Non-Interactive Provably Secure Attestations for Arbitrary RSA Prime Generation Algorithms

Similar documents
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95

Lecture 1: Introduction to Public key cryptography

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Comparing With RSA. 1 ucl Crypto Group

A New RSA-Based Signature Scheme

Provable security. Michel Abdalla

Fault Attacks Against emv Signatures

Algorithmic Number Theory and Public-key Cryptography

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

5199/IOC5063 Theory of Cryptology, 2014 Fall

The security of RSA (part 1) The security of RSA (part 1)

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Secure and Practical Identity-Based Encryption

Cryptography IV: Asymmetric Ciphers

Pseudo-random Number Generation. Qiuliang Tang

Threshold Undeniable RSA Signature Scheme

Foundations of Network and Computer Security

Aspect of Prime Numbers in Public Key Cryptosystem

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Notes on Zero Knowledge

Linear Bandwidth Naccache-Stern Encryption

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Cryptographie basée sur les codes correcteurs d erreurs et arithmétique

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Robust Password- Protected Secret Sharing

Cryptographical Security in the Quantum Random Oracle Model

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

How to Use Linear Homomorphic Signature in Network Coding

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Asymmetric Encryption

Public-Key Cryptosystems CHAPTER 4

Classical hardness of the Learning with Errors problem

RSA and Rabin Signatures Signcryption

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

THE CUBIC PUBLIC-KEY TRANSFORMATION*

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Semantic Security of RSA. Semantic Security

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Public Key Algorithms

CS 355: Topics in Cryptography Spring Problem Set 5.

XMX: A Firmware-oriented Block Cipher Based on Modular Multiplications

Public-key Cryptography and elliptic curves

Security Protocols and Application Final Exam

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Cryptography and Security Final Exam

Key Recovery on Hidden Monomial Multivariate Schemes

Introduction to Modern Cryptography. Benny Chor

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lattice-Based Fault Attacks on RSA Signatures

Regulating the Pace of von Neumann Correctors

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

during signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech

New attacks on RSA with Moduli N = p r q

Divisible E-cash Made Practical

Factoring and RSA Codes using DERIVE Johann Wiesenbauer, Technical Univ. of Vienna,

CPSC 467b: Cryptography and Computer Security

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Practice Assignment 2 Discussion 24/02/ /02/2018

arxiv: v1 [cs.it] 1 Sep 2015

Lecture 10 - MAC s continued, hash & MAC

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Slow Motion Zero Knowledge Identifying With Colliding Commitments

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Lecture 4 - Computational Indistinguishability, Pseudorandom Generators

DATA PRIVACY AND SECURITY

Threshold RSA for Dynamic and Ad-Hoc Groups

New Attacks against Standardized MACs

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Question: Total Points: Score:

Introduction to Modern Cryptography. Benny Chor

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Cryptography and Security Midterm Exam

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

The Polynomial Composition Problem in (Z/nZ)[X]

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Public Key Cryptography

Dr George Danezis University College London, UK

Introduction to Cryptography. Susan Hohenberger

Proving that a Number is the Product of Two Safe Primes 107 entity as well. An example of groups used in such schemes are subgroups of Z n. Here, it s

The Polynomial Composition Problem in (Z/nZ)[X]

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

A New Attack on RSA with Two or Three Decryption Exponents

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Efficient Smooth Projective Hash Functions and Applications

Mathematics of Cryptography

A New Knapsack Public-Key Cryptosystem Based on Permutation Combination Algorithm

Notes for Lecture 9. 1 Combining Encryption and Authentication

True & Deterministic Random Number Generators

Cramer-Damgård Signatures Revisited: Efficient Flat-Tree Signatures Based on Factoring

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Cryptographic Hash Functions

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Security Proofs for Signature Schemes. Ecole Normale Superieure. 45, rue d'ulm Paris Cedex 05

Transcription:

Non-Interactive Provably Secure Attestations for Arbitrary RSA Prime Generation Algorithms Fabrice Benhamouda Houda Ferradi Rémi Géraud David Naccache École Normale Supérieure Équipe de cryptographie, 45 rue d Ulm, f-75230 Paris cedex 05, France January 4, 2016 enhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 1 / 17

Context The Certification Authority s Cornelian Dilemma: The Cornelian dilemma is named after French dramatist Pierre Corneille, in whose play Le Cid (1636) Rodrigue, is torn between the love of Chimene, or avenging his family, who have been wronged by Chimene s father. Rodrigue can either seek revenge and lose his beloved, or renounce revenge and lose his honour: thus embodying the Cornelian Dilemma. All today s Certification Authorities face a Cornelian Dilemma: Either certify potentially insecure RSA keys or... learn the key s factors and hence render these keys insecure. Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 2 / 17

This Proposal Solve the certification authority s Cornelian Dilemma. A totally new way to test a match without lighting it! Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 3 / 17

Prior Work The first ad hoc modulus attestation scheme was introduced by Van de Graff and Peralta and consists in proving that n is a Blum integer without revealing its factors. Boyar, Friedl and Lund present a proof that n is square-free. Gennaro, Micciancio and Rabin present a protocol proving that n is the product of two quasi-safe primes 1 Camenisch and Michels give an NIZK proof that n is a product of two safe primes. Juels and Guajardo introduce a proof for RSA key generation with verifiable randomness. Micali, Boneh, Chan, and Mao describe different protocols proving that n is the product of two primes p and q, without leaking anything on p, q but their primality. 1 A prime p is quasi-safe if p = 2u a + 1 for a prime u and some integer a. Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 4 / 17

Our Contribution A user generates an RSA modulus n and wants a CA to certify it. The CA wants to check that n was properly generated. We want this done without the CA learning the factors of n. A typical application: Users want to check that a PKI s root PK was properly generated before relying on this CA s PKI. In general: How to ascertain, before using or certifying an RSA public-key that this public-key was properly generated? Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 5 / 17

Desired Features We wish the modulus attestation scheme to be: Generic: Work for any prime number generation algorithm G. Secretless: n is provided with an attestation ω n that can be verified by everybody without knowing any secret. Non-interactive: ω n,n can be checked without any interaction with the creator of n. Compact: The size of ω n should be manageable, i.e. polynomial in log n. Efficient: Calculations for creating or verifying an attestation must remain manageable. Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 6 / 17

Our approach The proposed attestation method is based on the following idea: fix k 2, generate k random numbers r 1,..., r k and define h i = H(i, r i ) where H denotes a hash function. Let p i = G(h i ) and: N = Define (X 1, X 2 ) = H 2 (N), where H 2 is a hash function which outputs two indices 1 X 1 < X 2 k. This defines n = p X1 p X2 and k i=1 ω n = {r 1, r 2,..., r X1 1,, r X1+1,..., r X2 1,, r X2+1,..., r k } Here, a denotes a placeholder used to skip one index. The data ω n is called the attestation of n. The algorithm A used to obtain ω n is called an attestator. The attestation process is illustrated in the next slide. p i Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 7 / 17

The Approach Used to Generate and Validate an Attestation The choice of the r i determines N, which is split into two parts: n and N/n. Splitting is determined by d, which is the digest of N, and is hence unpredictable for the opponent. Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 8 / 17

The Attestator A Input: r 1,..., r k Output: n, ω n N 1 for all i = 1 to k do h i H(i, r i ) p i G (h i ) N N p i end for (X 1, X 2 ) H 2 (N) ω n {r 1,..., r X1 1,, r X1+1,..., r X2 1,, r X2+1,..., r k } n p X1 p X2 return n, ω n Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 9 / 17

The Validator V Input: n, ω n Output: True or False N n for all r i in ω n do h i H(i, r i ) p i G (h i ) N N p i end for (X 1, X 2 ) H 2 (N) if r X1 = and r X2 = and #{r i ω n s.t. r i = } = 2 then return True else return False end if Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 10 / 17

The Issue: Efficiency! Selecting only two primes out of k makes attacks easy. Indeed, the attacker must only bet on two indices amongst k, i.e. his success probability is 2 k(k 1). In addition, this is the success probability per trial and attestations are not an interactive experiments, hence with sufficient computing power this can be broken even if k is made very large (say 1,000,000). To overcome this we propose two approaches: Use moduli with more than l = 2 prime factors. Use more than u = 1 modulus for signing or encrypting the same message. Different (l, u) parameters allow to reach sufficient security. Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 11 / 17

Multi-Factor Moduli It suffices to have only two properly generated factors to make n secure for RSA encryption and signature. Advantage: Security grows quickly with the number of factors (details in the paper). Disadvantage: Working with bigger moduli slows-down multiplications quadratically (and exponentions cubically). We hence buy security at the price of slower execution. Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 12 / 17

Using Several Moduli It suffices to have only one properly generated modulus to perform secure RSA encryption and signature. Advantage: Again; security grows quickly with the number of moduli (details in the paper). Disadvantage: Working with more moduli slows-down calculations linearly. We hence buy again security at the price of slower execution. Note: For signature we sign u times the same message using different u moduli. But for encryption we share a secret key κ = κ 1,..., κ u and encrypt each share κ i with a different modulus (the idea is that at least one share gets protected by a properly generated modulus). Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 13 / 17

The Attestator A for More Than u = 1 Modulus Variant consisting in generating u = l/2 bi-factor moduli for some even number l of factors. Input: r 1,..., r k Output: n := (n 1,..., n u ), ω n N 1 for all i 1 to k do h i H(i, r i ) p i G (h i ) N N p i end for (X 1,..., X 2u ) H 2u (N) ω n {r 1,..., r X1 1,, r X1+1,..., r Xul 1,, r Xul +1,..., r k } for all j 1 to u do n j p X2j p X2j+1 end for return n := (n 1,..., n u ), ω n Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 14 / 17

General Attestation Scheme Attestator A for the General Attestation Scheme (u 1, l 2) Input: r 1,..., r k Output: n := (n 1,..., n u ), ω n N 1 for all i 1 to k do h i H(i, r i ) p i G (h i ) N N p i end for (X 1,..., X ul ) H ul (N) ω n {r 1,..., r X1 1,, r X1+1,..., r Xul 1,, r Xul +1,..., r k } for all j 1 to u do n j p X(l 1)j+1 p Xlj end for return n := (n 1,..., n u ), ω n Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 15 / 17

Parameters Refer to the tables in the handouts. Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 16 / 17

Compressing The Attestation Benhamouda, Ferradi, Géraud, Naccache (École Normale Supérieure Non-Interactive ÉquipeProvably de cryptographie, Secure Attestations 45 rue d Ulm, f-75230 Paris cedex 05, January France 4, ) 2016 17 / 17

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback