University Alexandru Ioan Cuza of Iaşi Faculty of Computer Science. Threshold RSA Based on the General Chinese Remainder Theorem

Transcription

1 University Alexandru Ioan Cuza of Iaşi Faculty of Computer Science T E C H N I C A L R E P O R T Threshold RSA Based on the General Chinese Remainder Theorem Sorin Iftene TR 05-05, August 2005 ISSN Universitatea Alexandru Ioan Cuza Iaşi Facultatea de Informatică Str. Berthelot 16, 6600-Iaşi, Romania Tel , bibl@infoiasi.ro

2 Threshold RSA Based on the General Chinese Remainder Theorem Sorin Iftene Faculty of Computer Science Al. I. Cuza University Iaşi, Romania Abstract. In this paper we combine the threshold secret sharing schemes based on the general Chinese remainder theorem with the RSA cryptosystem in order to get threshold decryption or signature generation, as an alternative to the classical solutions based on the Shamir s threshold secret sharing scheme. AMS Subject Classification: 94A60, 94A62, 11A07 Keywords and phrases: threshold cryptography, secret sharing, Chinese remainder theorem 1 Introduction and Preliminaries In threshold (or group-oriented) cryptography (see, for example, [7]), the capacity of performing cryptographic operations such as decryption or digital signature generation is shared among members of a certain group. This can be achieved by combining multiplicative secret sharing schemes with homomorphic cryptographic operations. In this paper we focus on threshold RSA decryption and threshold RSA digital signature generation. More exactly, we combine the threshold secret sharing schemes based on the Chinese remainder theorem (CRT) with the RSA cryptosystem, as an alternative to the classical solutions based on the Shamir s threshold secret sharing scheme. The paper is organized as follows. The rest of this section is dedicated to some preliminaries on number theory, focusing on the CRT. We survey the threshold secret sharing schemes based on the CRT in Section 2. The RSA cryptosystem and digital signature scheme are presented in Section 3. Moreover, in this section we combine the threshold secret sharing schemes based on the general CRT with the RSA cryptosystem in order to get threshold decryption or signature generation. The last section concludes the paper. We recall a few basic facts on number theory (for more details, the reader is referred to [4]). Let a,b Z such that b 0. The quotient of integer division of a by b will be denoted by a div b and the remainder will be denoted by a mod b. In the case a mod b = 0 we will say that b is a divisor of a and denote this by b a. Let a 1,...,a n Z such that a a2 n 0. The greatest common divisor (gcd) of a 1,...,a n will be denoted by (a 1,...,a n ). It is well-known that there exist α 1,...,α n Z such that α 1 a α n a n = (a 1,...,a n ) (this is the linear form of the gcd).

3 Let a 1,...,a n Z such that a 1 a n 0. The least common multiple (lcm) of a 1,...,a n will be denoted by [a 1,...,a n ]. For a given sequence of integers m 1,...,m n and a set 1 A P({1,...,n}), [A] stands for the lcm of the elements m i, for i A. Z m is the set {0,1,...,m 1}, Z m stands for the set {a Z m (a,m) = 1} and φ(m) denotes the cardinality of the set Z m, for all m 2. Let a,b,m Z. We say that a and b are congruent modulo m, denoted by a b mod m, if m (a b). It is easy to see that a mod b a mod m, for any a,b,m Z such that m b. Let m = p q, where p and q are distinct primes. An important result that will be used in this paper is that x a x b mod m, for any positive integers x, a 0, and b 0 such that a b mod [p 1,q 1]. As a particular case we obtain x a x a mod [p 1,q 1] mod m, for any positive integer a 0, providing that a mod [p 1,q 1] 0. The Chinese remainder theorem (CRT) has many applications in computer science (see, for example, [11]). We only mention its applications to the RSA decryption algorithm as proposed by Quisquater and Couvreur [20], the discrete logarithm algorithm as proposed by Pohlig and Hellman [19], and the algorithm for recovering the secret in the Mignotte s threshold secret sharing scheme [17] or in its generalization [15], or in the Asmuth-Bloom threshold secret sharing scheme [1]. Several versions of the CRT have been proposed. The next one is called the general CRT [18]: Theorem 1. Let k 2, m 1,...,m k 2, and b 1,...,b k Z. The system of equations x b 1 mod m 1. x b k mod m k has solutions in Z if and only if b i b j mod (m i,m j ) for all 1 i,j k. Moreover, if the above system of equations has solutions in Z, then it has an unique solution in Z [m1,...,m k ]. When (m i,m j ) = 1, for all 1 i < j k, one gets the standard version of the CRT. Garner [13] found an efficient algorithm for this case and Fraenkel [12] extended it to the general case. 2 Threshold Secret Sharing Schemes Based on the CRT We first present some basic facts about secret sharing schemes and then briefly discuss the threshold secret sharing schemes based on the CRT. 1 P({1,..., n}) denotes the powerset of {1,..., n}, i.e., the set of all subsets of {1,...,n}

4 2.1 Secret Sharing A secret sharing scheme starts with a secret and then derives from it certain shares (or shadows). The secret may be recovered only in the case of possessing a certain predetermined set of shares. Applications of secret sharing include safeguarding cryptographic keys and shared access to strategical resources. Threshold cryptography (see, for example, [7]) and some e-voting schemes (see, for example, [5]) are more recent applications of the secret sharing schemes. In the first secret sharing schemes only the cardinality of the sets of shares was important for recovering the secret. Such schemes have been referred to as threshold secret sharing schemes. We mention Shamir s threshold secret sharing scheme [23] based on polynomial interpolation, Blakley s geometric threshold secret sharing scheme [3], Mignotte s threshold secret sharing scheme [17], and Asmuth-Bloom threshold secret sharing scheme [1], both based on the CRT. Ito, Saito, and Nishizeki [16], Benaloh and Leichter [2] proposed constructions for more general secret sharing schemes. Definition 1. Let n be an integer, n 2 and A P({1,2,...,n}). An A-secret sharing scheme is a method of generating (S,(I 1,...,I n )) such that for any A A, the problem of finding the element S, given the set {I i i A}, is easy ; for any A P({1,2,...,n}) \ A, the problem of finding the element S, given the set {I i i A}, is intractable. The set A will be referred to as the authorized access structure or simply as the access structure, S will be referred to as the secret, and I 1,...,I n will be referred to as the shares (or the shadows) of S. The elements of the set A will be referred to as the authorized access sets of the scheme. A natural condition is that an access structure A is monotone, i.e., ( B P({1,2,...,n}))(( A A)(A B) B A) In this case, the access structure A is well specified by the set of the minimal authorized access sets, i.e., the set A min = {A A ( B A\{A})( B A)}. Also, the unauthorized access structure A, A = P({1,2,...,n}) \ A, is well specified by the set of the maximal unauthorized access sets, i.e., the set A max = {A A ( B A \ {A})( A B)}. In this paper we shall only use threshold secret sharing schemes. In these schemes, only the cardinality of the sets of shares is important for recovering the secret. More exactly, if the required threshold is k, 2 k n, the authorized access structure is A = {A P({1,2,...,n}) A k} and the corresponding minimal access structure is A min = {A P({1,2,...,n}) A = k}. In this case, an A-secret sharing scheme will be referred to as an (k,n)-threshold secret sharing scheme. The multiplicative threshold secret sharing schemes were introduced in [8]. We present here a slight version of the definition given in [8].

5 Definition 2. Let D secret be the set of possible secrets, D shares be the set of possible shares and let be an associative and commutative binary operation over D secret. We say that an A-secret sharing scheme is multiplicative with respect to if for any set A A there is a family of public functions (f (i,a) i A) from D shares to D secret such that S = i A f (i,a) (I i ) As we shall see in Section 3, this property of secret sharing schemes can be used in designing threshold cryptographic primitives. 2.2 Mignotte s Threshold Secret Sharing scheme Mignotte s threshold secret sharing scheme [17] uses special sequences of integers, referred to as the Mignotte sequences. Definition 3. Let n be an integer, n 2, and 2 k n. An (k,n)-mignotte sequence is a sequence of positive integers m 1 < < m n such that (m i,m j ) = 1, for all 1 i < j n, and m n k+2 m n < m 1 m k. Given an (k,n)-mignotte sequence, the scheme works as follows: The secret S is chosen as a random integer such that β < S < α, where α = m 1 m k and β = m n k+2 m n ; The shares I i are chosen by I i = S mod m i, for all 1 i n; Given k distinct shares I i1,...,i ik, the secret S is recovered using the standard CRT, as the unique solution modulo m i1 m ik of the system x I i1 mod m i1. x I ik mod m ik A generalization of Mignotte s scheme by allowing modules that are not necessarily pairwise coprime was proposed in [15], by introducing generalized Mignotte sequences. Definition 4. Let n be an integer, n 2, and 2 k n. A generalized (k,n)-mignotte sequence is a sequence m 1,...,m n of positive integers such that max 1 i1 < <i k 1 n([{i 1,...,i k 1 }]) < min 1 i1 < <i k n([{i 1,...,i k }]) It is easy to see that every (k, n)-mignotte sequence is a generalized (k, n)-mignotte sequence. Moreover, if we multiply every element of an (k, n)-mignotte sequence by a fixed element δ Z, (δ,m 1 m n ) = 1, we obtain a generalized (k,n)-mignotte sequence. Generalized Mignotte s scheme works like Mignotte s scheme, except for the fact that α = min 1 i1 < <i k n([{i 1,...,i k }]) and β = max 1 i1 < <i k 1 n([{i 1,...,i k 1 }]). Moreover, in this case, the general CRT must be used for recovering the secret.

6 2.3 Asmuth-Bloom Threshold Secret Sharing Scheme This scheme, proposed by Asmuth and Bloom in [1], also uses special sequences of integers. More exactly, a sequence of pairwise coprime positive integers r,m 1 < < m n is chosen such that r m n k+2 m n < m 1 m k Given such a sequence, the scheme works as follows: The secret S is chosen as a random element of the set Z r ; The shares I i are chosen by I i = (S + γ r) mod m i, for all 1 i n, where γ is an arbitrary integer such that S + γ r Z m1 m k ; Given k distinct shares I i1,...,i ik, the secret S can be obtained as S = x 0 mod r, where x 0 is obtained, using the standard CRT, as the unique solution modulo m i1 m ik of the system x I i1 mod m i1. x I ik mod m ik The sequences used in the Asmuth-Bloom scheme can be generalized by allowing modules that are not necessarily pairwise coprime in an obvious manner. We can use any sequence r,m 1,,m n such that r max 1 i1 < <i k 1 n([{i 1,...,i k 1 }]) < min 1 i1 < <i k n([{i 1,...,i k }]) It is easy to see that if we multiply every element of an ordinary Asmuth-Bloom sequence excepting r with a fixed element δ Z, (δ,m 1 m n ) = 1, we obtain a generalized Asmuth-Bloom sequence. The application of the CRT in threshold secret sharing have been also discussed in [14] and an unitary point of view on the security of the threshold secret sharing schemes based on the CRT was presented in [21]. 3 Threshold RSA Based on the General CRT In [22], Rivest, Shamir, and Adleman have proposed the following public-key cryptosystem, known as the RSA cryptosystem: public key: (m,e), where m = p q, p and q are distinct primes, and e Z φ(m) ; private key: (p,q,d), where d is a positive integer such that e d 1 mod φ(m); encryption: a plaintext x Z m is encrypted as y = x e mod m; decryption: a cryptotext y Z m is decrypted as x = y d mod m. The RSA cryptosystem can be used as a digital signature as follows: public key and private key: as above;

7 signature generation: the digital signature corresponding to a message x Z m is y = x d mod m; signature verification: having a pair (x,y) Z m Z m, y is the correct signature with respect to x if and only if x = y e mod m. The correctness of the cryptosystem and of the digital signature scheme is based on the fact that x ed x mod m, for all x Z m and e,d,m as above. The security of the RSA cryptosystem relies on the intractibility of factoring. For the threshold feature, the shares corresponding to the secret exponent d from the RSA cryptosystem are derived using a multiplicative secret sharing scheme by a dealer who must be a mutually trusted party. Afterwards, the dealer securely distributes the shares to the users. If an authorized group of users want to cooperate in computing x d mod m, for some x Z m, they individually compute results of form x f (i,a)(i i ) mod m and send them to a combiner who will compute the final result. In this way, the secret exponent will not be revealed to the members of the group or to the combiner. In [9], Desmedt and Frankel have raised the problem of threshold RSA. They have remarked that Shamir s threshold secret sharing scheme can not be used directly for this purpose because Lagrange interpolation requires a field structure. Desmedt and Frankel have reconsidered this problem in [10], giving a solution in the case that p and q are safe primes, i.e., p = 2p + 1 and q = 2q + 1 with p and q primes. Shoup [24] also presented a solution in the case that p and q are safe primes, and Damgård and Dupont described in [6] an efficient solution for general modules, all these methods being based on Shamir s threshold secret sharing scheme. We will show how to accomplish threshold RSA using the generalized Mignotte threshold secret sharing scheme. This scheme is multiplicative in the sense that the secret can be expressed, according to [18], as: S = i Af (i,a) (I i ) mod [A], where the function f (i,a) : Z Z is given by where f (i,a) (x) = λ (i,a) (µ (i,a) mod [A])x, - λ (i,a) = [A] m i (remark that these numbers are coprime); - the numbers µ (i,a) are arbitrary positive integers that satisfy λ (i,a) µ (i,a) = 1, i A

8 for every authorized set A and for all i A. Let I 1,...,I n be the shadows corresponding to the secret d using a generalized (k,n)- Mignotte scheme based on the sequence m 1,...,m n. The main problem is how to combine x f (i,a)(i i ) mod m for some authorized access set A in order to obtain x d mod m. One elegant solution to this problem is to choose the sequence m 1,...,m n such that [p 1,q 1] [A], for any authorized set A. In this case, using the form of d and the properties presented in the first section, we obtain x d mod m = x i A f (i,a)(i i ) mod [A] mod m = x i A f (i,a)(i i ) mod m = i A xf (i,a)(i i ) mod m = i A(x f (i,a)(i i ) mod m) mod m, for any authorized set A. The sequence m 1,...,m n can be obtained by multiplying every element of an ordinary Mignotte sequence m 1,...,m n with [p 1,q 1], providing that ([p 1,q 1],m 1 m n ) = 1. Example 1. (with artificial small parameters) Let m = 481, p = 13, q = 37, d = 401, x = 39, n = 3 and k = 2. Let consider the numbers m 1 = 180, m 2 = 252 and m 3 = 396. The sequence m 1,m 2,m 3 is indeed a generalized (2,3)-Mignotte sequence that satisfies that [p 1,q 1] divides [m 1,m 2 ], [m 1,m 3 ] and [m 2,m 3 ]. The shares corresponding to the secret d are I 1 = 41, I 2 = 149 and I 3 = 5. Suppose that we want to compute the value y = x d mod m having I 1 and I 3. In this case, because d = ( ) mod 1980, y can be obtained as ( mod 481) ( mod 481) mod 481, which leads to the correct result y = 143. Next, we will show how to accomplish threshold RSA using the generalized Asmuth- Bloom threshold secret sharing scheme. This scheme is also multiplicative in the sense that the secret can be expressed as: S = ( i Af (i,a) (I i ) mod [A]) mod r, where the functions f (i,a) : Z Z are defined as above, for every authorized set A and for all i A. We may choose the sequence r,m 1,...,m n such that [p 1,q 1] r and [p 1,q 1] [A], for any authorized set A. In this case, using the form of d and the properties presented in the first section, we obtain x d mod m = i A(x f (i,a)(i i ) mod m) mod m

9 Example 2. (with artificial small parameters) Let m = 481, p = 13, q = 37, d = 71, x = 39, n = 3 and k = 2. Let consider the numbers r = 72, m 1 = 4068, m 2 = 4572 and m 3 = The sequence r,m 1,m 2,m 3 is indeed a generalized (2, 3)-Asmuth-Bloom sequence that satisfies that [p 1, q 1] divides r, [m 1,m 2 ], [m 1,m 3 ] and [m 2,m 3 ]. If we choose γ = 150, the shares corresponding to the secret d are I 1 = 2735, I 2 = 1727 and I 3 = Suppose that we want to compute the value y = x d mod m having I 2 and I 3. In this case, because y can be obtained as d = (( ) mod ) mod 72, ( mod 481) ( mod 481) mod 481, which leads to the correct result y = 130. It is important to remark that the modules used in the schemes above can not be pairwise prime and, thus, the threshold secret sharing schemes based on the general variant of the CRT must be used. As we have seen in the first section, x a x a mod [p 1,q 1] mod m, for any positive integer a 0 proving that amod [p 1,q 1] 0. Thus, for a more efficient computation of the individual exponentiations, the computation of the corresponding exponents may be performed modulo [p 1, q 1], providing that the resulted reduced exponents are non-zero. This is the case of Example 1 and Example 2, where the final results can be, respectively, obtained as ( mod 36 mod 481) ( mod 36 mod 481) mod 481, ( mod 36 mod 481) ( mod 36 mod 481) mod 481 Unfortunately, in this case, the value [p 1,q 1] must be revealed to the users, thus compromising the security of the scheme. 4 Conclusions We have discussed the possibility of accomplishing threshold RSA using as building blocks the threshold secret sharing schemes based on the CRT, as an alternative to the classical solutions based on the Shamir s threshold secret sharing scheme. We have also remarked that modules used in these schemes can not be pairwise prime and, thus, the threshold secret sharing schemes based on the general CRT must be used.

10 An interesting open problem is the problem to efficiently generate generalized Mignotte or Asmuth-Blom sequences suitable for threshold RSA. We shall consider this problem in our future work. Acknowledgements Research reported here was partially supported by the National University Research Council of Romania under the grant CNCSIS632/2005. References 1. C. A. Asmuth and J. Bloom. A modular approach to key safeguarding. IEEE Transactions on Information Theory, IT-29(2): , J. Benaloh and J. Leichter. Generalized secret sharing and monotone functions. In S. Goldwasser, editor, Advanced in Cryptology-CRYPTO 88, volume 403 of Lecture Notes in Computer Science, pages Springer-Verlag, G. R. Blakley. Safeguarding cryptographic keys. In National Computer Conference, 1979, volume 48 of American Federation of Information Processing Societies Proceedings, pages , H. Cohen. A Course in Computational Algebraic Number Theory. Graduate Texts in Mathematics. Springer-Verlag, 4th edition, R. Cramer, M. K. Franklin, B. Schoenmakers, and M. Yung. Multi-authority secret-ballot elections with linear work. In U. Maurer, editor, Advances in Cryptology - EuroCrypt 96, volume 1070 of Lecture Notes in Computer Science, pages Springer-Verlag, I. Damgård and K. Dupont. Efficient threshold RSA signatures with general moduli and no extra assumptions. In S. Vaudenay, editor, Public Key Cryptography - PKC 2005, 8th International Workshop on Theory and Practice in Public Key Cryptography, volume 3386 of Lecture Notes in Computer Science, pages Springer, Y. Desmedt. Some recent research aspects of threshold cryptography. In E. Okamoto, G. I. Davida, and M. Mambo, editors, ISW 97: Proceedings of the First International Workshop on Information Security, volume 1396 of Lecture Notes in Computer Science, pages Springer-Verlag, Y. Desmedt, G. Di Crescenzo, and M. Burmester. Multiplicative non-abelian sharing schemes and their applications to threshold cryptography. In J. Pieprzyk and R. Safavi-Naini, editors, Advances in Cryptology - Asiacrypt 94, volume 917 of Lecture Notes in Computer Science Volume, pages Springer-Verlag, Y. Desmedt and Y. Frankel. Threshold cryptosystems. In G. Brassard, editor, Advances in Cryptology - Crypto 89, volume 435 of Lecture Notes in Computer Science, pages Springer-Verlag, Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology - Crypto 91, volume 576 of Lecture Notes in Computer Science, pages Springer-Verlag, C. Ding, D. Pei, and A. Salomaa. Chinese remainder theorem: applications in computing, coding, cryptography. World Scientific Publishing Co., Inc., A. S. Fraenkel. New proof of the generalized Chinese remainder theorem. Proceedings of American Mathematical Society, 14: , H. Garner. The residue number system. IRE Transactions on Electronic Computers, EC-8: , O. Goldreich, D. Ron, and M. Sudan. Chinese remaindering with errors. IEEE Transactions on Information Theory, IT-46(4): , S. Iftene. A generalization of Mignotte s secret sharing scheme. In T. Jebelean, V. Negru, D. Petcu, and D. Zaharie, editors, Proceedings of the 6th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, Timisoara, Romania, September, 2004, pages , M. Ito, A. Saito, and T. Nishizeki. Secret sharing scheme realizing general access structure. In Proceedings of the IEEE Global Telecommunications Conference, Globecom 87, pages IEEE Press, 1987.

11 17. M. Mignotte. How to share a secret. In T. Beth, editor, Cryptography-Proceedings of the Workshop on Cryptography, Burg Feuerstein, 1982, volume 149 of Lecture Notes in Computer Science, pages Springer-Verlag, O. Ore. The general Chinese remainder theorem. American Mathematical Monthly, 59: , S. C. Pohlig and M. E. Hellman. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory, 24: , J.-J. Quisquater and C. Couvreur. Fast decipherment algorithm for the RSA public-key cryptosystem. IEE Electronics Letters, 18 (21): , M. Quisquater, B. Preneel, and J. Vandewalle. On the security of the threshold scheme based on the Chinese remainder theorem. In D. Naccache and P. Paillier, editors, Public Key Cryptography, 5th International Workshop on Practice and Theory in Public Key Cryptosystems, PKC 2002, volume 2274 of Lecture Notes in Computer Science, pages Springer-Verlag, R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2): , A. Shamir. How to share a secret. Communications of the ACM, 22(11): , V. Shoup. Practical threshold signatures. In B. Preneel, editor, Advances in Cryptology - EURO- CRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages Springer-Verlag, 2000.