Threshold Cryptography: Shared RSA and Multi-party Computation Protocols, Cheat Sheet of Cryptography and System Security

This document covers threshold cryptography, exploring techniques for secure key sharing and signature generation in distributed environments. It focuses on shared RSA schemes, where decryption is distributed among multiple parties, and on multi-party computation protocols that enable collaborative computation without revealing individual inputs. It gives detailed explanations of algorithms, proofs, and practical considerations for implementing these cryptographic techniques.

Typology: Cheat Sheet

2022/2023

Uploaded on 10/19/2024

RSA Threshold Cryptography

H.L. Nguyen

May 4, 2005

Dept. of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United Kingdom.

Abstract

In this project, a new threshold signing scheme for RSA has been proposed. The scheme does not require a trusted third party and no secret information is leaked throughout the protocol. The time and storage complexity of the protocol is linear in the number of parties and no restriction is placed on the RSA moduli. Combined with the n-out-of-n key generation protocol of Boneh and Franklin, one has a complete solution for the threshold RSA problem with no trusted dealer. The complete protocol has also been implemented, and a paper has been written and submitted to a conference on cryptography and coding.

Contents

1 Introduction

Threshold decryption has been studied extensively for the last two decades. It is a branch of public key cryptography in general, and of multi-party computation in particular. Essentially, in a k-out-of-n threshold cryptosystem, denoted (k, n) where 1 < k ≤ n, for the RSA function [31], our aim is to generate and then split the secret decryption/signing exponent d into n different pieces, which are then distributed privately to n parties. This enables:

  • Any k or more of the n parties, when they come together, to “reconstruct” the secret d in a way which enables them to decrypt or sign a message. This must be done without revealing the value of d or its shares to anyone in the scheme.
  • Secondly, signing or decryption is totally impossible when fewer than k parties are present.

The area of threshold cryptography was pioneered by Adi Shamir in his 1978 paper [32]; however, the idea only took off when the problem was formally stated by Desmedt in [13]. Since then much work has been devoted to the topic, such as Desmedt and Frankel [14], Pedersen [29], Gennaro et al. [21], and many more. However, the majority of these solutions are only for discrete logarithm based systems, which have a direct application to the ElGamal encryption and decryption algorithm [16]. The reason why discrete logarithm based threshold systems are easier to design is that the group in which one works has a publicly known order. In the RSA signature scheme, by contrast, the group we are working in has an unknown order, and so various technical problems arise. For example, standard polynomial interpolation over the ring $\mathbb{Z}_{\varphi(N)}$ is hard as no party knows $\varphi(N)$. Another problem is that it is relatively easy to generate a shared discrete logarithm public/private key pair, but it is harder to generate a shared RSA public/private key pair (an n-out-of-n threshold scheme) without the presence of a trusted third party. However, there was a breakthrough in the area of shared RSA key generation when both Boyd [7] and Frankel [19] independently proposed a simple and elegant solution for distributed RSA. The decryption key d is additively shared amongst n parties, $d = d_1 + d_2 + \cdots + d_n$, and signing is simply done as follows:

$$s = m^d = m^{d_1} \cdots m^{d_n} \pmod N,$$

and each $s_i = m^{d_i} \pmod N$ is called the partial signature or signature share. Extending this idea, a number of new schemes for shared RSA key generation were proposed; for example, a complete solution for this problem was given in [11]. Unfortunately, the modulus N was assumed to be generated by a trusted dealer, and the dealer can therefore forge a signature on a message of his or her choosing. General secure circuit evaluation techniques, presented in [4, 8, 22, 34], can also be applied, since a primality test can be expressed as a boolean circuit; however, this approach is too inefficient to be implemented in practice. So far, the best solution for this problem is probably the one built by Boneh and Franklin [5, 6], which does not require a trusted third party and which can efficiently generate shared RSA keys that satisfy the above property. This solution is also the one we have studied and implemented in the first half of this project. The drawback of the scheme is that it only gives us an n-out-of-n threshold decryption that cannot easily be turned into a k-out-of-n threshold scheme.

In trying to solve the last piece of this problem, a number of threshold schemes for RSA have been proposed in the literature, most notably Rabin’s [30] and Shoup’s [33] schemes. In Rabin’s protocol, the author uses Shamir secret sharing to share the secret, but on signing the k signing parties need to interact so as to recover the secrets of the non-signing parties. This removes the problem of working in a group of unknown order, but means the scheme leaks information about the additive shares of various parties. To get around this problem a share-refreshing protocol is given. All parts of Rabin’s scheme require a large amount of interaction between the various parties. Taking a different approach, Shoup provides a framework that leads to the possibility of applying the protocol in practice, where dealing, signature share generation, signature share verification and signature share combining are separated from each other and only the first part, i.e. dealing, requires interaction between the various parties. The scheme Shoup proposes is thus fully non-interactive, bar the initial dealing phase. However, the drawbacks of his scheme are that it requires both a trusted dealer and strong RSA moduli. Hence, Shoup’s scheme cannot be applied with the Boneh and Franklin shared key generation protocol.

In this project we give a new RSA threshold scheme [25] which does not require trusted dealers and which can be applied with the Boneh and Franklin shared key generation protocol. In addition we try to minimise the amount of interaction required between the parties and we eliminate the need for a share refreshing stage of the protocol.

Barnett and Smart in [1] where all players must agree to decrypt a card in order to do so.

2.4 Identification Scheme

There are many proposed identification schemes, notably Guillou-Quisquater [23], Fiat-Shamir [18] and their extended and modified versions in [17, 20, 26, 27], that rely on a dealer to generate the RSA modulus N. Clearly, the dealer must be trusted to generate N correctly as well as to keep its factors secret from all parties, and in real life this is too strong an assumption. The protocol implemented in this project eliminates the need for the trusted party, since all parties can generate the modulus N by themselves without any of them learning the secret in the process.

3 Cryptography Techniques

3.1 Hard Problem

There are two hard problems, factoring large numbers and the discrete logarithm, which we describe in this section. Everything in this protocol is based on the assumption that these two problems are computationally infeasible, i.e. cannot be solved in polynomial time.

3.1.1 Factoring Problem

The problem states that given a large number, about 1000 bits, it is computationally infeasible to factorise the number into its prime factors. The best known algorithm has exponential complexity in the number of bits of the number. For example: if N = pq where p and q are large prime numbers (500 bits each), then it is hard to find p and q given the value of N. This problem is the basis of the security of the RSA encryption and decryption scheme.

3.1.2 Discrete Logarithm Problem

Given a large number N of size 1000 bits, and y, g in the interval $[1, \dots, N-1]$ where $\gcd(g, N) = 1$, it is hard to find x that satisfies the equation:

$$y = g^x \pmod N$$

This problem will be the basis of threshold decryption and the signing scheme implemented in this project.

3.2 Euler’s Theorem and the Fermat Primality Test

Euler’s theorem is probably one of the most important theorems used in public key cryptography.

3.2.1 Euler Theorem

Given a number $N = p_1^{a_1} p_2^{a_2} \cdots p_n^{a_n}$ where $p_1, \dots, p_n$ are prime numbers, there are exactly $\varphi(N)$ numbers between 1 and N − 1 that are co-prime to N, where:

$$\varphi(N) = \prod_{i=1}^{n} p_i^{a_i - 1} (p_i - 1)$$

3.2.2 RSA case

When N = pq, we have $\varphi(N) = (p-1)(q-1)$, and any e co-prime to N satisfies:

$$e^{\varphi(N)} \equiv 1 \pmod N$$

An interesting direct consequence of this case is that it gives us an indirect way to test whether or not a number is a product of two large prime numbers. The method will be explained in more detail in section 5.2.4, as it forms the primality testing stage of this protocol.

  1. And $ed \equiv 1 \pmod{\varphi(N)}$.

The reader might wonder how we can generate such a scheme without the help of a trusted third party and still keep p, q, and d secret from everyone in the world. The answer is that such a scheme is exactly what we want to achieve with the n-out-of-n shared key generation protocol in the first half of this project. For now, I shall assume that we have achieved these properties, and I am going to show two different ways to encrypt a message and decrypt a ciphertext: one based on the Discrete Logarithm Problem and one based on RSA-Paillier as presented in [28].

3.4.1 Discrete Logarithm Approach

As the name implies, this approach is based on the difficulty of the Discrete Logarithm problem.

  • Encryption: is identical to RSA: $c = m^e \pmod N$.
  • Decryption: each party $P_i$ computes $m_i = c^{d_i} \pmod N$ and then publishes $m_i$ to all other parties. As it is hard to find $d_i$ given $m_i$ and c (discrete logarithm problem), $d_i$ still remains secret to party $P_i$ after decryption. Now, each party knows all $m_i$ for $i = 1, \dots, n$ and therefore can recover m from the following formula:

$$m = \prod_{i=1}^{n} m_i \pmod N$$

Proof:

$$m = m_1 m_2 \cdots m_n = c^{d_1} c^{d_2} \cdots c^{d_n} = c^{\sum_{i=1}^{n} d_i} = c^{d} = m^{ed} = m \pmod N$$

An alternative way to do encryption and decryption can be based on the ElGamal algorithm [16].

3.4.2 RSA Paillier Approach

This scheme was recently proposed in [28] for a single party and extended to deal with multiple participants in another paper of Barnett and Smart [1]. All the parties generate a share of $\varphi = (p-1)(q-1)$ by setting:

$$x_i = \begin{cases} N - (p_1 + q_1) + 1 & \text{if } i = 1 \\ -(p_i + q_i) & \text{if } i > 1 \end{cases}$$

Note that $\varphi = \sum_{i=1}^{n} x_i$. The parties then commit to the value $x_i$ by publishing $h_i = g^{x_i} \pmod{N^2}$ where $g = N + 1$. They then set publicly:

$$h = \prod_{i=1}^{n} h_i - 1 = g^{\varphi} - 1 \pmod{N^2}$$

  • Encryption: To encrypt a message m, a user chooses a random number r in the range $[1, \dots, N]$ with $\gcd(r, N) = 1$. The ciphertext is computed as follows:

$$c = g^m r^N \pmod{N^2}$$

  • Decryption: each party $P_i$ computes $m_i = c^{x_i} \pmod{N^2}$ and then publishes $m_i$ to all other parties. Each party knows all $m_i$ for $i = 1, \dots, n$ and therefore can recover the message m by computing:

$$m = \frac{\left( \prod_{i=1}^{n} m_i \right) - 1 \pmod{N^2}}{h} \pmod N$$
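The RSA-Paillier threshold decryption just described, simulated end to end in Python as an added example (this is not code from the paper or from its implementation). It assumes three parties holding constructed additive shares of p = 61 and q = 53, chosen so that $\gcd(N, \varphi) = 1$ as the final division needs; that division by h is carried out as in Paillier's L-function: both $\prod m_i - 1$ and h are multiples of N, so one divides each by N and inverts h/N modulo N.

```python
from math import gcd
from random import randrange

# Constructed toy shares: party i holds (p_i, q_i); p = 61 and q = 53 are
# never reconstructed by any party.  Real schemes use ~500-bit primes.
P_SHARES = [20, 30, 11]
Q_SHARES = [17, 15, 21]
N = sum(P_SHARES) * sum(Q_SHARES)   # public modulus 3233 (demo only: from BGW in practice)


def phi_shares(p_shares, q_shares, n_mod):
    """Additive shares x_i of phi = (p-1)(q-1) as defined in section 3.4.2:
    x_1 = N - (p_1 + q_1) + 1 and x_i = -(p_i + q_i) for i > 1."""
    xs = [n_mod - (p_shares[0] + q_shares[0]) + 1]
    xs += [-(pi + qi) for pi, qi in zip(p_shares[1:], q_shares[1:])]
    return xs


def public_h(xs, n_mod):
    """Each party publishes h_i = g^x_i mod N^2 with g = N + 1; everyone sets
    h = prod(h_i) - 1 = g^phi - 1 mod N^2.  Negative exponents are fine since
    g is invertible modulo N^2 (Python 3.8+ pow)."""
    n2 = n_mod * n_mod
    prod = 1
    for x in xs:
        prod = prod * pow(n_mod + 1, x, n2) % n2
    return (prod - 1) % n2


def encrypt(m, n_mod):
    """c = g^m r^N mod N^2 with a random r in [1, N) coprime to N."""
    n2 = n_mod * n_mod
    r = randrange(1, n_mod)
    while gcd(r, n_mod) != 1:
        r = randrange(1, n_mod)
    return pow(n_mod + 1, m, n2) * pow(r, n_mod, n2) % n2


def partial_decrypt(c, x, n_mod):
    """Party i computes and publishes m_i = c^x_i mod N^2."""
    return pow(c, x, n_mod * n_mod)


def combine(partials, h, n_mod):
    """m = ((prod m_i) - 1 mod N^2) / h mod N.  Because g^phi = 1 + phi*N
    (mod N^2), both the numerator and h are multiples of N: divide each by N
    and invert h/N (= phi mod N) modulo N, which exists as gcd(phi, N) = 1."""
    n2 = n_mod * n_mod
    prod = 1
    for mi in partials:
        prod = prod * mi % n2
    num = (prod - 1) % n2
    if num % n_mod or h % n_mod:
        raise ValueError("inconsistent shares: value is not a multiple of N")
    return (num // n_mod) * pow(h // n_mod, -1, n_mod) % n_mod


def threshold_decrypt(m):
    """Run the whole exchange for one message and return the recovered m."""
    xs = phi_shares(P_SHARES, Q_SHARES, N)
    h = public_h(xs, N)
    c = encrypt(m, N)
    partials = [partial_decrypt(c, x, N) for x in xs]
    return combine(partials, h, N)


if __name__ == "__main__":
    print(threshold_decrypt(1234))   # 1234
```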

4.1.1 Modulo non-prime

In the previous case, M is chosen as a prime number. In fact, the scheme still works when M is composite, as long as M has no prime factor smaller than or equal to the number of servers. This case is used in the Distributed Sieving stage of the protocol.

4.1.2 Sharing the final outcome

Note that the additive share

$$s_j = b_j y_j = \left( \prod_{1 \le h \le w,\ h \ne j} \frac{x_h}{x_h - x_j} \right) y_j$$

can be computed privately by party $P_j$. Therefore, the secret s can be additively shared amongst the servers rather than being made public. As a result, the servers no longer perform step 3 of the Shamir Secret Sharing scheme above.

4.2 Benaloh Protocol

Suppose each of the n parties has a secret share $s_i$. They wish to compute $s = \sum_{i=1}^{n} s_i \pmod M$ without revealing any further information about their secret shares modulo M. This can be done by Benaloh’s protocol developed in [3], which is (n − 2)-private, and it works as follows:

  • Step 1: Each party $P_i$ picks n random elements $s_{i,j}$ for $j = 1, \dots, n$ such that $s_i = \sum_{j=1}^{n} s_{i,j} \pmod M$. For example, party $P_i$ chooses (n − 1) random numbers $s_{i,1}, \dots, s_{i,(n-1)}$ and sets:

$$s_{i,n} = \left( s_i - \sum_{j=1}^{n-1} s_{i,j} \right) \pmod M$$

  • Step 2: Each party $P_i$ privately sends $s_{i,j}$ to party $P_j$ for $j = 1, \dots, n$.
  • Step 3: Each party $P_j$ receives n shares $s_{i,j}$ for $i = 1, \dots, n$ and then computes:

$$\hat{s}_j = \sum_{i=1}^{n} s_{i,j} \pmod M$$

and then broadcasts $\hat{s}_j$ to all other parties.

  • Step 4: Each party receives $\hat{s}_1, \dots, \hat{s}_n$ and computes the required sum as follows:

$$s = \sum_{i=1}^{n} \hat{s}_i \pmod M$$

Proof:

$$s = \sum_{i=1}^{n} s_i = \sum_{i=1}^{n} \left( \sum_{j=1}^{n} s_{i,j} \right) = \sum_{j=1}^{n} \left( \sum_{i=1}^{n} s_{i,j} \right) = \sum_{j=1}^{n} \hat{s}_j \pmod M$$

The scheme is (n − 2)-private because if (n − 1) parties collude, they can find out the share of the single remaining party modulo M.

4.3 BGW Protocol

The reader can skip this section and come back to it later on reaching the Distributed Sieving and N Computation stages of the protocol. This protocol was originally invented by Ben-Or, Goldwasser and Wigderson in [4]; the following is a simplified version of it. It makes use of the Shamir Secret Sharing scheme, and therefore the reader is strongly recommended to understand Shamir’s scheme first before attempting to read this one. Suppose each of the n parties $P_i$ has $p_i, q_i$. They wish to compute:

$$N = \left( \sum_{i=1}^{n} p_i \right) \left( \sum_{j=1}^{n} q_j \right)$$

without revealing any further information about their secret shares $p_i$ and $q_i$. That means at the end of the protocol N is made public, but $p_i$ and $q_i$ are known only to party $P_i$. In addition, $p = \sum_{i=1}^{n} p_i$ and $q = \sum_{j=1}^{n} q_j$ are also unknown to all parties. Let M be a large number with M > N such that M has no prime factor smaller than or equal to the number of parties. Unless otherwise stated, all arithmetic operations are done modulo M.

  • Step 1: Let $l = \lfloor (n-1)/2 \rfloor$. Each party $P_i$ picks 4l random secret coefficients $a_{i,1}, \dots, a_{i,l}$, $b_{i,1}, \dots, b_{i,l}$ and $c_{i,1}, \dots, c_{i,l}, c_{i,(l+1)}, \dots, c_{i,2l}$ that form the three polynomials:

$$f_i(x) = p_i + \sum_{j=1}^{l} a_{i,j} x^j, \qquad g_i(x) = q_i + \sum_{j=1}^{l} b_{i,j} x^j, \qquad h_i(x) = \sum_{j=1}^{2l} c_{i,j} x^j$$

and therefore we have, for all $i = 1, \dots, n$: $f_i(0) = p_i$, $g_i(0) = q_i$ and $h_i(0) = 0$. Party $P_i$ then computes the following for all $j = 1, \dots, n$:

$$f_{i,j} = f_i(j), \qquad g_{i,j} = g_i(j), \qquad h_{i,j} = h_i(j)$$

  • Step 2: Each party $P_i$ sends the tuple $\langle f_{i,j}, g_{i,j}, h_{i,j} \rangle$ to party $P_j$ privately, for all $j = 1, \dots, n$.
  • Step 3: Each party $P_j$ receives n tuples $\langle f_{i,j}, g_{i,j}, h_{i,j} \rangle$ for $i = 1, \dots, n$ and then computes:

$$N_j = \left( \sum_{i=1}^{n} f_{i,j} \right) \left( \sum_{i=1}^{n} g_{i,j} \right) + \sum_{i=1}^{n} h_{i,j} = \left( \sum_{i=1}^{n} f_i(j) \right) \left( \sum_{i=1}^{n} g_i(j) \right) + \sum_{i=1}^{n} h_i(j)$$

Party $P_j$ publishes $N_j$ to everyone in the scheme.
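The simplified BGW protocol of this section, simulated in Python as an added example (not the paper's code). It goes one step beyond the text above: once every $P_j$ has published $N_j$, the parties recover $N = N(0)$ by Lagrange interpolation of the degree-2l polynomial through the public points, which is exactly why M must have no prime factor at most n (every denominator j − k must be invertible modulo M). The shares of p = 61 and q = 53 and the modulus M = 5·7·11·13 are constructed for the demo.

```python
from random import randrange


def poly_eval(coeffs, x, m):
    """Evaluate c_0 + c_1 x + c_2 x^2 + ... modulo m (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % m
    return acc


def party_shares(pi, qi, n, l, m):
    """Step 1: P_i builds f_i (degree l, f_i(0) = p_i), g_i (degree l,
    g_i(0) = q_i) and h_i (degree 2l, h_i(0) = 0) with random coefficients
    and evaluates them at j = 1..n.  Entry j-1 is the tuple sent to P_j."""
    f = [pi] + [randrange(m) for _ in range(l)]
    g = [qi] + [randrange(m) for _ in range(l)]
    h = [0] + [randrange(m) for _ in range(2 * l)]
    return [(poly_eval(f, j, m), poly_eval(g, j, m), poly_eval(h, j, m))
            for j in range(1, n + 1)]


def local_product(received, m):
    """Step 3: P_j adds the n tuples it received and publishes
    N_j = (sum_i f_i(j)) (sum_i g_i(j)) + sum_i h_i(j)  (mod M)."""
    fs = sum(t[0] for t in received) % m
    gs = sum(t[1] for t in received) % m
    hs = sum(t[2] for t in received) % m
    return (fs * gs + hs) % m


def lagrange_at_zero(points, m):
    """Constant term of the polynomial through the public points (j, N_j).
    Every denominator j - k has absolute value below n, so it is invertible
    modulo M exactly when M has no prime factor <= n."""
    total = 0
    for j, yj in points:
        num, den = 1, 1
        for k, _ in points:
            if k != j:
                num = num * (-k) % m
                den = den * (j - k) % m
        total = (total + yj * num * pow(den, -1, m)) % m
    return total


def bgw_product(p_shares, q_shares, m):
    """Run the protocol among n parties and return N = (sum p_i)(sum q_i)."""
    n = len(p_shares)
    l = (n - 1) // 2
    # Steps 1-2: sent[i][j] is the private tuple from P_i to P_{j+1}
    sent = [party_shares(pi, qi, n, l, m) for pi, qi in zip(p_shares, q_shares)]
    # Step 3: P_j collects the n tuples addressed to it and publishes N_j
    published = [(j + 1, local_product([sent[i][j] for i in range(n)], m))
                 for j in range(n)]
    # Everyone interpolates the public values at x = 0 to obtain N
    return lagrange_at_zero(published, m)


if __name__ == "__main__":
    # Constructed demo: p = 20 + 30 + 11 = 61, q = 17 + 15 + 21 = 53,
    # M = 5 * 7 * 11 * 13 = 5005 > 61 * 53 with no prime factor <= 3.
    print(bgw_product([20, 30, 11], [17, 15, 21], 5 * 7 * 11 * 13))   # 3233
```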

5 Shared RSA Secret Keys Generation Protocol, an n-out-of-n Threshold Scheme

5.1 Problem Definition and Notation

In this section, I would like to give the reader a high-level overview of the protocol before going into a detailed discussion of each stage. What the protocol achieves is that multiple parties, say n, come together to generate a modulus N and make N and the encryption exponent e public. Nobody knows the prime factors of N, but everyone is convinced that N is a product of two large prime numbers. The scheme is an n-out-of-n threshold scheme, which means that decryption requires the presence of all parties because each party keeps an additive share $d_i$ of the decryption exponent d. As a result, this scheme allows a new (k, n) Threshold Signing Scheme to be added later on in this project. Also note that the value of d is unknown to all parties, and remains so after any number of decryptions. Throughout the protocol, a trusted third party is not required and all stages in the protocol need the contribution of every individual party.

  • Picking candidates and Distributed Sieving.
    1. Each party $P_i$ picks two secret numbers $p_i$ and $q_i$.
    2. All parties determine, using the distributed sieving method, whether the sums $p = \sum_{i=1}^{n} p_i$ and $q = \sum_{i=1}^{n} q_i$ are not divisible by any prime number between 0 and some bound $B_1$. If either is, the protocol returns to part 1 of this stage. Note that the values of p and q remain totally unknown to all parties.

  • N Computation: All parties come together to carry out the distributed computation of

$$N = \left( \sum_{i=1}^{n} p_i \right) \left( \sum_{i=1}^{n} q_i \right)$$

N is public but $p_1, \dots, p_n$ and $q_1, \dots, q_n$ remain private.

  • Trial Division: This stage makes sure that N is not divisible by any number between $B_1$ and $B_2$, both agreed by all parties.
  • Primality Test: The extended Fermat primality test is used to determine whether N is a product of two prime numbers. If the test fails, the protocol returns to the first stage, Picking candidates and Distributed Sieving.
  • Private Key Generation: Having computed N and a public encryption exponent e, each party now computes its own private additive share $d_i$ of the decryption key d, so that:

$$d = \sum_{i=1}^{n} d_i + x \qquad \text{and} \qquad de \equiv 1 \pmod{\varphi(N)}$$

Note that x is not known at this point.

  • Trial Decryption: x can be proved to lie in the range [0, n], so we can easily determine it by a trial decryption. This part is also responsible for eliminating candidates for N that passed the above Primality Test but are not actually a product of two large prime numbers.

Thus, the main advantages of the scheme over previous protocols are that it does not require a trusted third party and still generates the public/private key pairs efficiently. The main disadvantage is that the protocol is fully interactive in every single stage, and all parties need to know each other’s identities.

5.2 Scheme Definition

5.2.1 Picking candidates and Distributed Sieving:

The purpose of distributed sieving is to make sure that the sums of all parties’ shares, $p = \sum_{i=1}^{n} p_i$ and $q = \sum_{i=1}^{n} q_i$, are not divisible by any prime number between 2 and some bound $B_1$. In order to achieve this goal, all participants must first agree on the bound $B_1$ and compute M as the product of all prime numbers between n, the number of parties, and $B_1$:

$$M = \prod_{j=1}^{t} m_j$$

where $n < m_1 < m_2 < \cdots < m_t \le B_1$ and $m_j$ is prime for all $j = 1, \dots, t$.

Then each party $P_i$ picks a random secret integer $a_i$ relatively prime to M, so that the product across all parties is also relatively prime to M:

$$a = \prod_{i=1}^{n} a_i, \qquad \gcd(a_i, M) = 1 \text{ for all } i = 1, \dots, n \quad \Rightarrow \quad \gcd(a, M) = 1$$

However, what we want is that each party $P_i$ keeps $p_i$ secret and

$$a = a_1 \cdots a_n = p_1 + \cdots + p_n$$

That is equivalent to converting a multiplicative sharing $(a_1, \dots, a_n)$ into an additive sharing $(p_1, \dots, p_n)$, and it is done iteratively as follows:

  • Step 1: Initially we have:

$$u_{1,i} = a_1 \text{ and } v_{1,i} = 1 \text{ for } i = 1, \qquad u_{1,i} = 0 \text{ and } v_{1,i} = 0 \text{ for } i \ne 1$$

Note that party $P_i$ keeps $a_i$ secret. All parties run the algorithm of section 4.3 on the input:

$$a_1 = (a_1 + 0 + \cdots + 0)(1 + 0 + \cdots + 0) = (u_{1,1} + \cdots + u_{1,n})(v_{1,1} + \cdots + v_{1,n}) \pmod M$$

The algorithm produces the following additive sharing:

5.2.3 Parallel Trial Division:

Once the parties have computed the public modulus N, they want to test that N is not divisible by any prime number between two bounds $B_1$ and $B_2$, where $B_2 > B_1$, before invoking the expensive primality test described in the next section. We can store the list of all these prime numbers as an array $s_1, s_2, \dots, s_t$ in each party permanently, so that

$$B_1 < s_1 < \cdots < s_t < B_2$$

In order to speed up the process by a factor of n, trial division is done in parallel: party i is in charge of testing that N is not divisible by any prime number $s_j$ in the above list with $j \equiv i \pmod n$ and $1 \le j \le t$. As a result of the n-fold increase in speed, we can use a large trial division bound $B_2$, which increases the effectiveness of trial division.

5.2.4 Load Balance Primality Test:

In this stage, all parties need to determine whether N is a product of two large prime numbers or not. This can be done using the extended Fermat primality test explained in section 3.2.2. It requires the cooperation of all parties, as follows:

  • Step 1: All parties agree on a random number g with $\gcd(g, N) = 1$.
  • Step 2: The i-th party computes:

$$v_i = \begin{cases} g^{N - p_1 - q_1 + 1} \pmod N & \text{if } i = 1 \\ g^{p_i + q_i} \pmod N & \text{if } i > 1 \end{cases}$$

and then publishes $v_i$. Note that because of the difficulty of solving the Discrete Logarithm Problem, an eavesdropper cannot find out the values of $p_i$ and $q_i$ for $i = 1, \dots, n$.

  • Step 3: Each party receives all $v_i$ for $i = 1, \dots, n$ and checks the equality:

$$v_1 = \prod_{i=2}^{n} v_i \pmod N$$

If the equality holds then all parties are nearly convinced that N is a product of two large prime numbers.

Proof:

$$g^{(p-1)(q-1)} = g^{pq - (p+q) + 1} = g^{N - \left( \sum_{i=1}^{n} p_i + \sum_{i=1}^{n} q_i \right) + 1} = g^{N - p_1 - q_1 + 1} \prod_{i=2}^{n} g^{-(p_i + q_i)} = \frac{v_1}{\prod_{i=2}^{n} v_i} \pmod N$$

So if both p and q are prime then

$$g^{(p-1)(q-1)} = g^{\varphi(N)} = 1 \pmod N$$

Therefore:

$$v_1 = \prod_{i=2}^{n} v_i \pmod N$$

Unfortunately, there are still cases where p and q are not both prime but $g^{(p-1)(q-1)} = 1 \pmod{pq}$; however, this happens only very rarely. Furthermore, all such cases will be eliminated by the trial decryption done at the very end of this protocol.

Load balance optimisation: In practice, we have to carry out this test with many different candidates for N to make sure that at least one of them is correct. As the reader might notice, the exponent $N - p_1 - q_1 + 1$ is twice as long as $p_i + q_i$, and therefore it takes party 1 longer to finish step 2 of the primality test. So it makes sense to assign this task equally to all parties when the number of candidates is large, to get a factor of 2 speed-up. For example, if there are $n \cdot t$ different candidates for N, then:

  • The first party will carry out this task for the first t candidates of N.
  • The second party will carry out this task for the next t candidates of N, and so on.
  • The n-th party will carry out this task for the last t candidates.
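The shared Fermat test of this section together with the load-balancing rule, as an added Python example (not the paper's code). It generalises the text slightly: the long exponent N − p_i − q_i + 1 may be taken by any party, which is what the rotation over candidates relies on. The shares (p = 61, q = 53, both prime; p = 63, composite), g = 2 and the value of t are constructed for the demo, and N is computed from the shares only for the simulation (in the protocol it comes from the N Computation stage).

```python
from math import gcd


def partial_values(g, p_shares, q_shares, n_mod, heavy):
    """Step 2: the party in slot `heavy` plays the role the text gives to
    party 1 and computes g^(N - p_i - q_i + 1); every other party computes
    g^(p_i + q_i).  All values are published."""
    vs = []
    for i, (pi, qi) in enumerate(zip(p_shares, q_shares)):
        exp = n_mod - pi - qi + 1 if i == heavy else pi + qi
        vs.append(pow(g, exp, n_mod))
    return vs


def check_equality(vs, n_mod, heavy):
    """Step 3: everyone verifies v_heavy = product of all other v_i (mod N).
    By the proof in the text this holds iff g^((p-1)(q-1)) = 1 (mod N)."""
    prod = 1
    for i, v in enumerate(vs):
        if i != heavy:
            prod = prod * v % n_mod
    return vs[heavy] == prod


def heavy_party(candidate_index, t, n):
    """Load balance: with n*t candidates, candidates 0..t-1 give the long
    exponent to party 0, the next t to party 1, and so on round-robin."""
    return (candidate_index // t) % n


def shared_fermat_test(g, p_shares, q_shares, candidate_index=0, t=1):
    """Run one candidate through the shared test; True means N = pq passed."""
    # Demo only: in the protocol N comes from the N Computation stage and
    # no party ever sees the other parties' shares.
    n_mod = sum(p_shares) * sum(q_shares)
    if gcd(g, n_mod) != 1:
        raise ValueError("g must be coprime to N")
    heavy = heavy_party(candidate_index, t, len(p_shares))
    vs = partial_values(g, p_shares, q_shares, n_mod, heavy)
    return check_equality(vs, n_mod, heavy)


if __name__ == "__main__":
    # p = 61, q = 53 (both prime): passes.  p = 63 (composite), q = 53: fails.
    print(shared_fermat_test(2, [20, 30, 11], [17, 15, 21]))   # True
    print(shared_fermat_test(2, [30, 33], [20, 33]))           # False
```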

5.2.5 Private Key Generation:

At this point in the scheme, N has been computed and all parties agree on the public encryption exponent e. Now, they want to find their additive shares of the decryption exponent d. In other words, each party $P_i$ keeps $d_i$ secret and:

$$d = \sum_{i=1}^{n} d_i \pmod N, \qquad ed \equiv 1 \pmod{\varphi(N)}$$

Nobody knows $\varphi(N)$ or d. This can be achieved by the following algorithm:

  • Step 1: All parties generate a share of $\varphi(N)$ by setting:

$$\varphi_i = \begin{cases} N - (p_1 + q_1) + 1 & \text{if } i = 1 \\ -(p_i + q_i) & \text{if } i > 1 \end{cases}$$

So

$$\varphi(N) = (p-1)(q-1) = N - \sum_{i=1}^{n} p_i - \sum_{i=1}^{n} q_i + 1 = \sum_{i=1}^{n} \varphi_i$$

  • Step 2: By using Benaloh’s protocol described in section 4.2 on input $\varphi_1, \varphi_2, \dots, \varphi_n$, all parties can find:

$$\psi = \varphi(N) \pmod e = \sum_{i=1}^{n} \varphi_i \pmod e \qquad \text{and} \qquad \psi^{-1} \pmod e$$

As the public encryption exponent e is small, only a few bits are leaked in this stage of the protocol.
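Benaloh's protocol from section 4.2, applied as in step 2 above to obtain $\psi = \varphi(N) \bmod e$ and $\psi^{-1} \bmod e$ from the additive shares $\varphi_i$: an added Python example serving both passages (not the paper's code). The shares of p = 61 and q = 53 and the exponent e = 17 are constructed; the protocol runs with M = e, so only $\varphi(N) \bmod e$ becomes public, and each $P_j$ learns nothing beyond its column of summands and the broadcast sums.

```python
from random import randrange


def split(secret, n, m):
    """Step 1: P_i splits s_i into n summands s_{i,1..n} modulo M by picking
    n-1 of them at random and fixing the last so that they add up to s_i."""
    parts = [randrange(m) for _ in range(n - 1)]
    parts.append((secret - sum(parts)) % m)
    return parts


def benaloh_sum(secrets, m):
    """Compute sum(secrets) mod M; P_j only ever sees one summand of each
    other party's share plus the n broadcast column sums."""
    n = len(secrets)
    # Steps 1-2: matrix[i][j] is s_{i,j}, sent privately from P_i to P_j
    matrix = [split(s, n, m) for s in secrets]
    # Step 3: P_j adds the column addressed to it and broadcasts hat s_j
    hats = [sum(matrix[i][j] for i in range(n)) % m for j in range(n)]
    # Step 4: everyone adds the n broadcast values
    return sum(hats) % m


def phi_mod_e(p_shares, q_shares, e):
    """Section 5.2.5, steps 1-2: form the phi_i shares and run Benaloh's
    protocol modulo e to get psi = phi(N) mod e and its inverse mod e."""
    # Demo only: N is derived from the shares here; in the protocol it is
    # the public output of the N Computation stage.
    n_mod = sum(p_shares) * sum(q_shares)
    phis = [n_mod - (p_shares[0] + q_shares[0]) + 1]
    phis += [-(pi + qi) for pi, qi in zip(p_shares[1:], q_shares[1:])]
    psi = benaloh_sum(phis, e)
    return psi, pow(psi, -1, e)


if __name__ == "__main__":
    # phi(N) = 60 * 52 = 3120 and 3120 mod 17 = 9, with 9 * 2 = 1 (mod 17)
    print(phi_mod_e([20, 30, 11], [17, 15, 21], 17))   # (9, 2)
```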