "Miller-Rabin" test)
   • GCD test
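The Jacobi test as an added, runnable Python example (not the slides' or the authors' code). It assumes the [BF97] share format, in which party 1 holds p_1 ≡ q_1 ≡ 3 (mod 4) and every other party holds shares ≡ 0 (mod 4), so that each party can raise the public g to an integer exponent and the product of the contributions equals g^((N-p-q+1)/4) = g^(φ(N)/4), which is ±1 mod N for a genuine biprime. The GCD test is not implemented here: its secure version needs another multiplication, and computing gcd(N, p+q-1) in the clear would reveal p+q. The shares and the composite counterexample (1000043 = 11 · 90913) are constructed.

```python
"""Distributed Jacobi biprimality test of [BF97], simulated locally (added example)."""
import math
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def jacobi_round(N, p_shares, q_shares, g):
    """One test round for base g.

    Returns True if the parties' contributions are consistent with N being a
    biprime, False if they reject, or None if g is unusable (gcd(g, N) != 1 or
    Jacobi symbol (g/N) != 1)."""
    g %= N
    if g == 0 or math.gcd(g, N) != 1 or jacobi(g, N) != 1:
        return None
    # Party 1 holds p_1 = q_1 = 3 (mod 4); every other share is 0 (mod 4),
    # the [BF97] share format assumed here, so all exponents are integers.
    v1 = pow(g, (N - p_shares[0] - q_shares[0] + 1) // 4, N)
    rest = 1
    for p_i, q_i in zip(p_shares[1:], q_shares[1:]):
        rest = rest * pow(g, (p_i + q_i) // 4, N) % N
    # v1 / rest = g^((N - p - q + 1)/4) = g^(phi(N)/4), which is +-1 mod N
    # whenever N = p*q with p, q prime and p = q = 3 (mod 4).
    return v1 == rest or v1 == (N - rest) % N


def distributed_jacobi_test(N, p_shares, q_shares, gs):
    """Accept N only if every usable g in gs is consistent and at least one was used."""
    if p_shares[0] % 4 != 3 or q_shares[0] % 4 != 3:
        raise ValueError("party 1's shares must be 3 mod 4")
    if any(p % 4 or q % 4 for p, q in zip(p_shares[1:], q_shares[1:])):
        raise ValueError("shares of parties 2..n must be 0 mod 4")
    used = 0
    for g in gs:
        outcome = jacobi_round(N, p_shares, q_shares, g)
        if outcome is None:
            continue
        if not outcome:
            return False
        used += 1
    return used > 0


def random_bases(N, rounds, seed=0):
    """Stand-in for the jointly sampled g's; each usable round halves the
    acceptance probability of a non-biprime (given the GCD side condition)."""
    rng = random.Random(seed)
    return [rng.randrange(2, N) for _ in range(rounds)]
```

For N = 1000003 · 1000039 (both primes ≡ 3 mod 4) every usable base accepts; for N' = 1000003 · 1000043 the base g = 2 already rejects, because g^(φ/4) mod 11 equals 2 rather than ±1.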

  32. Step 2: Compile to full security

  33-36. GMW Paradigm vs. Our Approach
   GMW: parties P_1, P_2 hold inputs and randomness (x_1, r_1), (x_2, r_2); each commits to them, and every protocol message m_1, …, m_k is accompanied by a ZK proof that it is consistent with the committed input and randomness.
   Our approach: keep the commitments, but drop the per-message ZK proofs; a single ZK proof for the whole passive execution is given at the end (the certification step).

  37. Our Protocol
   • Commitment: commit to randomness
   • Key setup: generate threshold keys
   • Generate candidates: sample pre-sieved primes
   • Compute products: use TAHE to compute candidate moduli
   • Biprimality test: Jacobi test
   • Certification: zero-knowledge proof

  38. Verifiable Coordinator C
   • The coordinator performs only public operations
   • It signs every message
   • It posts every message on a bulletin board

  39-40. Modular Proof (UC-security)
   Generate Beaver triples → Certify triples → Passive protocol (with triples). Triple generation and certification are abstracted as an ideal functionality ℱ_cert-triple, and the passive protocol is analysed in the ℱ_cert-triple-hybrid model.

  41. Certified Beaver Triples Functionality ℱ_cert-triple
   • Generate: each party P_i receives its shares (a^i_j, b^i_j, c^i_j) of the j-th triple.
   • Prove: for a relation R(x, w), a party can prove a statement x with respect to R(x, w, a^i_j, b^i_j, c^i_j), i.e. with its certified triple shares as part of the witness.

  42. Realizing the Certified Beaver Triples Functionality
   Commit-and-prove functionality ℱ_cp: ℱ_cp(commit), then generate the triples using TAHE (semi-malicious security), then ℱ_cp(prove).
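Triple consumption as an added, runnable Python example (not from the slides or the authors' implementation), covering the Beaver multiplication that the passive protocol performs with certified triples and the reason the triple-consumption proof only has to cover linear operations. The dealer that hands out triples and the 61-bit Mersenne modulus are constructed stand-ins for the TAHE-based generation and the 62-bit primes of the deck; the corrupted-share run shows why an uncertified triple silently yields a wrong product.

```python
"""Beaver-triple multiplication on additive shares (added example)."""
import random

# The deck's triple ring uses 62-bit primes; this constructed example uses the
# 61-bit Mersenne prime 2^61 - 1 so every step is plain modular arithmetic.
MOD = (1 << 61) - 1


def share(x, n, rng):
    """Additive n-of-n sharing of x modulo MOD."""
    shares = [rng.randrange(MOD) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % MOD)
    return shares


def reconstruct(shares):
    return sum(shares) % MOD


def dealer_triple(n, rng):
    """A Beaver triple (a, b, c = a*b) in shared form, from a trusted dealer here;
    the protocol instead generates triples via TAHE and certifies them in ZK."""
    a, b = rng.randrange(MOD), rng.randrange(MOD)
    return share(a, n, rng), share(b, n, rng), share(a * b % MOD, n, rng)


def beaver_multiply(x_shares, y_shares, triple):
    """Return shares of x*y.

    The only interaction is opening d = x - a and e = y - b (both masked by the
    random triple, so they reveal nothing about x, y); everything else is linear
    in the shares, which is why consuming a triple needs only linear proofs."""
    a_sh, b_sh, c_sh = triple
    d = reconstruct([(x - a) % MOD for x, a in zip(x_shares, a_sh)])   # opened
    e = reconstruct([(y - b) % MOD for y, b in zip(y_shares, b_sh)])   # opened
    # z_i = c_i + d*b_i + e*a_i, plus the public term d*e added by one party.
    z = [(c + d * b + e * a) % MOD for a, b, c in zip(a_sh, b_sh, c_sh)]
    z[0] = (z[0] + d * e) % MOD
    return z


def demo(x, y, n=5, seed=1):
    """Multiply with a valid triple, then with a triple in which one party
    corrupted its c-share; returns (correct_result, corrupted_result)."""
    rng = random.Random(seed)
    x_sh, y_sh = share(x, n, rng), share(y, n, rng)
    triple = dealer_triple(n, rng)
    good = reconstruct(beaver_multiply(x_sh, y_sh, triple))
    a_sh, b_sh, c_sh = triple
    bad_c = c_sh[:]
    bad_c[2] = (bad_c[2] + 1) % MOD          # an uncertified, malformed triple
    bad = reconstruct(beaver_multiply(x_sh, y_sh, (a_sh, b_sh, bad_c)))
    return good, bad
```

The corrupted run returns x·y + 1, and nothing in the opened values d, e betrays the tampering; only a certified triple (ℱ_cert-triple) rules this out.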

  43. Which TAHE to choose?
   • Paillier? A circular choice (its key is itself an RSA modulus)
   • El Gamal? Inefficient decryption (discrete log)
   • LWE? Does not support all AHE operations
   • Ring-LWE: more efficient and flexible; supports AHE, better parameters, packing

  44. ZK Constraints
   • Triples generation: operations in the ring ℤ_Q where Q = p_1 × p_2 × ··· × p_n and each p_i is a 62-bit prime.
   • Triples consumption: linear operations modulo τ.
   • Jacobi test: operations in ℤ_N^* where N is the 2048-bit candidate modulus, a product of (a different set of) primes.

  45. What ZK Protocol to Use? Needs:
   • Memory efficient (2 GB RAM for the prover)
   • Communication efficient (sublinear)
   • Transparent
   Our approach: Ligero [AHIV17] + Sigma protocols [Sho00]

  46. The Proofs
   Ligero:
   • Triples generation via Ring-LWE (range proofs)
   • Triples consumption (modular arithmetic)
   Sigma:
   • Jacobi test (knowledge of exponent)
