Fast Three-Party Shared Generation of RSA Keys Without Distributed Primality Tests

Maged H. Ibrahim, I. I. Ibrahim, A. H. El-Sawy
Telecommunications Department, Faculty of Engineering, Helwan University, Helwan, Cairo, Egypt

Abstract

Distributed primality tests for checking the factors of a jointly generated RSA modulus have always been considered a nightmare because of the time they take to succeed: an enormous number of trials must be performed before a suitable RSA modulus is established. In this paper we propose a protocol that allows three parties to share the generation of an RSA modulus N and to share the secret key d. The protocol has the following properties, which previous protocols lack:
- It needs no distributed primality test: the three parties find a suitable modulus on the first trial, without any additional tests.
- It can generate an RSA modulus that is a product of safe primes.
- It is less vulnerable to the RSA attacks in [26, 27].

1 Introduction

In several cryptographic protocols, such as threshold cryptography [1, 6, 23], n parties (players) share a signature key in such a way that no subset of t or fewer players can generate a signature, while any subset of t + 1 or more players can, where t is the threshold. The shares of the private key are set up and distributed by an honest dealer. The problem with such protocols is that the dealer is a single point of failure: any adversary who compromises the dealer can forge signatures. When collective signature protocols are considered, the difficulty with the RSA signature scheme is that the public modulus N is a product of two large primes p and q which must be kept secret from the players. The players need to agree on a modulus N and be convinced that N is a product of two large primes, while learning nothing about its factorization.
The nature of the RSA modulus N makes sharing RSA keys without a dealer harder than for signature schemes that only require large public primes, such as DSS [2, 3, 4].

2 Related Work, Motivations and Contributions

2.1 Related work

Boneh and Franklin [7] showed how to generate RSA keys without the help of a dealer; several phases of their protocol use reduced versions of information-theoretic private multiparty computation. Clifford Cocks [8] proposed another, unproven, solution for two-party RSA function sharing, which was extended to the multiparty case in [21]; the computational intractability of his underlying problem is weaker than that of RSA. Blackburn et al. [9] investigated Cocks' protocol and added verifiability to it in order to face malicious behaviour of the two parties. Frankel, MacKenzie and Yung [10] improved the security of the Boneh-Franklin protocol. Later, Poupard and Stern [11] gave a different protocol for two parties to jointly generate an RSA key. Niv Gilboa [12] constructed three protocols for two-party RSA key generation: the first is based on 1-out-of-2 oblivious transfer of strings, the second on an efficient polynomial evaluation technique, and the third on a special type of homomorphic encryption. Because the modulus is generated as the product of two random l-bit numbers chosen simultaneously, the probability that it is a product of exactly two primes is about $(l \ln 2)^{-2}$ by the prime number theorem, so the expected number of trials is of order $O(l^2)$. The method of Boneh and Horwitz [24] is a k-private test that checks whether a candidate modulus is a product of three primes; picking three l-bit numbers simultaneously would give an $O(l^3)$ running time, but a variant of their algorithm confined to the three-party setting achieves $O(l)$. Straub [25] took up the ideas of Boneh-Horwitz and Gilboa to obtain an efficient algorithm tailored to the two-party scenario; his method generates a multi-prime RSA modulus of length 3l in an expected running time of $O(l)$. In [?], in the honest-but-curious scenario, Shoup et al. introduced a protocol to share a safe prime and applied it to jointly generate an RSA modulus that is a product of safe primes; however, their protocol still requires $O(l)$ trials. In all the above protocols, if a trial division test (also spoken of as a trivial division test) is performed to check that the picked random strings are not divisible by small primes, the number of trials required to find a suitable modulus drops by a factor of $\lg l$.

2.2 Motivations

The work in this paper is motivated by the observation that almost all methods proposed so far share two weaknesses:
- They require a distributed primality test to ensure that the generated modulus is a product of two or more primes, and a large number of trials until this test succeeds, which is an extensive task.
- They are unable to generate an RSA modulus that is a product of two or more safe primes.

Remark. The second weakness applies to all previous protocols except the protocol in [?].

2.3 Contributions

In this paper we propose a three-party protocol for the shared generation of an RSA modulus N that is a product of three primes, without any distributed primality test after the modulus is generated. A suitable modulus is produced on the first trial.
Also, our protocol can generate an RSA modulus that is a product of three safe primes. This is possible because each party selects its factor as a prime (or safe prime) from the outset.

3 The Model

Communication model: the three parties Alice, Bob and Carol are fully connected, so that any party can communicate with any other through a private and authenticated channel; the parties also have access to a broadcast channel.

Adversary model: we assume a passive adversary, who sees and learns all information sent to or from a corrupted party without altering that party's behaviour; the parties follow the execution steps of the protocol word for word. This commonly used model is known as the honest-but-curious scenario. The protocol is 1-private: a single party has no information about the full factorization of the RSA modulus N, whereas two colluding parties can factor N. Equivalently, an adversary who successfully eavesdrops on more than one party can factor N.

4 Preliminaries

4.1 RSA cryptosystem

A valid RSA modulus is a product of distinct odd primes or safe primes, $N = \prod_{i=1}^{n} q_i$ with $n \ge 2$. A safe prime q has the form $q = 2q' + 1$ where $q'$ is also prime. When $n = 2$ the cryptosystem is called standard RSA; otherwise it is multi-prime RSA. e is the public exponent and d the private exponent, satisfying $ed \equiv 1 \pmod{\phi(N)}$. For threshold cryptography the private exponent is shared among the participating parties; a straightforward way is to share it additively, for example $d = d_1 + d_2 + d_3 \pmod{\phi(N)}$ among three parties. To sign the hash h of a message, each party produces the partial signature $S_i = h^{d_i} \bmod N$, and the final signature is $S = S_1 S_2 S_3 \bmod N$.
There are some advantages to using an RSA modulus $N = q_1 q_2 q_3$ rather than the usual $N = pq$:
- Signature generation is much faster with the Chinese remainder theorem [28]. One computes $m^{d \bmod (q_i - 1)} \bmod q_i$ for $i = 1, 2, 3$; since the moduli and exponents are smaller, signature generation is twice as fast as CRT signing with $N = pq$.
- Wiener's attack on short RSA secret exponents [26] becomes less efficient with three prime factors [24].
- The fastest factoring methods [27] cannot take advantage of the fact that the factors of $N = q_1 q_2 q_3$ are smaller than those of a standard modulus $N = pq$ [24].

4.2 Related protocols

As a warm-up we describe several protocols closely related to the one presented in this paper. First, the protocol of Boneh and Franklin [7], which allows three parties (Alice, Bob and Carol) to jointly generate an RSA modulus N = pq, proceeds as follows:
- Step 1. Alice picks two secret random l-bit integers $p_a, q_a$; Bob picks two secret random l-bit integers $p_b, q_b$; Carol picks two secret random l-bit integers $p_c, q_c$.
- Step 2. Using private distributed computation they compute $N = (p_a + p_b + p_c)(q_a + q_b + q_c)$.
- Step 3. They perform a distributed primality test to ensure that N is a product of two primes.
The expected number of trials until a suitable modulus is generated is $O(l^2)$.

An alternative approach by Boneh and Horwitz [24], which combats the quadratic slowdown of the above protocol, is as follows:
- Step 1. Alice picks a random l-bit prime p and a random l-bit integer $r_a$; Bob picks a random l-bit prime q and a random l-bit integer $r_b$; Carol picks a random l-bit integer $r_c$.
- Step 2. Using private distributed computation they compute $N = pq(r_a + r_b + r_c)$ with no information revealed about the full factorization of N.
- Step 3. The three parties run a distributed primality test to check that $r_a + r_b + r_c$ is prime.

In the recent two-party protocol of Straub [25], Alice and Bob construct a 3l-bit modulus of the form $(p_a + p_b)\,q_a q_b$, where $p_a, p_b$ are arbitrary $(l-1)$-bit random numbers and $q_a, q_b$ are l-bit primes; Alice holds $p_a, q_a$ and Bob holds $p_b, q_b$. A suitable modulus is found after an expected $O(l)$ trials using distributed sieving.

4.3 Notion of secret sharing representations: the building block

Let R be a ring and $s \in R$ a secret. Suppose Alice holds the pair $x, a \in R$ and Bob holds the pair $y, b \in R$, where $s = x + y = ab$. The pair $(x, y)$ is called an additive sharing of s and the pair $(a, b)$ a multiplicative sharing of s.
The protocol in this paper requires a subprotocol for two parties to switch from a multiplicative sharing of a secret value to an additive sharing of it: Alice holds a and Bob holds b with $ab = s$; they run a subroutine we call mult-to-sum, at the end of which Alice holds x and Bob holds y with $x + y = s$, and neither of them learns anything about s or the other's multiplicative share. The mult-to-sum subroutine can be implemented by different techniques: by homomorphic encryption, essentially a public-key cryptosystem with a useful homomorphic property [25], or via oblivious transfer of strings [13, 14, 15, 16, 18, 19]. The subroutine described next is an example, not a restriction; it uses 1-out-of-2 oblivious transfer of strings, $OT^1_2$ [20], as the underlying primitive.

Consider parties A(lice) and B(ob), where A holds a secret a and B holds a secret b, with $a, b \in R$ for a public ring R, and let $\rho = \log |R|$. A and B wish to perform a computation at the end of which A has x and B has y such that $x + y = ab$. All computations are over R. The mult-to-sum subroutine is as follows [12]:
- B selects, uniformly at random and independently, ρ ring elements $s_0, \ldots, s_{\rho-1} \in R$.
- B prepares ρ pairs of elements of R, $(t^0_0, t^1_0), \ldots, (t^0_{\rho-1}, t^1_{\rho-1})$, setting $t^0_i = s_i$ and $t^1_i = 2^i b + s_i$ for $0 \le i \le \rho - 1$.
- Let the binary representation of a be $a_{\rho-1}, \ldots, a_0$. A and B execute ρ invocations of $OT^1_2$; in the k-th invocation A chooses $t^{a_k}_k$ from the pair $(t^0_k, t^1_k)$.
- A sets $x = \sum_{i=0}^{\rho-1} t^{a_i}_i$ and B sets $y = -\sum_{i=0}^{\rho-1} s_i$.

In this subroutine $x = \sum_{i=0}^{\rho-1} t^{a_i}_i = \sum_{i=0}^{\rho-1} (a_i 2^i b + s_i) = ab + \sum_{i=0}^{\rho-1} s_i$, and consequently $x + y = ab$ over R. The transcript of either party's view can be simulated, hence the protocol is secure; the proof of this statement is given in [12].

5 The Protocol

In this section we present the complete description of our protocol.
5.1 Shared generation of the RSA modulus N

Alice picks a random l-bit prime $q_a$, Bob picks a random l-bit prime $q_b$ and Carol picks a random l-bit prime $q_c$. They want to share the computation of the RSA modulus $N = q_a q_b q_c$ with no information revealed to any of them about the full factorization of N: at the end Alice knows only $q_a$, Bob only $q_b$ and Carol only $q_c$, in addition to the published modulus N. Let R be a publicly known ring with $\rho = 3l = \log |R|$. The protocol is as follows:
- Bob picks two $(l-1)$-bit random numbers $r_a$ and $r_c$ such that $q_b = r_a + r_c$, and secretly delivers $r_a$ to Alice and $r_c$ to Carol.
- Alice computes $a = q_a r_a$ while Carol computes $c = q_c r_c$.
- Alice and Carol run mult-to-sum to compute additive shares of the product $a q_c$. At the end Alice holds $x_1$ and Carol holds $y_1$ such that $x_1 + y_1 = a q_c$.
- Alice and Carol run mult-to-sum to compute additive shares of the product $c q_a$. At the end Alice holds $y_2$ and Carol holds $x_2$ such that $x_2 + y_2 = c q_a$.
- Alice broadcasts $x_1 + y_2$ while Carol broadcasts $y_1 + x_2$. Any of the three parties can compute N from the broadcast quantities.

Because the protocol is so simple, the proofs of the following two lemmas will be apparent to any expert in the field; we give them for clarity.

Lemma 1. $N = x_1 + x_2 + y_1 + y_2$ over the ring.

Proof. $x_1 + y_1 = a q_c$ and $x_2 + y_2 = c q_a$, with $a = r_a q_a$ and $c = r_c q_c$. Hence $x_1 + y_1 + x_2 + y_2 = r_a q_a q_c + r_c q_c q_a = q_a q_c (r_a + r_c) = q_a q_c q_b = N$.

Lemma 2. Assuming the mult-to-sum subroutine is secure and the parties are honest-but-curious, the protocol above is 1-private.

Proof. Obviously the protocol cannot withstand a collusion of two parties: an adversary who successfully eavesdrops on any two parties knows the full factorization of N. This is accepted in threshold cryptography, where a majority of the players is assumed honest (untouchable by the adversary) in order to perform computations. An adversary who successfully eavesdrops on one of the three parties has that party's view. Bob's case is trivial: the adversary learns only $q_b$ and is left with the problem of factoring $q_a q_c$. Consider Alice's case (Carol's is similar): the adversary's view is $N, q_a, r_a, x_1, y_2$. Assuming the underlying mult-to-sum subroutine is secure (i.e. preserves the privacy of both Alice and Carol), the adversary gains no information about $r_c$ or $q_c$ from $x_1, y_2$; consequently knowing $r_a$ provides no information about $q_b$, since every value of $r_c$ with $r_c = q_b - r_a$ remains possible. Therefore none of the three parties knows any factor of N other than the one it initially picked, and the protocol is 1-private. Note that the situation of Alice and Carol is exactly that of the two parties in Straub's protocol [25].

5.2 Sharing the secret Euler totient φ(N)

At this point the three parties Alice, Bob and Carol have agreed on an RSA modulus N that is a product of exactly three primes (or safe primes, if required). They jointly agree on a public prime exponent e, and now want to compute shares of the secret key d with $ed \equiv 1 \pmod{\phi(N)}$, where $\phi(N) = (q_a - 1)(q_b - 1)(q_c - 1)$. To share $\phi(N)$ additively the parties proceed in a similar fashion:
- Bob picks two random numbers $r'_a$ and $r'_c$ such that $q_b - 1 = r'_a + r'_c$, and secretly delivers $r'_a$ to Alice and $r'_c$ to Carol.
- Alice computes $a' = r'_a (q_a - 1)$ while Carol computes $c' = r'_c (q_c - 1)$.
- Alice and Carol run mult-to-sum to additively share $a'(q_c - 1)$. At the end Alice holds $x_1$ and Carol holds $y_1$ such that $a'(q_c - 1) = x_1 + y_1$.
- Alice and Carol run mult-to-sum to additively share $c'(q_a - 1)$. At the end Alice holds $y_2$ and Carol holds $x_2$ such that $c'(q_a - 1) = x_2 + y_2$.
- Alice computes $\phi_a = x_1 + y_2$ while Carol computes $\phi_c = x_2 + y_1$.

Remark. The first step can be skipped if Alice and Carol kept the values $r_a$ and $r_c$ they previously received from Bob: Alice sets $r'_a = r_a - 1$ and Carol sets $r'_c = r_c$, so that $r'_a + r'_c = q_b - 1$.

Clearly $\phi(N) = \phi_a + \phi_c$. One may object that Bob holds no share of $\phi(N)$. Bob need not worry about this, since the protocol is 1-private: an adversary who eavesdrops on either Alice or Carol gains no information about $\phi(N)$.
What matters to Bob is that he receives a valid share of the secret key d at the end of the protocol.

5.3 Computing inverses over the shared secret φ(N): sharing the secret key

Alice picks two random secret numbers $\lambda_a, R_a$, Bob picks a secret random number $R_b$ and Carol picks two random secret numbers $\lambda_c, R_c$. Following the recommendations in [22], the secrets $\lambda_a, \lambda_c$ are much greater than $\phi(N)$ (of order $O(N^2)$) while $R_a, R_b, R_c$ are of order $O(N^3)$. Alice, Bob and Carol want to jointly compute the quantity
$$\gamma = \lambda\,\phi(N) + R e = (\lambda_a + \lambda_c)(\phi_a + \phi_c) + (R_a + R_b + R_c)\,e.$$
- Bob picks two random numbers $R'_a, R'_c$ such that $R_b = R'_a + R'_c$, and secretly delivers $R'_a$ to Alice and $R'_c$ to Carol.
- Alice and Carol run mult-to-sum twice. At the end of the first run Alice holds $x_1$ and Carol holds $y_1$ such that $\lambda_a \phi_c = x_1 + y_1$; at the end of the second run Alice holds $y_2$ and Carol holds $x_2$ such that $\lambda_c \phi_a = x_2 + y_2$.
- Alice computes $\gamma_a = x_1 + y_2 + \lambda_a \phi_a + (R_a + R'_a)\,e$ while Carol computes $\gamma_c = x_2 + y_1 + \lambda_c \phi_c + (R_c + R'_c)\,e$.
- Alice broadcasts $\gamma_a$ and Carol broadcasts $\gamma_c$. Any of the three parties can compute $\gamma = \gamma_a + \gamma_c$.

Assuming $\gcd(\gamma, e) = 1$, the parties run the extended Euclidean algorithm to find the pair $(x, y)$ with $x\gamma + ye = 1$, which must exist. Substituting $\gamma = \lambda\phi(N) + Re$ and reducing modulo $\phi(N)$ gives $e(xR + y) \equiv 1 \pmod{\phi(N)}$, i.e. $xR + y = e^{-1} \bmod \phi(N)$, so one may set $d = xR + y$. Additive shares of d follow immediately: Alice sets $d_a = x R_a + y$, Bob sets $d_b = x R_b$ and Carol sets $d_c = x R_c$. Clearly $d = d_a + d_b + d_c$.

5.4 Signature generation

In the classical method, to sign a message m after hashing and padding, Alice computes and broadcasts $S_a = m^{d_a} \bmod N$, Bob computes and broadcasts $S_b = m^{d_b} \bmod N$ and Carol computes and broadcasts $S_c = m^{d_c} \bmod N$. The final signature is $S = S_a S_b S_c \bmod N$.

5.5 Note on tolerating crashes: threshold structure

At this point Alice, Bob and Carol share the secret key d in a 3-out-of-3 secret sharing structure: if one party halts or crashes, the other two cannot produce a signature. It is possible to convert this into an efficient threshold structure in which any two parties can generate the signature even in the absence of the third [29]. Let $P = \{P_1, P_2, P_3\}$ be the set of parties, each $P_i$ holding a share $d_i$ of the secret key d such that $d = d_1 + d_2 + d_3$.
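The whole protocol, as an added example that is not the authors' code: the mult-to-sum subroutine of Section 4.3 (with the 1-out-of-2 OT simulated by direct selection, since the point here is the arithmetic), the modulus generation of 5.1, the φ(N) sharing of 5.2, the inversion of 5.3, the signature of 5.4 and the 2-out-of-3 resharing of 5.5, all run in one process with toy 40-bit primes and e = 65537 (the paper only says e is a public prime). Two choices are mine, not the paper's: a single ring $\mathbb{Z}_{2^\rho}$ is used throughout, with ρ chosen so that γ (about $N^3 e$) fits without wrapping, because the paper fixes ρ = 3l for Section 5.1 only and $\gamma_a + \gamma_c$ is exact only if the ring is larger than γ; and the loop in 5.3 gives up after a few tries, because if e divides φ(N) every γ is divisible by e and no key exists for that modulus. Function names and the retry bound are also mine. As in the honest-but-curious model, the simulation trusts each party to pick a prime; nothing in the protocol detects a party who picks a composite.

```python
# Added example (not the authors' code): Sections 4.3 and 5.1-5.5 simulated in one
# process.  Assumed: ring Z_{2^rho} with one rho big enough to hold gamma exactly
# (the paper fixes rho = 3l for 5.1 only); OT_2^1 simulated by direct selection.
import secrets
from functools import reduce
from math import gcd

def is_probable_prime(n, rounds=32):
    """Miller-Rabin, adequate for a demonstration."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random prime with the top bit set, by rejection sampling."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q):
            return q

def mult_to_sum(a, b, rho):
    """Gilboa's OT-based mult-to-sum over Z_{2^rho} (Section 4.3): the a-holder
    ends with x, the b-holder with y, and x + y = a*b mod 2^rho."""
    mod = 1 << rho
    x = y = 0
    for i in range(rho):
        s = secrets.randbelow(mod)                    # b-holder's mask for bit i
        t0, t1 = s, ((b << i) + s) % mod              # pair offered through OT_2^1
        x = (x + (t1 if (a >> i) & 1 else t0)) % mod  # a-holder learns only t_{a_i}
        y = (y - s) % mod                             # b-holder keeps -(sum of masks)
    return x, y

def shared_keygen(l=40, e=65537):
    """Returns N, e, the additive shares [d_a, d_b, d_c] and, for checking only,
    the primes; in the protocol each prime stays with the party that chose it."""
    rho = 9 * l + e.bit_length() + 8                  # gamma < 2^rho, sums never wrap
    mod = 1 << rho
    q_a, q_b, q_c = (random_prime(l) for _ in range(3))
    # 5.1: Bob splits q_b = r_a + r_c; two mult-to-sum runs between Alice and Carol.
    r_a = secrets.randbelow(q_b - 1) + 1
    r_c = q_b - r_a
    x1, y1 = mult_to_sum(q_a * r_a, q_c, rho)         # Alice holds x1, Carol y1
    x2, y2 = mult_to_sum(q_c * r_c, q_a, rho)         # Carol holds x2, Alice y2
    N = (x1 + y2 + y1 + x2) % mod                     # sum of the two broadcasts
    # 5.2: same with q_b - 1 = (r_a - 1) + r_c, giving phi(N) = phi_a + phi_c.
    x1, y1 = mult_to_sum((r_a - 1) * (q_a - 1), q_c - 1, rho)
    x2, y2 = mult_to_sum(r_c * (q_c - 1), q_a - 1, rho)
    phi_a, phi_c = (x1 + y2) % mod, (x2 + y1) % mod
    # 5.3: gamma = lambda*phi(N) + R*e, then invert e modulo gamma [22].
    for _ in range(8):                                # e | phi(N) makes every try fail
        lam_a, lam_c = secrets.randbits(6 * l), secrets.randbits(6 * l)   # ~N^2
        R_a, R_b, R_c = (secrets.randbits(9 * l) for _ in range(3))       # ~N^3
        R_a2 = secrets.randbelow(R_b + 1)             # Bob splits R_b = R'_a + R'_c
        x1, y1 = mult_to_sum(lam_a, phi_c, rho)       # Alice holds x1, Carol y1
        x2, y2 = mult_to_sum(lam_c, phi_a, rho)       # Carol holds x2, Alice y2
        g_a = (x1 + y2 + lam_a * phi_a + (R_a + R_a2) * e) % mod
        g_c = (x2 + y1 + lam_c * phi_c + (R_c + R_b - R_a2) * e) % mod
        gamma = (g_a + g_c) % mod
        if gcd(gamma, e) == 1:                        # else retry with fresh randomness
            break
    else:
        raise ValueError("e divides phi(N): regenerate the modulus")
    y = pow(e, -1, gamma)                             # extended Euclid: x*gamma + y*e = 1
    x = (1 - y * e) // gamma
    return N, e, [x * R_a + y, x * R_b, x * R_c], (q_a, q_b, q_c)

def partial_signature(m, d_i, N):
    """S_i = m^{d_i} mod N; a negative d_i makes Python invert m mod N first."""
    return pow(m, d_i, N)

def combine(partials, N):
    """S = product of the partial signatures mod N."""
    return reduce(lambda s, p: s * p % N, partials, 1)

def reshare_two_of_three(d_shares):
    """Section 5.5: for each pair X_j every party splits its d_i in two, one piece
    per member of X_j, and each member sums what it receives."""
    out = {}
    for pair in ((0, 1), (0, 2), (1, 2)):
        pieces = {pair[0]: 0, pair[1]: 0}
        for d_i in d_shares:
            mask = secrets.randbits(abs(d_i).bit_length() + 64)
            pieces[pair[0]] += mask
            pieces[pair[1]] += d_i - mask
        out[pair] = pieces
    return out
```

Calling `shared_keygen()` and then `combine([partial_signature(m, d, N) for d in shares], N)` yields S with $S^e \equiv m \pmod N$. The shares $d_i$ may be negative because $(x, y)$ come straight from the extended Euclidean algorithm; that is harmless for exponentiation modulo N, but note that no party can reduce its $d_i$ modulo $\phi(N)$, since none of them knows $\phi(N)$.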
Let the minimal set of qualified subsets $\Gamma_0$ be the set of all subsets of cardinality two, $\Gamma_0 = \{X_1, X_2, X_3\}$ with $X_1 = \{P_1, P_2\}$, $X_2 = \{P_1, P_3\}$ and $X_3 = \{P_2, P_3\}$. For each $X_j$, each party $P_i$, $i = 1, 2, 3$, splits her share $d_i$ of d into two pieces and gives one piece to each of the two parties in $X_j$. Each party in $X_j$ sums the pieces it received to obtain a new share of d. The resulting shares form a 2-out-of-3 secret sharing structure.

6 Conclusions

Distributed primality tests for checking the factors of an RSA modulus have always been considered a nightmare because of the time they take to succeed; an enormous number of trials must be performed before a suitable RSA modulus is established, and no previous RSA key generation protocol can generate a modulus that is a product of safe primes. In this paper we proposed a three-party RSA key generation protocol that overcomes these drawbacks: it establishes a suitable modulus on the first trial and can produce a modulus that is a product of three safe primes. The protocol extends easily to n > 3 parties, with the number of prime factors equal to n. The dark side of our protocol is that it is not secure in the two-party case.

References

[1] Desmedt, Y.: Threshold cryptography. European Transactions on Telecommunications and Related Technologies, Vol. 5, No. 4 (July-August 1994).
[2] Langford, S.: Threshold DSS signatures without a trusted party. In CRYPTO 95, LNCS 963, Springer-Verlag (1995).
[3] Gennaro, R.: Theory and Practice of Verifiable Secret Sharing. PhD thesis, Massachusetts Institute of Technology (MIT) (May 1996).
[4] Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. In Advances in Cryptology, Proc. EUROCRYPT 96, LNCS 1070, Springer (1996).
[5] Frankel, Y., Desmedt, Y.: Parallel reliable threshold multisignature. Technical Report, Univ. of Wisconsin-Milwaukee (1992).
[6] Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In CRYPTO 89, LNCS 435, Springer-Verlag (1990).
[7] Boneh, D., Franklin, M.: Efficient generation of shared RSA keys. In CRYPTO 97 (1997).
[8] Cocks, C.: Split knowledge generation of RSA parameters. In Cryptography and Coding, 6th IMA Conference, LNCS 1355, Springer-Verlag (1997).
[9] Blackburn, S., Blake-Wilson, S., Burmester, M., Galbraith, S.: Shared generation of shared RSA keys. Technical Report CORR 98-19, Department of Combinatorics and Optimization, University of Waterloo (1998).
[10] Frankel, Y., MacKenzie, P., Yung, M.: Robust efficient distributed RSA-key generation. In Proc. 30th STOC (1998).
[11] Poupard, G., Stern, J.: Generation of shared RSA keys by two parties. In ASIACRYPT 98 (1999).
[12] Gilboa, N.: Two party RSA key generation. In Proc. CRYPTO 99, LNCS 1666, Springer-Verlag (1999).
[13] Rabin, M.: How to exchange secrets by oblivious transfer. Technical Report TR-81, Harvard Aiken Computation Laboratory (1981).
[14] Gertner, Y., Ishai, Y., Kushilevitz, E., Malkin, T.: Protecting data privacy in information retrieval schemes. In Proc. 30th STOC (1998).
[15] Stern, J.: A new and efficient all-or-nothing disclosure of secrets protocol. In ASIACRYPT 98, Springer-Verlag (1998).
[16] Kushilevitz, E., Ostrovsky, R.: Single-database computationally private information retrieval. In Proc. 38th FOCS (1997).
[17] Cachin, C., Micali, S., Stadler, M.: Computationally private information retrieval with polylogarithmic communication. In Advances in Cryptology, EUROCRYPT 99 (1999).
[18] Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proc. 20th ACM Symposium on Theory of Computing (1988).
[19] Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. Journal of the ACM 45(6) (1998).
[20] Naor, M., Pinkas, B.: Oblivious transfer and polynomial evaluation. In Proc. 31st STOC (1999).
[21] Cocks, C.: Split generation of RSA parameters with multiple participants. Appears on the web.
[22] Catalano, D., Gennaro, R., Halevi, S.: Computing inverses over a shared secret modulus. In EUROCRYPT 00, LNCS 1807, Springer-Verlag (2000).
[23] Desmedt, Y.: Society and group oriented cryptography: a new concept. In Advances in Cryptology, Proc. CRYPTO 87, LNCS 293, Springer-Verlag (1988).
[24] Boneh, D., Horwitz, J.: Generating a product of three primes with an unknown factorization. In Proc. 3rd Algorithmic Number Theory Symposium (ANTS-III), Portland, USA (1998).
[25] Straub, T.: Efficient two party multi-prime RSA key generation. In Hamza, M. H. (ed.): Proc. IASTED International Conference on Communication, Network, and Information Security, New York.
[26] Wiener, M. J.: Cryptanalysis of short RSA secret exponents. IEEE Transactions on Information Theory, Vol. 36, No. 3 (May).
[27] Lenstra, A. K., Lenstra, H. W., Jr. (eds.): The Development of the Number Field Sieve. Lecture Notes in Mathematics 1554, Springer-Verlag, Berlin.
[28] Großschädl, J.: The Chinese remainder theorem and its application in a high-speed RSA crypto chip. In Proc. 16th Annual Computer Security Applications Conference, IEEE Computer Society Press.
[29] Ibrahim, M. H., Ali, I. A., Ibrahim, I. I., El-Sawy, A. H.: Fully distributed and robust threshold RSA function sharing efficient for small number of players. In Nedjah, N., de Macedo Mourelle, L. (eds.): Embedded Cryptographic Hardware: Methodologies and Architectures, Nova Science Publishers, New York (2004).


Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0

More information

4-3 A Survey on Oblivious Transfer Protocols

4-3 A Survey on Oblivious Transfer Protocols 4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44

More information

Theory of Computation Chapter 12: Cryptography

Theory of Computation Chapter 12: Cryptography Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption

More information

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,

More information

Secure Multiplication of Shared Secrets In The Exponent

Secure Multiplication of Shared Secrets In The Exponent Secure Multiplication of Shared Secrets In The Exponent Rosario Gennaro Mario Di Raimondo May 26, 2003 Abstract We present a new protocol for the following task. Given tow secrets a, b shared among n players,

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation

More information

Algorithmic Number Theory and Public-key Cryptography

Algorithmic Number Theory and Public-key Cryptography Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented

More information

A Fair and Efficient Solution to the Socialist Millionaires Problem

A Fair and Efficient Solution to the Socialist Millionaires Problem In Discrete Applied Mathematics, 111 (2001) 23 36. (Special issue on coding and cryptology) A Fair and Efficient Solution to the Socialist Millionaires Problem Fabrice Boudot a Berry Schoenmakers b Jacques

More information

Threshold Cryptography

Threshold Cryptography Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18

More information

Computationally Private Information Retrieval With Polylogarithmic Communication

Computationally Private Information Retrieval With Polylogarithmic Communication Computationally Private Information Retrieval With Polylogarithmic Communication Christian Cachin Silvio Micali Markus Stadler August 9, 1999 Abstract We present a single-database computationally private

More information

Abstract In a (k; n) threshold digital signature scheme, k out of n signers must cooperate to issue a signature. In this paper, we show an ecient (k;

Abstract In a (k; n) threshold digital signature scheme, k out of n signers must cooperate to issue a signature. In this paper, we show an ecient (k; New ElGamal Type Threshold Digital Signature Scheme Choonsik PARK y and Kaoru KUROSAWA z y Electronics and Telecommunications Research Institute, P.O.Box 106, Yusong-ku, Taejeon, 305-600, Korea z Tokyo

More information

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu

More information

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05

Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen

More information

Question: Total Points: Score:

Question: Total Points: Score: University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please

More information

A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol

A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol Christian L F Corniaux and Hossein Ghodosi James Cook University, Townsville QLD 4811, Australia chriscorniaux@myjcueduau, hosseinghodosi@jcueduau

More information

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part

More information

Introduction to Cryptography Lecture 13

Introduction to Cryptography Lecture 13 Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple

More information

A Simplified Approach to Threshold and Proactive RSA

A Simplified Approach to Threshold and Proactive RSA A Simplified Approach to Threshold and Proactive RSA Tal Rabin IBM T.J. Watson Research Center PO Box 704, Yorktown Heights, New York 10598 talr@watson.ibm.com Abstract. We present a solution to both the

More information

Privacy-preserving cooperative statistical analysis

Privacy-preserving cooperative statistical analysis Syracuse University SURFACE Electrical Engineering and Computer Science College of Engineering and Computer Science 2001 Privacy-preserving cooperative statistical analysis Wenliang Du Syracuse University,

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the

More information

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,

More information

Mathematics of Cryptography

Mathematics of Cryptography UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael

More information

Lecture 3,4: Multiparty Computation

Lecture 3,4: Multiparty Computation CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,

More information

Attacks on RSA & Using Asymmetric Crypto

Attacks on RSA & Using Asymmetric Crypto Attacks on RSA & Using Asymmetric Crypto Luke Anderson luke@lukeanderson.com.au 7 th April 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Breaking RSA 2.1 Chinese Remainder Theorem 2.2 Common

More information

Practice Assignment 2 Discussion 24/02/ /02/2018

Practice Assignment 2 Discussion 24/02/ /02/2018 German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption

More information

Cryptography IV: Asymmetric Ciphers

Cryptography IV: Asymmetric Ciphers Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline

More information

New Variant of ElGamal Signature Scheme

New Variant of ElGamal Signature Scheme Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,

More information

ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET

ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET J. Korean Math. Soc. 46 (2009), No. 1, pp. 59 69 ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET Jae Hong Seo, HyoJin Yoon, Seongan Lim, Jung Hee Cheon, and Dowon Hong Abstract. The element

More information

Universally Composable Multi-Party Computation with an Unreliable Common Reference String

Universally Composable Multi-Party Computation with an Unreliable Common Reference String Universally Composable Multi-Party Computation with an Unreliable Common Reference String Vipul Goyal 1 and Jonathan Katz 2 1 Department of Computer Science, UCLA vipul@cs.ucla.edu 2 Department of Computer

More information

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS Modular arithmetics that we have discussed in the previous lectures is very useful in Cryptography and Computer Science. Here we discuss several

More information

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

On the security of Jhanwar-Barua Identity-Based Encryption Scheme On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In

More information

14 Diffie-Hellman Key Agreement

14 Diffie-Hellman Key Agreement 14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n

More information

Cryptanalysis of a Knapsack Based Two-Lock Cryptosystem

Cryptanalysis of a Knapsack Based Two-Lock Cryptosystem Cryptanalysis of a Knapsack Based Two-Lock Cryptosystem Bin Zhang 1,2, Hongjun Wu 1, Dengguo Feng 2, and Feng Bao 1 1 Institute for Infocomm Research, Singapore 119613 2 State Key Laboratory of Information

More information

Chapter 4 Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for

More information

Asymmetric Cryptography

Asymmetric Cryptography Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 22 November 27, 2017 CPSC 467, Lecture 22 1/43 BBS Pseudorandom Sequence Generator Secret Splitting Shamir s Secret Splitting Scheme

More information

Secure Modulo Zero-Sum Randomness as Cryptographic Resource

Secure Modulo Zero-Sum Randomness as Cryptographic Resource Secure Modulo Zero-Sum Randomness as Cryptographic Resource Masahito Hayashi 12 and Takeshi Koshiba 3 1 Graduate School of Mathematics, Nagoya University masahito@math.nagoya-u.ac.jp 2 Centre for Quantum

More information

University Alexandru Ioan Cuza of Iaşi Faculty of Computer Science. Threshold RSA Based on the General Chinese Remainder Theorem

University Alexandru Ioan Cuza of Iaşi Faculty of Computer Science. Threshold RSA Based on the General Chinese Remainder Theorem University Alexandru Ioan Cuza of Iaşi Faculty of Computer Science T E C H N I C A L R E P O R T Threshold RSA Based on the General Chinese Remainder Theorem Sorin Iftene TR 05-05, August 2005 ISSN 1224-9327

More information

On Two Round Rerunnable MPC Protocols

On Two Round Rerunnable MPC Protocols On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted

More information

An Anonymous Authentication Scheme for Trusted Computing Platform

An Anonymous Authentication Scheme for Trusted Computing Platform An Anonymous Authentication Scheme for Trusted Computing Platform He Ge Abstract. The Trusted Computing Platform is the industrial initiative to implement computer security. However, privacy protection

More information

Lecture 38: Secure Multi-party Computation MPC

Lecture 38: Secure Multi-party Computation MPC Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party

More information

Privacy Preserving Multiset Union with ElGamal Encryption

Privacy Preserving Multiset Union with ElGamal Encryption Privacy Preserving Multiset Union with ElGamal Encryption Jeongdae Hong 1, Jung Woo Kim 1, and Jihye Kim 2 and Kunsoo Park 1, and Jung Hee Cheon 3 1 School of Computer Science and Engineering, Seoul National

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

THE CUBIC PUBLIC-KEY TRANSFORMATION*

THE CUBIC PUBLIC-KEY TRANSFORMATION* CIRCUITS SYSTEMS SIGNAL PROCESSING c Birkhäuser Boston (2007) VOL. 26, NO. 3, 2007, PP. 353 359 DOI: 10.1007/s00034-006-0309-x THE CUBIC PUBLIC-KEY TRANSFORMATION* Subhash Kak 1 Abstract. This note proposes

More information

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park in

More information

Linear Integer Secret Sharing and Distributed Exponentiation

Linear Integer Secret Sharing and Distributed Exponentiation Linear Integer Secret Sharing and Distributed Exponentiation Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We introduce the notion of Linear Integer Secret-Sharing

More information

CIS 551 / TCOM 401 Computer and Network Security

CIS 551 / TCOM 401 Computer and Network Security CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It

More information

Lecture V : Public Key Cryptography

Lecture V : Public Key Cryptography Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional

More information

Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors

Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors Yingpeng Sang, Hong Shen School of Computer Science The University of Adelaide Adelaide, South Australia, 5005, Australia

More information

Multi-Party Computation with Conversion of Secret Sharing

Multi-Party Computation with Conversion of Secret Sharing Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots

More information

INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING

INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING Changlu Lin State Key Lab. of Information Security, Graduate University of Chinese Academy of Sciences, China Key Lab. of Network Security

More information

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * 2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS

More information

Compartmented Threshold RSA Based on the Chinese Remainder Theorem

Compartmented Threshold RSA Based on the Chinese Remainder Theorem Compartmented Threshold RSA Based on the Chinese Remainder Theorem Sorin Iftene Department of Computer Science, Al. I. Cuza University, 700483 Iasi, Romania siftene@info.uaic.ro Manuela Grindei LSV, ENS

More information

How many rounds can Random Selection handle?

How many rounds can Random Selection handle? How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.

More information

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation

More information

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Encryption: ElGamal, RSA, Rabin Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption

More information

Fast Distributed RSA Key Generation for Semi-Honest and Malicious Adversaries

Fast Distributed RSA Key Generation for Semi-Honest and Malicious Adversaries Fast Distributed RSA Key Generation for Semi-Honest and Malicious Adversaries Tore Kasper Frederiksen 1, Yehuda Lindell 2,3, Valery Osheter 3, and Benny Pinkas 2 1 Security Lab, Alexandra Institute, Denmark

More information

Sealed-bid Auctions with Efficient Bids

Sealed-bid Auctions with Efficient Bids Sealed-bid Auctions with Efficient Bids Toru Nakanishi, Daisuke Yamamoto, and Yuji Sugiyama Department of Communication Network Engineering, Faculty of Engineering, Okayama University 3-1-1 Tsushima-naka,

More information

A New Attack on RSA with Two or Three Decryption Exponents

A New Attack on RSA with Two or Three Decryption Exponents A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj

More information

Chapter 8 Public-key Cryptography and Digital Signatures

Chapter 8 Public-key Cryptography and Digital Signatures Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital

More information

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates. COMS W4995 Introduction to Cryptography October 12, 2005 Lecture 12: RSA, and a summary of One Way Function Candidates. Lecturer: Tal Malkin Scribes: Justin Cranshaw and Mike Verbalis 1 Introduction In

More information

Linear Integer Secret Sharing and Distributed Exponentiation

Linear Integer Secret Sharing and Distributed Exponentiation Linear Integer Secret Sharing and Distributed Exponentiation Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We introduce the notion of Linear Integer Secret-Sharing

More information

Two-Party Generation of DSA Signatures

Two-Party Generation of DSA Signatures Two-Party Generation of DSA Signatures (Extended Abstract) Philip MacKenzie and Michael K. Reiter Bell Labs, Lucent Technologies, Murray Hill, NJ, USA Abstract. We describe a means of sharing the DSA signature

More information

Robust Operations. Yvo Desmedt. Department of Computer Science, University College London, United Kingdom

Robust Operations. Yvo Desmedt. Department of Computer Science, University College London, United Kingdom Robust Operations Yvo Desmedt Department of Computer Science, University College London, United Kingdom Abstract Operations under malicious attack are usually studied in a very narrow context. The typical

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem

More information

Complete Fairness in Multi-Party Computation Without an Honest Majority

Complete Fairness in Multi-Party Computation Without an Honest Majority Complete Fairness in Multi-Party Computation Without an Honest Maority Samuel Dov Gordon Abstract A well-known result of Cleve shows that complete fairness is impossible, in general, without an honest

More information