
Optimizing Robustness while Generating Shared Secret Safe Primes


Presentation Transcript


  1. Optimizing Robustness while Generating Shared Secret Safe Primes Emil Ong and John Kubiatowicz <emilong@cs.berkeley.edu> University of California, Berkeley

  2. Motivation
  • Several multi-party algorithms need or benefit from using safe primes
  • Usually for RSA moduli (e.g. Shoup's RSA signature scheme)
  • In many of these algorithms the safe primes must be shared secrets to preserve security

  3. Generating safe primes as shared secrets: Prior Work
  • Algesheimer, Camenisch, and Shoup (CRYPTO '00)
  • Developed several novel mechanisms for modular arithmetic
  • Honest-but-curious model

  4. Our contribution
  A safe prime generation method which is robust and "efficient"
  • Use a robust form of distributed sieving to find safe prime candidates
  • Provide optimized methods for multiparty modular arithmetic

  5. High Level Overview
  • Find a safe prime candidate
  • Sieve for rough numbers – those without small prime factors
  • Ensure the number is
  • Test compositeness via a distributed Miller-Rabin test

  6. Distributed Sieving (Malkin, Wu, and Boneh, NDSS '99)
  • Each player finds a random "rough" integer (i.e. one relatively prime to the product of the first b primes, )
  • The players generate additive shares such that
  • Players choose a random
  • Locally compute to obtain an additive share of

  7. Making Distributed Sieving Robust
  • Each player finds a random "rough" integer (i.e. one relatively prime to the product of the first b primes, )
    – Need to prove each is genuinely rough
  • The players generate additive shares such that
    – Prefer threshold (polynomial) sharing
  • Players choose a random
    – Need to share them polynomially and prove their size
  • Locally compute to obtain an additive share of

  8. Robust Distributed Sieving
  • Each player finds a random "rough" integer
    – Each is shared polynomially along with a ZK proof
  • The are multiplied using the usual method (Ben-Or, Goldwasser, and Wigderson)
  • Players choose a random and share them polynomially, along with a proof of size
  • Locally compute to obtain an additive share of

  9. High Level Overview
  • Find a safe prime candidate
  • Sieve for rough numbers – those without small prime factors
  • Ensure the number is
  • Test compositeness via a distributed Miller-Rabin test

  10. Distributed Miller-Rabin
  Input: secret shares of the prime candidate φ
  • Locally compute e = (φ – 1) / 2
  • Repeat m times:
    • Choose a random g (0 ≤ g ≤ φ – 1)
    • Compute shares of g^e mod φ
    • If g^e mod φ, output failure
  • Output success

  11. Compute shares of g^e mod φ
  Modular exponentiation (Algesheimer, Camenisch, and Shoup, CRYPTO '00)
  Reshare the bits of e as β1, …, βn
  c = (g – 1) * βn + 1
  For i = n – 1 downto 1, do
    d = (g – 1) * βi + 1
    c = ((c^2 mod φ) * d) mod φ
  Output c
  Note that (g – 1) * βi + 1 is 1 when βi = 0 and g when βi = 1, so each step multiplies in g exactly when the bit is set

  12. Optimization: Lookup tables
  • Alternate perspective: d = (g – 1) * βi + 1 is a "lookup" of a 2-element table: 1 and g
  • Problem: sharing the bits of a secret can be expensive
  • Idea: optimize by doing a lookup in an arbitrarily sized table
  • Break the exponent into larger pieces than bits → fewer shares

  13. Generalized Modular Exponentiation
  Compute shares of g^e mod φ
  • Precompute g^0 mod φ, g^1 mod φ, …, g^(η–1) mod φ
  • Reshare e in base η as η1, …, ηω (ω = n / log2 η digits for an n-bit exponent)
  • c = LOOKUP(ηω)
  • For i = ω – 1 downto 1, do
    • d = LOOKUP(ηi)
    • c = ((c^η mod φ) * d) mod φ
  • Output c
  Result: the number of modular multiplications is reduced from 2 log2 e to log2 e + ω

  14. Lookup procedure
  Input: g^0 mod φ, g^1 mod φ, …, g^(η–1) mod φ,
  • For i = 0 to η – 1, do
  • For i = 0 to η – 1, do
  • Locally compute
  Normalization (adapted from Bar-Ilan and Beaver, PODC 1989):
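The sieve-then-test pipeline of slides 5 to 13, as an added single-process simulation. This is not the authors' code: the protocol's secret-shared multiplication, polynomial sharing, zero-knowledge proofs and lookup normalization are replaced by plain integers held in one list, so only the arithmetic is demonstrated. `windowed_powmod` implements the base-η table exponentiation of slide 13 and counts modular multiplications, so the claimed reduction from 2·log2 e to log2 e + ω can be checked directly (η = 2 gives the bit-by-bit method of slide 11). The failure condition used in the test is Euler's criterion, g^((φ–1)/2) ≡ ±1 (mod φ) for prime φ, which is exactly one Miller-Rabin round when (φ–1)/2 is odd, as it is for every safe prime; the cofactor q is checked with full Miller-Rabin because q–1 may have more factors of two. The function names, the 32-bit candidate size, the player count and the seed are assumptions made for the example.

```python
import math
import random
from functools import reduce

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def primorial(b):
    """Sieve modulus: the product of the first b small primes."""
    return reduce(lambda x, y: x * y, SMALL_PRIMES[:b], 1)


def is_rough(x, m):
    """x is 'rough' w.r.t. m when it shares no prime factor with m."""
    return math.gcd(x, m) == 1


def sieve_candidate(players, m, bits, rng):
    """Non-robust distributed sieving (Malkin-Wu-Boneh style) in one process:
    each player picks a_i coprime to m, the product a = prod(a_i) mod m is
    reshared additively, and each player adds a random multiple of m to its
    share.  The reconstructed sum is congruent to a mod m, hence still rough.
    (A real run multiplies with BGW shares and attaches the talk's ZK proofs.)"""
    a_mult = []
    while len(a_mult) < players:
        a_i = rng.randrange(2, m)
        if is_rough(a_i, m):
            a_mult.append(a_i)
    a = reduce(lambda x, y: x * y % m, a_mult, 1)
    add_shares = [rng.randrange(m) for _ in range(players - 1)]
    add_shares.append((a - sum(add_shares)) % m)            # shares sum to a (mod m)
    r_bits = bits - m.bit_length() - players.bit_length()   # keeps cand within `bits`
    r = [rng.randrange(1 << r_bits) for _ in range(players)]
    cand = sum(s + r_i * m for s, r_i in zip(add_shares, r))
    assert is_rough(cand, m)
    return cand


def windowed_powmod(g, e, phi, eta):
    """g^e mod phi via a base-eta lookup table (slide 13), counting modular
    multiplications.  eta must be a power of two so c^eta is log2(eta)
    squarings; eta == 2 is slide 11, whose table {1, g} is (g-1)*beta + 1.
    Returns (result, muls)."""
    assert eta >= 2 and eta & (eta - 1) == 0, "eta must be a power of two"
    if e == 0:
        return 1 % phi, 0
    k = eta.bit_length() - 1                        # bits per base-eta digit
    table = [pow(g, j, phi) for j in range(eta)]    # g^0, g^1, ..., g^(eta-1)
    digits = []
    while e:                                        # omega = ceil(n / k) digits
        digits.append(e & (eta - 1))
        e >>= k
    digits.reverse()                                # most significant digit first
    muls = 0
    c = table[digits[0]]                            # c = LOOKUP(top digit)
    for d in digits[1:]:
        for _ in range(k):                          # c = c^eta mod phi
            c = c * c % phi
            muls += 1
        c = c * table[d] % phi                      # c = c * LOOKUP(digit) mod phi
        muls += 1                                   # counted even when the digit is 0
    return c, muls


def miller_rabin(n, rounds, rng=None, eta=16):
    """Miller-Rabin with every exponentiation routed through windowed_powmod.
    Write n-1 = 2^s * t, t odd.  For a safe-prime candidate n = 2q+1 with q
    odd, s == 1 and a round is exactly slide 10's check that g^((n-1)/2) mod n
    is 1 or n-1 (Euler's criterion); any other value proves n composite."""
    if rng is None:
        rng = random.Random()
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    s, t = 0, n - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(rounds):
        g = rng.randrange(2, n - 1)
        c, _ = windowed_powmod(g, t, n, eta)
        if c in (1, n - 1):
            continue
        for _ in range(s - 1):                      # extra squarings only when s > 1
            c = c * c % n
            if c == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(players, b, bits, rounds, rng):
    """Slide 5 pipeline: sieve a rough phi, then require phi and q = (phi-1)/2
    to survive Miller-Rabin."""
    m = primorial(b)
    while True:
        phi = sieve_candidate(players, m, bits, rng)
        if miller_rabin(phi, rounds, rng) and miller_rabin((phi - 1) // 2, rounds, rng):
            return phi


def demo(seed=7, players=3, b=6, bits=32, rounds=20):
    """Deterministic end-to-end run; returns (phi, q) with phi = 2q + 1."""
    phi = find_safe_prime(players, b, bits, rounds, random.Random(seed))
    return phi, (phi - 1) // 2


if __name__ == "__main__":
    print("safe prime phi=%d q=%d" % demo())
    for eta in (2, 16):                             # 126 vs 75 modular multiplications
        print("eta=%d: %d muls" % (eta, windowed_powmod(3, 2**63 + 5, 10**9 + 7, eta)[1]))
```

For a 64-bit exponent the base-16 table costs 60 squarings plus 15 table multiplications (75), against 126 for the binary method, matching the slide's log2 e + ω versus 2 log2 e; in the shared setting each of those multiplications is a round of BGW multiplication, so the saving is in communication rounds, not just local CPU time.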

  15. Summary
  • Robust distributed sieving for safe prime candidate selection
  • Improvements to modular arithmetic in the multiparty setting
  • Current work: implementation

  16. Conclusions and Lessons
  • Modular arithmetic optimizations can be useful in general
  • Safe prime generation is still slow (up to 5 minutes locally)
  • The algorithm is non-trivial to implement
  • If possible, avoid safe primes for now while we optimize further ☺

  17. Thank you! Check our website soon for an extended version of the paper: http://oceanstore.cs.berkeley.edu
