scalable rsa modulus generation with a dishonest
play

Scalable RSA Modulus Generation with a Dishonest Majority Muthu - PowerPoint PPT Presentation

Jun 24, 2023 •562 likes •1.12k views

Scalable RSA Modulus Generation with a Dishonest Majority Muthu Venkitasubramaniam Ligero Inc. & University of Rochester Megan Chen, Carmit Hazay, Yuval Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, abhi shelat, Ruihan Wang

  1. Scalable RSA Modulus Generation with a Dishonest Majority Muthu Venkitasubramaniam Ligero Inc. & University of Rochester Megan Chen, Carmit Hazay, Yuval Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, abhi shelat, Ruihan Wang

  2. What is an RSA Modulus? Biprime - product of exactly two primes

  3. Why? RSA History • 1977 - RSA Public-Key Encryption • 1999 - Paillier Public-Key Encryption • 2001 - CRS for UC setting • 2018 - Verifiable Delay Functions (VDF) NIST Randomness Beacon Source: https://csrc.nist.gov/projects/interoperable-randomness-beacons

  4. Verifiable Delay Functions • [Rivest-Shamir-Wagner96] introduced Inherently Sequential functions (ISH) • 2018 - VDF constructions by Pietrzak, Wesolowski

  5. Goal Sample a biprime N where factorization “hidden” USE MPC!

  6. Desiderata Modulus size: 2048 bits • Threshold: n-1 corruption • # Participants: > 1000 • Party Spec: “ Lightweight ” • Bandwidth: < 5 Mbps • Security: 60-bit statistical security • 128-bit computational security

  7. Protocol Blueprint PASSIVE Step 1: Design protocol for corruptions Step 2: Upgrade security to tolerate ACTIVE corruptions

  8. Step 1: Scalable Passive Protocol

  9. Previous Works: Overview Corruption Milestone Work Adversary Parties Threshold First Work [BF97] Passive n >= 3 t < n/2 [FMY98] Active n t < n/2 [PS98] Active 2 t = 1 Based on OT [Gil99] Passive 2 t = 1 [ACS02] Passive n t < n/2 [DM10] Active 3 t = 1 [HMRT12] Active n t < n [FLOP18] Active 2 t = 1 [CCD+20] Active n t < n

  10. Boneh-Franklin Framework [BF97] p i , q i N 0,1 3. Biprimality 1. Candidates & 2. Mult Testing Trial division

  11. Boneh-Franklin Framework [BF97] p i , q i N 0,1 3. Biprimality 1. Candidates & 2. Mult Testing Trial division Parties choose p i , q i randomly

  12. Boneh-Franklin Framework [BF97] p i , q i N 0,1 3. Biprimality 1. Candidates & 2. Mult Testing Trial division Parties choose p i , q i randomly

  13. Boneh-Franklin Framework [BF97] p i , q i N 0,1 3. Biprimality 1. Candidates & 2. Mult Testing Trial division Parties choose Is N the product p i , q i randomly of two primes?

  14. [CCD+20] Passive Protocol p i , q i N 0,1 3. Biprimality 1. Candidates & 2. Mult Testing Trial division Parties choose Is N the product p i , q i randomly of two primes?

  15. [CCD+20] Passive Protocol p i , q i N 0,1 3. Biprimality 1. PRESIEVED 2. Mult Testing CANDIDATES Parties choose Is N the product p i , q i randomly of two primes?

  16. [CCD+20] Passive Protocol 1. Pre-sieving Secure Multiplication candidates Secure Multiplication 2. Mult Secure Multiplication 3. Biprimality Jacobi test [BF97] testing

  17. Secure Multiplication a 1 ,b 1 ∈ 𝔾 a 2 ,b 2 ∈ 𝔾 a 𝑜 , b n ∈ 𝔾 … MUL c 1 c n c 2

  18. Implementing Secure Multiplication • Oblivious Linear Evaluation (OLE) – Scales quadratic in # parties • Threshold Additively Homomorphic Encryption (TAHE) [CDN01] – Scales linearly in # parties • Our Approach: TAHE with verifiable coordinator – per-party comm. scales logarithmically in # parties

  19. Threshold AHE with a coordinator P i C p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  20. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  21. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  22. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  23. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  24. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  25. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  26. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  27. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  28. [BF97]’s Distributed Biprimality Test 3. Biprimality 1. Candidates & 2. Mult Testing Trial division Test whether N is the product of two primes [BF97] • Jacobi Test (Dist “ Miller-Rabin" test) • GCD Test

  29. [BF97]’s Distributed Biprimality Test Test whether N is the product of two primes [BF97] • Jacobi Test (Dist “ Miller-Rabin" test) • GCD Test

  30. [BF97]’s Distributed Biprimality Test Test whether N is the product of two primes [BF97] • Jacobi Test (Dist “ Miller-Rabin" test) • GCD Test

  31. [BF97]’s Distributed Biprimality Test Test whether N is the product of two primes [BF97] • Jacobi Test (Dist “ Miller-Rabin" test) • GCD Test

  32. Step 2: Compile to full security

  33. GMW Paradigm P 1 P 2 x 1 ,r 1 x 2 ,r 2 m 1 m k . . .

  34. GMW Paradigm P 1 P 2 x 1 ,r 1 x 2 ,r 2 m 1 Commit Commit ZK m k . . . ZK

  35. Our Approach P 1 P 2 x 1 ,r 1 x 2 ,r 2 m 1 Commit Commit ZK m k . . . ZK

  36. Our Approach P 1 P 2 x 1 ,r 1 x 2 ,r 2 m 1 Commit Commit m k . . . ZK

  37. Our Protocol Commit to randomness Commitment Generate threshold keys Key Setup Sample pre-sieved primes Generate Candidates Use TAHE to compute candidates Compute Products Jacobi test Biprimality test Zero-knowledge proof Certification

  38. Verifiable Coordinator C • Coordinator performs only public operations • Sign every message • Post message on bulletin board

  39. Modular Proof (UC-security) Generate Beaver triples Passive Protocol (with triples) Certify triples

  40. Modular Proof (UC-security) ℱ 𝑑𝑓𝑠𝑢−𝑢𝑠𝑗𝑞𝑚𝑓 Passive Protocol (with triples) ℱ 𝑑𝑓𝑠𝑢−𝑢𝑠𝑗𝑞𝑚𝑓

  41. Certified Beaver Triples Functionality P i 𝑏 𝑘 𝑗 , 𝑐 𝑘 𝑗 , 𝑑 𝑘 Generate 𝑗 𝑘 ℱ 𝑑𝑓𝑠𝑢−𝑢𝑠𝑗𝑞𝑚𝑓 Relation 𝑆 𝑦, 𝑥 𝑦, 𝑆 𝑦, 𝑥, 𝑏 𝑘 𝑗 ,𝑐 𝑗 , 𝑑 𝑗 𝑘 𝑘 𝑘

  42. Realizing Certified Beaver Triples Functionality ℱ 𝑑𝑞 (commit) Commit and Prove Semi-malicious security Generate triples using TAHE ℱ 𝑑𝑞 (prove)

  43. Which TAHE to choose? Paillier? Circular choice • El Gamal? Inefficient decryption (discrete log) • LWE? Does not support all AHE operations • Ring-LWE more efficient, flexible Supports AHE, better parameters, packing •

  44. ZK Constraints • Triples generation - Operations in Ring ℤ 𝑅 where 𝑅 = 𝑞 1 × 𝑞 2 ×∙ ∙ ∙× 𝑞 𝑜 and each 𝑞 𝑗 is a 62-bit prime. • Triples consumption - Linear operations modulo τ • Jacobi test - Operations modulo ℤ 𝑂 ∗ where 𝑂 is the that is a product of (a different set of) primes 2048-bit candidate modulus

  45. What ZK Protocol to Use? Needs: • Memory efficient (2GB RAM for prover) • Communication efficient (sublinear) • Transparent Our Approa oach Ligero [AHIV17] + Sigma [Sho00]

  46. The Proofs Ligero • Triples generation via Ring-LWE (Range Proofs) • Triples consumption (modular arithmetic) Sigma • Jacobi test (knowledge of exponent)

Recommend

Not If But When Me, I'm dishonest. And a dishonest man, you can always trust to be dishonest.

Not If But When Me, I'm dishonest. And a dishonest man, you can always trust to be dishonest.

Not If But When Me, I'm dishonest. And a dishonest man, you can always trust to be dishonest. Honestly, it's the honest ones you want to watch out for, because you can never predict when they're going to do something incredibly stupid.

369 views • 25 slides
18 th November 2016 The Dishonest Litigant Lies, damned lies and statistics [Benjamin

18 th November 2016 The Dishonest Litigant Lies, damned lies and statistics [Benjamin

The Dishonest Litigant Richard Pugh and Craig Murray 18 th November 2016 The Dishonest Litigant Lies, damned lies and statistics [Benjamin Disraeli (possibly...)] What we are not covering Not going to cover the incidence of insurance

702 views • 44 slides
Resilient Modulus Unbound Materials M R Resilient Modulus Axial strain Deviator stress

Resilient Modulus Unbound Materials M R Resilient Modulus Axial strain Deviator stress

Resilient Modulus Unbound Materials M R Resilient Modulus Axial strain Deviator stress Resilient Modulus Cyclic Triaxial Test Haversine Load Pulse Haversine Load Pulse T t sin 2 = ( ) t Flowchart

704 views • 31 slides
Resilient Modulus Unbound Materials 1 Resilient Modulus M R Deviator stress Axial strain

Resilient Modulus Unbound Materials 1 Resilient Modulus M R Deviator stress Axial strain

Resilient Modulus Unbound Materials 1 Resilient Modulus M R Deviator stress Axial strain Resilient Modulus Cyclic Triaxial Test 2 Haversine Load Pulse Haversine Load Pulse sin t ( ) = 2 t T

537 views • 11 slides
A Scalable Approach to Attack Graph Generation By Ou, Boyer, McQueen Presented By: Philip Koshy

A Scalable Approach to Attack Graph Generation By Ou, Boyer, McQueen Presented By: Philip Koshy

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA A Scalable Approach to Attack Graph Generation By Ou, Boyer,

591 views • 33 slides
Scalable 10 to 20 Kilo-pixel MKID Signal Generation and DAQ for Cosmology Gustavo Cancelo

Scalable 10 to 20 Kilo-pixel MKID Signal Generation and DAQ for Cosmology Gustavo Cancelo

Scalable 10 to 20 Kilo-pixel MKID Signal Generation and DAQ for Cosmology Gustavo Cancelo Fermilab Detector R&amp;D Program Review 29 October 2014 MKIDs (Microwave Kinetic Inductance Devices) Pixelated micro-size resonator array.

629 views • 28 slides
StarTrack Next Generation A Scalable Infrastructure for Track-Based Applications Maya Haridasan

StarTrack Next Generation A Scalable Infrastructure for Track-Based Applications Maya Haridasan

StarTrack Next Generation A Scalable Infrastructure for Track-Based Applications Maya Haridasan Iqbal Mohomed Doug Terry Chandu Thekkath Li Zhang MICROSOFT RESEARCH SILICON VALLEY OSDI 2010 Location-Based Applications Many phones

676 views • 24 slides
Numb3rs 11 2 10 3 Modular Arithmetic 9 4 8 5 7 6 Congruence For a modulus m and

Numb3rs 11 2 10 3 Modular Arithmetic 9 4 8 5 7 6 Congruence For a modulus m and

0 12 1 Numb3rs 11 2 10 3 Modular Arithmetic 9 4 8 5 7 6 Congruence For a modulus m and two integers a and b, we say a b (mod m) if m|(a-b) Typically, we shall consider modulus &gt; 0 a b (mod 0) a=b a b (mod 1)

342 views • 13 slides
StarTrack Next Generation: A Scalable Infrastructure for Track-Based Applications Maya Haridasan,

StarTrack Next Generation: A Scalable Infrastructure for Track-Based Applications Maya Haridasan,

Introduction Application Programming Interface StarTrack Server Design Storage Platform Design Evaluation Conclusion StarTrack Next Generation: A Scalable Infrastructure for Track-Based Applications Maya Haridasan, Iqbal Mohomed, Doug Terry,

868 views • 82 slides
Near-Linear Unconditionally-Secure MPC with a Dishonest Minority Serge Fehr CWI Amsterdam

Near-Linear Unconditionally-Secure MPC with a Dishonest Minority Serge Fehr CWI Amsterdam

Near-Linear Unconditionally-Secure MPC with a Dishonest Minority Serge Fehr CWI Amsterdam www.cwi.nl/~fehr Eli Ben-Sasson Rafail Ostrovsky Technion UCLA Multiparty Computation (MPC) x 2 x 3 Goal: x 1 Compute function f on private inputs x

373 views • 13 slides
5th Generation Touchscreen Controller for Mobile Phones and Tablets Hot Chips 2013 Milton

5th Generation Touchscreen Controller for Mobile Phones and Tablets Hot Chips 2013 Milton

5th Generation Touchscreen Controller for Mobile Phones and Tablets Hot Chips 2013 Milton Ribeiro John Carey August, 2013 Design Goals Quick design of derivatives Platform-based design Scalable analog front-end (AFE) Scalable

233 views • 11 slides
Building the Next Generation of Parallel Applications Michael A. Heroux Scalable Algorithms

Building the Next Generation of Parallel Applications Michael A. Heroux Scalable Algorithms

Building the Next Generation of Parallel Applications Michael A. Heroux Scalable Algorithms Department Sandia National Laboratories, USA Sandia National Laboratories is a multi-program laboratory operated by Sandia Corporation, a wholly owned

1.22k views • 73 slides
Building Adaptable and Scalable Natural Language Generation Systems Yannis Konstas Natural

Building Adaptable and Scalable Natural Language Generation Systems Yannis Konstas Natural

Building Adaptable and Scalable Natural Language Generation Systems Yannis Konstas Natural Language Generation is everywhere (Machine Translation)

1.78k views • 174 slides
Expected Constant Round Byzantine Broadcast under Dishonest Majority Jun Wan (junwan@mit.edu)

Expected Constant Round Byzantine Broadcast under Dishonest Majority Jun Wan (junwan@mit.edu)

. . . . . . . . . . . . . . . . Expected Constant Round Byzantine Broadcast under Dishonest Majority Jun Wan (junwan@mit.edu) Hanshen Xiao (hsxiao@mit.edu) Elaine Shi (runting@gmail.com) . . . . . . . . . . . . . .

274 views • 11 slides
Proactive Secret Sharing with a Dishonest Majority Shlomi Dolev*, Karim ElDefrawy**, Joshua

Proactive Secret Sharing with a Dishonest Majority Shlomi Dolev*, Karim ElDefrawy**, Joshua

Proactive Secret Sharing with a Dishonest Majority Shlomi Dolev*, Karim ElDefrawy**, Joshua Lampkins**, Rafail Ostrovsky***, Moti Yung**** * Ben-Gurion University ** Hughes Research Labs (HRL) *** University of California Los Angeles (UCLA)

569 views • 21 slides
! Static Equilibrium ! Static Equilibrium modulus spherical modulus spherical particles on

! Static Equilibrium ! Static Equilibrium modulus spherical modulus spherical particles on

ME 437/537 G. Ahmadi ME 437/537 G. Ahmadi Polystyrene on Polyurethane High elastic High elastic ! Static Equilibrium ! Static Equilibrium modulus spherical modulus spherical particles on particles on ! ! Hydrodynamic Hydrodynamic

198 views • 6 slides
Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview of the Talk Part 1: Background Part 2: Our solution for arbitrary modulus G-lattice sampling Part 3: Our

210 views • 20 slides
Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit Sahai UCLA Secure Multiparty Computation A set of mutually distrustful parties (n) wish to compute a joint function of their private inputs

309 views • 16 slides
(In an Increasingly Dishonest World) Friday October 30, 2015 MASSW-Michigan Annual Conference

(In an Increasingly Dishonest World) Friday October 30, 2015 MASSW-Michigan Annual Conference

Cultivating Honesty and Integrity in Our Kids (In an Increasingly Dishonest World) Friday October 30, 2015 MASSW-Michigan Annual Conference Lansing, Michigan Terrence Daryl Shulman, JD, LMSW, ACSW, CAADC, CPC Founder/Director, The Shulman

438 views • 21 slides
RSA Accumulator Oct 29, 2019 Overview Definitions modulus math RSA Accumulator

RSA Accumulator Oct 29, 2019 Overview Definitions modulus math RSA Accumulator

RSA Accumulator Oct 29, 2019 Overview Definitions modulus math RSA Accumulator Hash to prime E ffi cient algorithms (Batching) Trusted Setup problem Class Group accumulators Terminology Accumulator : A

426 views • 40 slides
Jason Baumgartner, Hari Mony, Michael Case, Jun Sawada and Karen Yorav IBM Corporation FMCAD

Jason Baumgartner, Hari Mony, Michael Case, Jun Sawada and Karen Yorav IBM Corporation FMCAD

Scalable Conditional Equivalence Checking: Scalable Conditional Equivalence Checking: An Automated Invariant- -Generation Based Approach Generation Based Approach An Automated Invariant Jason Baumgartner, Hari Mony, Michael Case, Jun Sawada

491 views • 24 slides
Scalable String Matching on the Scalable String Matching on the Scalable String Matching on the

Scalable String Matching on the Scalable String Matching on the Scalable String Matching on the

Scalable String Matching on the Scalable String Matching on the Scalable String Matching on the Cell BE Processor BE Processor Cell Cell BE Processor Daniele Scarpazza, Oreste Villa, Fabrizio Petrini Applied Computer Science Group Pacific

408 views • 21 slides
Cache Coherence in Scalable Machines Scalable Cache Coherent Systems Scalable, distributed

Cache Coherence in Scalable Machines Scalable Cache Coherent Systems Scalable, distributed

Cache Coherence in Scalable Machines Scalable Cache Coherent Systems Scalable, distributed memory plus coherent replication Scalable distributed memory machines P-C-M nodes connected by network communication assist interprets

1.13k views • 87 slides
Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and

Factoring RSA Modulus using Prime Reconstruction from Random Known Bits S. Maitra, S. Sarkar and S. Sen Gupta Cryptology Research Group, ASU Indian Statistcal Institute, Kolkata May 3, 2010 Background Slide 2 of 31 RSA Framework Key-Gen

607 views • 58 slides

More recommend