ABSTRACT
Secure distributed generation of RSA moduli (e.g., generating N=pq where none of the parties learns anything about p or q) is an important cryptographic task, that is needed both in threshold implementations of RSA-based cryptosystems and in other, advanced cryptographic protocols that assume that all the parties have access to a trusted RSA modulo. In this paper, we provide a novel protocol for secure distributed RSA key generation based on the Miller-Rabin test. Compared with the more commonly used Boneh-Franklin test (which requires many iterations), the Miller-Rabin test has the advantage of providing negligible error after even a single iteration of the test for large enough moduli (e.g., 4096 bits).
From a technical point of view, our main contribution is a novel divisibility test which allows to perform the primality test in an efficient way, while keeping p and q secret.
Our semi-honest RSA generation protocol uses any underlying secure multiplication protocol in a black-box way, and our protocol can therefore be instantiated in both the honest or dishonest majority setting based on the chosen multiplication protocol. Our semi-honest protocol can be upgraded to protect against active adversaries at low cost using existing compilers. Finally, we provide an experimental evaluation showing that for the honest majority case, our protocol is much faster than Boneh-Franklin.
- Joy Algesheimer, Jan Camenisch, and Victor Shoup. 2002. Efficient Computation Modulo a Shared Secret with Application to the Generation of Shared Safe-Prime Products. In CRYPTO 2002 (LNCS, Vol. 2442), Moti Yung (Ed.). Springer, Heidelberg, 417--432. https://doi.org/10.1007/3--540--45708--9_27Google ScholarCross Ref
- AWS. 2023. Amazon EC2 On-Demand Pricing. https://aws.amazon.com/ec2/ pricing/on-demand/. Accessed: 2023-05-02.Google Scholar
- Judit Bar-Ilan and Donald Beaver. 1989. Non-Cryptographic Fault-Tolerant Computing in Constant Number of Rounds of Interaction. In 8th ACM PODC, Piotr Rudnicki (Ed.). ACM, 201--209. https://doi.org/10.1145/72981.72995Google ScholarDigital Library
- Josh Cohen Benaloh and Michael de Mare. 1994. One-Way Accumulators: A Decentralized Alternative to Digital Sinatures (Extended Abstract). In EUROCRYPT'93 (LNCS, Vol. 765), Tor Helleseth (Ed.). Springer, Heidelberg, 274--285. https://doi.org/10.1007/3--540--48285--7_24Google ScholarCross Ref
- Dan Boneh, Joseph Bonneau, Benedikt Bünz, and Ben Fisch. 2018. Verifiable Delay Functions. In CRYPTO 2018, Part I (LNCS, Vol. 10991), Hovav Shacham and Alexandra Boldyreva (Eds.). Springer, Heidelberg, 757--788. https://doi.org/10. 1007/978--3--319--96884--1_25Google ScholarDigital Library
- Dan Boneh, Benedikt Bünz, and Ben Fisch. 2019. Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains. In CRYPTO 2019, Part I (LNCS, Vol. 11692), Alexandra Boldyreva and Daniele Micciancio (Eds.). Springer, Heidelberg, 561--586. https://doi.org/10.1007/978--3-030--26948--7_20Google ScholarDigital Library
- Dan Boneh and Matthew K. Franklin. 1997. Efficient Generation of Shared RSA Keys (Extended Abstract). In CRYPTO'97 (LNCS, Vol. 1294), Burton S. Kaliski Jr. (Ed.). Springer, Heidelberg, 425--439. https://doi.org/10.1007/BFb0052253Google ScholarCross Ref
- Elette Boyle, Geoffroy Couteau, Niv Gilboa, Yuval Ishai, Lisa Kohl, Peter Rindal, and Peter Scholl. 2019. Efficient Two-Round OT Extension and Silent NonInteractive Secure Computation. In ACM CCS 2019, Lorenzo Cavallaro, Johannes Kinder, XiaoFeng Wang, and Jonathan Katz (Eds.). ACM Press, 291--308. https: //doi.org/10.1145/3319535.3354255Google ScholarDigital Library
- Jakob Burkhardt, Ivan Damgård, Tore Frederiksen, Satrajit Ghosh, and Claudio Orlandi. 2023. Improved Distributed RSA Key Generation Using the Miller-Rabin Test. Cryptology ePrint Archive, Paper 2023/644. https://eprint.iacr.org/2023/644Google Scholar
- Jan Camenisch and Anna Lysyanskaya. 2002. Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. In CRYPTO 2002 (LNCS, Vol. 2442), Moti Yung (Ed.). Springer, Heidelberg, 61--76. https://doi.org/10.1007/3- 540--45708--9_5Google ScholarCross Ref
- Megan Chen, Jack Doerner, Yashvanth Kondi, Eysa Lee, Schuyler Rosefield, abhi shelat, and Ran Cohen. 2022. Multiparty Generation of an RSA Modulus. Journal of Cryptology 35, 2 (April 2022), 12. https://doi.org/10.1007/s00145-021-09395-yGoogle ScholarDigital Library
- Megan Chen, Carmit Hazay, Yuval Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, abhi shelat, Muthu Venkitasubramaniam, and Ruihan Wang. 2021. Diogenes: Lightweight Scalable RSA Modulus Generation with a Dishonest Majority. In 2021 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 590--607. https://doi.org/10.1109/SP40001.2021.00025Google ScholarCross Ref
- Ivan Damgård, Peter Landrock, and Carl Pomerance. 1993. Average case error estimates for the strong probable prime test. Mathematics of computation 61, 203 (1993), 177--194.Google Scholar
- Ivan Damgård and Gert Læssøe Mikkelsen. 2010. Efficient, Robust and ConstantRound Distributed RSA Key Generation. In TCC 2010 (LNCS, Vol. 5978), Daniele Micciancio (Ed.). Springer, Heidelberg, 183--200. https://doi.org/10.1007/978--3- 642--11799--2_12Google ScholarCross Ref
- Ivan Damgård, Claudio Orlandi, and Mark Simkin. 2018. Yet Another Compiler for Active Security or: Efficient MPC Over Arbitrary Rings. In CRYPTO 2018, Part II (LNCS, Vol. 10992), Hovav Shacham and Alexandra Boldyreva (Eds.). Springer, Heidelberg, 799--829. https://doi.org/10.1007/978--3--319--96881-0_27Google ScholarDigital Library
- Cyprien Delpech de Saint Guilhem, Eleftheria Makri, Dragos Rotaru, and Titouan Tanguy. 2021. The Return of Eratosthenes: Secure Generation of RSA Moduli using Distributed Sieving. In ACM CCS 2021, Giovanni Vigna and Elaine Shi (Eds.). ACM Press, 594--609. https://doi.org/10.1145/3460120.3484754Google ScholarDigital Library
- Didier Deshommes. 2023. GMP-java. https://github.com/dfdeshom/GMP-java. Accessed: 2023-07--27.Google Scholar
- Hendrik Eerikson, Marcel Keller, Claudio Orlandi, Pille Pullonen, Joonas Puura, and Mark Simkin. 2019. Use your brain! Arithmetic 3PC for any modulus with active security. Cryptology ePrint Archive (2019).Google Scholar
- Hendrik Eerikson, Marcel Keller, Claudio Orlandi, Pille Pullonen, Joonas Puura, and Mark Simkin. 2020. Use Your Brain! Arithmetic 3PC for Any Modulus with Active Security. In ITC 2020, Yael Tauman Kalai, Adam D. Smith, and Daniel Wichs (Eds.). Schloss Dagstuhl, 5:1--5:24. https://doi.org/10.4230/LIPIcs.ITC.2020.5Google ScholarCross Ref
- Yair Frankel, Philip D. MacKenzie, and Moti Yung. 1998. Robust Efficient Distributed RSA-Key Generation. In STOC, Jeffrey Scott Vitter (Ed.). ACM, 663--672. https://doi.org/10.1145/276698.276882Google ScholarDigital Library
- Tore Kasper Frederiksen, Yehuda Lindell, Valery Osheter, and Benny Pinkas. 2018. Fast Distributed RSA Key Generation for Semi-honest and Malicious Adversaries. In CRYPTO 2018, Part II (LNCS, Vol. 10992), Hovav Shacham and Alexandra Boldyreva (Eds.). Springer, Heidelberg, 331--361. https://doi.org/10.1007/978--3- 319--96881-0_12Google ScholarDigital Library
- Rosario Gennaro, Michael O. Rabin, and Tal Rabin. 1998. Simplified VSS and FastTrack Multiparty Computations with Applications to Threshold Cryptography. In 17th ACM PODC, Brian A. Coan and Yehuda Afek (Eds.). ACM, 101--111. https://doi.org/10.1145/277697.277716Google ScholarDigital Library
- Niv Gilboa. 1999. Two Party RSA Key Generation. In CRYPTO'99 (LNCS, Vol. 1666), Michael J. Wiener (Ed.). Springer, Heidelberg, 116--129. https://doi.org/10.1007/3- 540--48405--1_8Google ScholarCross Ref
- Carmit Hazay, Gert Læssøe Mikkelsen, Tal Rabin, and Tomas Toft. 2012. Efficient RSA Key Generation and Threshold Paillier in the Two-Party Setting. In CT-RSA (Lecture Notes in Computer Science, Vol. 7178), Orr Dunkelman (Ed.). Springer, 313--331. https://doi.org/10.1007/978--3--642--27954--6_20Google ScholarCross Ref
- Carmit Hazay, Gert Læssøe Mikkelsen, Tal Rabin, and Tomas Toft. 2012. Efficient RSA Key Generation and Threshold Paillier in the Two-Party Setting. In CTRSA 2012 (LNCS, Vol. 7178), Orr Dunkelman (Ed.). Springer, Heidelberg, 313--331. https://doi.org/10.1007/978--3--642--27954--6_20Google ScholarCross Ref
- Carmit Hazay, Gert Læssøe Mikkelsen, Tal Rabin, Tomas Toft, and Angelo Agatino Nicolosi. 2019. Efficient RSA Key Generation and Threshold Paillier in the Two-Party Setting. Journal of Cryptology 32, 2 (April 2019), 265--323. https: //doi.org/10.1007/s00145-017--9275--7Google ScholarDigital Library
- Yuval Ishai, Manoj Prabhakaran, and Amit Sahai. 2009. Secure Arithmetic Computation with No Honest Majority. In TCC 2009 (LNCS, Vol. 5444), Omer Reingold (Ed.). Springer, Heidelberg, 294--314. https://doi.org/10.1007/978--3--642-00457- 5_18Google ScholarCross Ref
- Mitsuru Ito, Akira Saito, and Takao Nishizeki. 1989. Secret sharing scheme realizing general access structure. Electronics and Communications in Japan (Part III: Fundamental Electronic Science) 72, 9 (1989), 56--64. https://doi.org/10.1002/ecjc.4430720906 arXiv:https://onlinelibrary.wiley.com/doi/pdf/10.1002/ecjc.4430720906Google ScholarCross Ref
- Marcel Keller, Emmanuela Orsini, and Peter Scholl. 2015. Actively Secure OT Extension with Optimal Overhead. In CRYPTO 2015, Part I (LNCS, Vol. 9215), Rosario Gennaro and Matthew J. B. Robshaw (Eds.). Springer, Heidelberg, 724-- 741. https://doi.org/10.1007/978--3--662--47989--6_35Google ScholarDigital Library
- Michael Malkin, Thomas D. Wu, and Dan Boneh. 1999. Experimenting with Shared Generation of RSA Keys. In NDSS'99. The Internet Society.Google Scholar
- Gary L Miller. 1976. Riemann's hypothesis and tests for primality. Journal of computer and system sciences 13, 3 (1976), 300--317.Google ScholarDigital Library
- Pascal Paillier. 1999. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In EUROCRYPT'99 (LNCS, Vol. 1592), Jacques Stern (Ed.). Springer, Heidelberg, 223--238. https://doi.org/10.1007/3--540--48910-X_16Google ScholarCross Ref
- Guillaume Poupard and Jacques Stern. 1998. Generation of Shared RSA Keys by Two Parties. In ASIACRYPT (Lecture Notes in Computer Science, Vol. 1514), Kazuo Ohta and Dingyi Pei (Eds.). Springer, 11--24. https://doi.org/10.1007/3- 540--49649--1_2Google ScholarCross Ref
- Michael O Rabin. 1980. Probabilistic algorithm for testing primality. Journal of number theory 12, 1 (1980), 128--138.Google ScholarCross Ref
- Ronald L Rivest, Adi Shamir, and Leonard Adleman. 1978. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 2 (1978), 120--126.Google ScholarDigital Library
- Ronald L Rivest, Adi Shamir, and David A Wagner. 1996. Time-lock puzzles and timed-release crypto. (1996).Google Scholar
- Lawrence Roy. 2022. SoftSpokenOT: Quieter OT Extension from Small-Field Silent VOLE in the Minicrypt Model. In CRYPTO 2022, Part I (LNCS, Vol. 13507), Yevgeniy Dodis and Thomas Shrimpton (Eds.). Springer, Heidelberg, 657--687. https://doi.org/10.1007/978--3-031--15802--5_23Google ScholarDigital Library
- Omer Shlomovits. 2020. Diogenes Octopus*: Playing Red Team for Eth2.0 VDF. Medium blog post. https://medium.com/zengo/diogenes-octopus-playing-redteam-for-eth2-0-vdf-part-1-dac3f2e3cc7bGoogle Scholar
- Omer Shlomovits. 2020. DogByte Attack: Playing Red Team for Eth2.0 VDF. Medium blog post. https://medium.com/zengo/dogbyte-attack-playing-redteam-for-eth2-0-vdf-ea2b9b2152afGoogle Scholar
- Benjamin Wesolowski. 2019. Efficient Verifiable Delay Functions. In EUROCRYPT 2019, Part III (LNCS, Vol. 11478), Yuval Ishai and Vincent Rijmen (Eds.). Springer, Heidelberg, 379--407. https://doi.org/10.1007/978--3-030--17659--4_13Google ScholarDigital Library
Index Terms
- Improved Distributed RSA Key Generation Using the Miller-Rabin Test
Recommendations
Secure and practical threshold RSA
SIN '13: Proceedings of the 6th International Conference on Security of Information and NetworksThis article describes a scheme that outputs RSA signatures using a threshold mechanism in which each share has a bitlength close to the bitlength of the RSA modulus. The scheme is proven unforgeable under the standard RSA assumption against an honest ...
Efficient generation of shared RSA keys
We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is ...
Password-authenticated key exchange based on RSA
Special Issue on Special Purpose Protocols;Guest Editor:Moti YungThere have been many proposals in recent years for password-authenticated key exchange protocols, i.e., protocols in which two parties who share only a short secret password perform a key exchange authenticated with the password. However, the only ones ...
Comments