
Page 1: Optimizing Robustness while Generating Shared Secret Safe Primes Emil Ong and John Kubiatowicz emilong@cs.berkeley.edu University of California, Berkeley

Optimizing Robustness while Generating Shared Secret Safe Primes

Emil Ong and John Kubiatowicz

emilong@cs.berkeley.edu

University of California, Berkeley

Page 2:

Motivation

Several multi-party algorithms need or benefit from using safe primes
   - Usually for RSA moduli (e.g. Shoup’s RSA signature scheme)

In many of these algorithms, the safe primes must be shared secrets to preserve security

Page 3:

Generating safe primes as shared secrets: Prior Work

Algesheimer, Camenisch, and Shoup (CRYPTO ’00)
   - Developed several novel mechanisms for modular arithmetic
   - Honest-but-curious model

Page 4:

Our contribution

A safe prime generation method which is robust and “efficient”

Use a robust form of distributed sieving to find safe prime candidates

Provide optimized methods for multiparty modular arithmetic

Page 5:

High Level Overview

1. Find a safe prime candidate
   - Sieve for rough numbers, i.e. those without small prime factors
   - Ensure the number is ≡ 3 (mod 4)

2. Test for compositeness via a distributed Miller-Rabin test

Page 6:

Distributed Sieving (Malkin, Wu, and Boneh, NDSS ’99)

1. Each player finds a random “rough” integer a_i (i.e. one relatively prime to M_b, the product of the first b primes)

2. The players generate additive shares b_i such that Σ_i b_i ≡ Π_i a_i (mod M_b)

3. Players choose a random r_i

4. Locally compute b_i + r_i·M_b to obtain an additive share of a + r·M_b, where a = Π_i a_i mod M_b and r is the sum of the r_i (plus the carry from step 2)
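To make the four sieving steps concrete, here is an added single-process Python simulation of the Malkin-Wu-Boneh sieve in the honest-but-curious setting. It is example code written for this page, not code from the slides or from the OceanStore project; in particular, the multiplicative-to-additive conversion of step 2 is simulated in the clear, where the real protocol runs an MPC sub-protocol. The function names, the `r_bits` parameter and the seeded generator are this example's own choices.

```python
import math
import random

# Added example, not code from the slides or the project: all "players" run
# in this process, and step 2's share conversion is done in the clear.


def first_primes(b):
    """Return the first b primes by trial division (b is small in practice)."""
    primes = []
    n = 2
    while len(primes) < b:
        if all(n % p for p in primes):
            primes.append(n)
        n += 1
    return primes


def primorial(b):
    """M_b: the product of the first b primes."""
    return math.prod(first_primes(b))


def random_rough(M_b, rng):
    """Step 1: a random integer in [1, M_b) that is relatively prime to M_b."""
    while True:
        a = rng.randrange(1, M_b)
        if math.gcd(a, M_b) == 1:
            return a


def additive_shares(value, modulus, n, rng):
    """Simulated step 2: b_1..b_n with sum(b_i) = value (mod modulus)."""
    shares = [rng.randrange(modulus) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % modulus)
    return shares


def distributed_sieve(n_players, b, r_bits=64, seed=None):
    """Run the four sieving steps; return M_b and the players' shares p_i.

    The reconstructed candidate p = sum(p_i) equals a + r*M_b for some
    integer r, with a = prod(a_i) mod M_b coprime to M_b, so p has no
    prime factor among the first b primes.
    """
    rng = random.Random(seed)
    M_b = primorial(b)
    a_i = [random_rough(M_b, rng) for _ in range(n_players)]      # step 1
    a = math.prod(a_i) % M_b                                        # product of the rough a_i
    b_i = additive_shares(a, M_b, n_players, rng)                   # step 2 (simulated)
    r_i = [rng.randrange(1 << r_bits) for _ in range(n_players)]    # step 3
    p_i = [bi + ri * M_b for bi, ri in zip(b_i, r_i)]               # step 4, purely local
    return M_b, p_i


def reconstruct(p_i):
    """Open the additive sharing (never done for a real secret candidate)."""
    return sum(p_i)


def is_rough(p, b):
    """Check that none of the first b primes divides p."""
    return all(p % q != 0 for q in first_primes(b))


if __name__ == "__main__":
    M_b, p_i = distributed_sieve(n_players=4, b=10, seed=7)
    p = reconstruct(p_i)
    print("M_b =", M_b, "| candidate rough:", is_rough(p, 10), "| odd:", p % 2 == 1)
```

Because 2 is among the first b primes, every candidate the sieve produces is odd; the ≡ 3 (mod 4) condition from the overview slide is a separate check that the sieve alone does not enforce.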

Page 7:

Making Distributed Sieving Robust

1. Each player finds a random “rough” integer a_i (i.e. one relatively prime to M_b, the product of the first b primes)
   Robustness issue: need to prove each a_i is genuinely rough

2. The players generate additive shares b_i such that Σ_i b_i ≡ Π_i a_i (mod M_b)
   Robustness issue: prefer threshold (polynomial) sharing

3. Players choose a random r_i
   Robustness issue: need to share the r_i polynomially and prove their size

4. Locally compute b_i + r_i·M_b to obtain an additive share of a + r·M_b

Page 8:

Robust Distributed Sieving

1. Each player finds a random “rough” integer a_i; each a_i is shared polynomially along with a ZK proof

2. The a_i are multiplied using the usual method (Ben-Or, Goldwasser, and Wigderson)

3. Players choose a random r_i and share them polynomially, along with a proof of size

4. Locally compute b_i + r_i·M_b to obtain an additive share of a + r·M_b

Page 9:

High Level Overview

1. Find a safe prime candidate
   - Sieve for rough numbers, i.e. those without small prime factors
   - Ensure the number is ≡ 3 (mod 4)

2. Test for compositeness via a distributed Miller-Rabin test

Page 10:

Distributed Miller-Rabin

Input: Secret shares of prime candidate φ

1. Locally compute e = (φ − 1) / 2

2. Repeat m times:
   a. Choose a random g (0 ≤ g ≤ φ − 1)
   b. Compute shares of g^e mod φ
   c. If g^e mod φ ∉ {−1, 1}, output failure

3. Output success

Page 11:

Modular exponentiation (Algesheimer, Camenisch, and Shoup, CRYPTO ’00)

Compute shares of g^e mod φ

1. Reshare the bits of e as β_1, …, β_n

2. c = (g − 1)·β_n + 1

3. For i = n−1 downto 1, do
   1. d = (g − 1)·β_i + 1
   2. c = ((c^2 mod φ) · d) mod φ

4. Output c

Note that g^{β_i} = (g − 1)·β_i + 1

Page 12:

Optimization: Lookup tables

Alternate perspective: g^{β_i} = (g − 1)·β_i + 1 is a “lookup” of a 2-element table: 1 and g

Problem: Sharing bits of a secret can be expensive

Idea: Try to optimize by doing a lookup in an arbitrarily sized table
   - Break the exponent into larger pieces than bits → fewer shares

Page 13:

Generalized Modular Exponentiation

Compute shares of g^e mod φ

1. Precompute g^0 mod φ, g^1 mod φ, …, g^{η−1} mod φ

2. Reshare e in base η as η_1, …, η_ω (ω = n/η)

3. c = LOOKUP(η_ω)

4. For i = ω−1 downto 1, do
   1. d = LOOKUP(η_i)
   2. c = ((c^η mod φ) · d) mod φ

5. Output c

Result: The number of modular multiplications is reduced from 2·log2 e to log2 e + ω

Page 14:

Lookup procedure

Input: g^0 mod φ, g^1 mod φ, …, g^{η−1} mod φ, and shares of a digit η_j ∈ {0, …, η−1}

1. For i = 0 to η−1, do: compute shares of δ_i = norm(η_j − i), so that δ_i = 0 exactly when η_j = i

2. For i = 0 to η−1, do: locally compute 1 − δ_i

3. Locally compute Σ_i (1 − δ_i) · g^i mod φ

Normalization (adapted from Bar-Ilan and Beaver, PODC 1989):

   norm(x) = 0 if x = 0, 1 otherwise
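The following added Python example ties together the distributed Miller-Rabin test (page 10), the bit-based exponentiation (page 11), the generalized base-η exponentiation (page 13) and the normalization-based lookup (page 14). It is example code written for this page, not code from the slides or the project: everything that the protocol keeps secret-shared (e, its digits, d and c) is a plain integer here, so the example demonstrates the control flow and the modular-multiplication counts, not the multi-party arithmetic. The names `norm`, `lookup`, `pow_public`, `exp_bits`, `exp_table` and `miller_rabin_safe` are this example's own.

```python
import random

# Added example, not code from the slides or the project: a plaintext model
# of the exponentiation, lookup and Miller-Rabin procedures described above.


def norm(x):
    """Normalization as on the slide: 0 if x == 0, 1 otherwise."""
    return 0 if x == 0 else 1


def lookup(table, digit):
    """Select table[digit] as a weighted sum instead of an indexed read.

    1 - norm(digit - i) is 1 only for i == digit, so exactly one entry
    survives; this is the structure the shared-digit lookup relies on.
    """
    selectors = [1 - norm(digit - i) for i in range(len(table))]
    return sum(s * t for s, t in zip(selectors, table))


def pow_public(c, k, phi):
    """c^k mod phi for a public exponent k, counting modular multiplications."""
    result, base, mults = None, c % phi, 0
    while k:
        if k & 1:
            if result is None:
                result = base            # first set bit: no multiplication needed
            else:
                result, mults = result * base % phi, mults + 1
        k >>= 1
        if k:
            base, mults = base * base % phi, mults + 1
    return result % phi, mults


def exp_bits(g, e, phi):
    """Square-and-multiply over the bits beta_1 (LSB) .. beta_n (MSB) of e.

    Each g^{beta_i} is formed as (g - 1) * beta_i + 1, the 2-entry lookup of
    {1, g}. Returns (g^e mod phi, number of modular multiplications).
    """
    if e == 0:
        return 1 % phi, 0
    beta = [(e >> i) & 1 for i in range(e.bit_length())]
    n = len(beta)
    c = (g - 1) * beta[n - 1] + 1
    mults = 0
    for i in range(n - 2, -1, -1):
        d = (g - 1) * beta[i] + 1
        c = (c * c % phi) * d % phi      # one squaring, one multiplication
        mults += 2
    return c % phi, mults


def exp_table(g, e, phi, eta):
    """Generalized exponentiation over base-eta digits eta_1 (LSD) .. eta_omega.

    Precompute g^0..g^{eta-1}, split e into digits, start from the top
    digit, then repeatedly raise to the eta and multiply by a looked-up
    power. Returns (g^e mod phi, number of modular multiplications).
    """
    if e == 0:
        return 1 % phi, 0
    table = [pow(g, i, phi) for i in range(eta)]
    digits = []
    x = e
    while x:
        digits.append(x % eta)
        x //= eta
    omega = len(digits)
    c = lookup(table, digits[omega - 1])
    mults = 0
    for i in range(omega - 2, -1, -1):
        d = lookup(table, digits[i])
        c, m = pow_public(c, eta, phi)   # c^eta: log2(eta) squarings when eta is a power of 2
        c = c * d % phi
        mults += m + 1
    return c % phi, mults


def miller_rabin_safe(phi, m, eta=16, seed=None):
    """Page-10 test for a candidate phi ≡ 3 (mod 4): g^((phi-1)/2) must be ±1.

    The slide draws g from 0..phi-1; this model draws from 2..phi-2 so the
    trivial bases 0, 1 and phi-1 never consume a round.
    """
    rng = random.Random(seed)
    e = (phi - 1) // 2
    for _ in range(m):
        g = rng.randrange(2, phi - 1)
        y, _ = exp_table(g, e, phi, eta)
        if y not in (1, phi - 1):
            return False                 # witness of compositeness
    return True
```

For a 64-bit exponent the bit-based routine performs 2·63 = 126 modular multiplications, while the base-16 routine performs 15·(4 + 1) = 75, in line with the slide's 2·log2 e versus log2 e + ω comparison; the lookup itself costs only local additions once the δ_i are available.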

Page 15:

Summary

Robust distributed sieving for safe prime candidate selection

Improvements to modular arithmetic in the multiparty setting

Current work: implementation

Page 16:

Conclusions and Lessons

Modular arithmetic optimizations can be useful in general

Safe prime generation is still slow (up to 5 minutes locally)

The algorithm is non-trivial to implement

If possible, avoid safe primes for now while we optimize further ☺

Page 17:

Thank you!

Check our website soon for an extended version of the paper:

http://oceanstore.cs.berkeley.edu