This document delves into the realm of threshold cryptography, exploring techniques for secure key sharing and signature generation in distributed environments. It focuses on shared RSA schemes, where decryption is distributed among multiple parties, and on multi-party computation protocols, enabling collaborative computation without revealing individual inputs. It gives detailed explanations of algorithms, proofs, and practical considerations for implementing these cryptographic techniques.
Dept. of Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United Kingdom. [email protected]
Abstract
In this project, a new threshold signing scheme for RSA has been proposed. The scheme does not require a trusted third party and no secret information is leaked throughout the protocol. The time and storage complexity of the protocol is linear in the number of parties and no restriction is placed on the RSA moduli. Combined with the n-out-of-n key generation protocol of Boneh and Franklin, one has a complete solution for the threshold RSA problem with no trusted dealer. The complete protocol has also been implemented, and a paper has been written and submitted to a conference on cryptography and coding.
Threshold decryption has been studied extensively over the last two decades. It is a branch of public key cryptography in general, and of multi-party computation in particular. Essentially, in a k-out-of-n threshold crypto-system, denoted (k, n) where 1 < k ≤ n, for the RSA function [31], our aim is to generate and then split the secret decryption/signing exponent d into n different pieces, which are then distributed privately to n parties. This enables:
The area of threshold cryptography was pioneered by Adi Shamir in his 1978 paper [32]; however, the idea only took off when the problem was formally stated by Desmedt in [13]. Since then there has been much work devoted to the topic, such as Desmedt and Frankel [14], Pedersen [29], Gennaro et al. [21], and many more. However, the majority of these solutions are only for discrete logarithm based systems, which have a direct application to the Elgamal encryption and decryption algorithm [16]. The reason why discrete logarithm based threshold systems are easier to design is that the group in which one works has a publicly known order. In the RSA signature scheme, by contrast, the group we are working in has an unknown group order, and so various technical problems arise. For example, standard polynomial interpolation over the ring $\mathbb{Z}_{\varphi(N)}$ is hard as no party knows φ(N). Another problem is that it is relatively easy to generate a shared discrete logarithm public/private key pair, but it is harder to generate a shared RSA public/private key pair in an n-out-of-n threshold scheme without the presence of a trusted third party. However, there was a breakthrough in the area of shared RSA key generation when both Boyd [7] and Frankel [19] independently proposed a simple and elegant solution for distributed RSA. The decryption key d is additively shared amongst n parties, d = d_1 + d_2 + ··· + d_n, and signing is simply done as follows:
$$s = m^{d} = m^{d_1} \cdots m^{d_n} \pmod N,$$
and each $s_i = m^{d_i} \pmod N$ is called the partial signature or signature share. Extending this idea, a number of new schemes for shared RSA key generation were proposed; for example, a complete solution for this problem was given in [11]. Unfortunately, the modulus N was assumed to be generated by a trusted dealer. The dealer can therefore forge a signature on a message of his or her choosing. General secure circuit evaluation techniques, presented in [4, 8, 22, 34], can also be used, since a primality test can be expressed as a boolean circuit. However, this idea was too inefficient to be implemented in practice. So far, the best solution for this problem is probably the one built by Boneh and Franklin [5, 6], which does not require a trusted third party, and which can efficiently generate shared RSA keys that satisfy the above property. This solution is also the one we have studied and implemented in the first half of this project.
The drawback of the scheme is that it only gives us an n-out-of-n threshold decryption that cannot be switched easily into a k-out-of-n threshold scheme. In trying to solve the last piece of this problem, a number of threshold schemes for RSA have been proposed in the literature; most notable are Rabin's [30] and Shoup's [33] schemes. In Rabin's protocol, the author uses Shamir secret sharing to share the secret, but on signing the k signing parties need to interact so as to recover the secrets of the non-signing parties. This removes the problem of working in a group of unknown order, but means the scheme leaks information about the additive shares of various parties. To get around this problem a share-refreshing protocol is given. All parts of Rabin's scheme require a large amount of interaction between the various parties. Taking a different approach, Shoup provides a framework that leads to the possibility of applying the protocol in practice, where dealing, signature share generation, signature share verification and signature share combining are separated from each other, and only the first part, i.e. dealing, requires interaction of the various parties. The scheme Shoup proposes is then fully non-interactive, bar the initial dealing phase. However, the drawbacks of his scheme are that it requires both a trusted dealer and strong RSA moduli. Hence, Shoup's scheme cannot be applied with the Boneh and Franklin shared key generation protocol. In this project we give a new RSA threshold scheme [25] which does not require trusted dealers and which can be applied with the Boneh and Franklin shared key generation protocol. In addition we try to minimise the amount of interaction required between the parties and we eliminate the need for a share refreshing stage of the protocol.
Barnett and Smart in [1] where all players must agree to decrypt a card in order to do so.
There are many proposed identification schemes, notably Guillou-Quisquater [23], Fiat-Shamir [18] and their extended and modified versions in [17, 20, 26, 27], that are achieved by asking a dealer to generate the RSA modulus N. Clearly, the dealer must be trusted to generate N correctly as well as to keep the secrets from all parties, and in real life this is too strong an assumption. The protocol implemented by me will be able to eliminate the need for the trusted party, since all parties can generate the modulus N by themselves without learning the secret in the meantime.
There are two hard problems, factoring large numbers and the discrete logarithm, which we are going to describe in this section. Everything in this protocol is based on the assumption that these two problems are computationally infeasible, i.e. cannot be solved in polynomial time.
3.1.1 Factoring Problem
The problem states that given a big number, about 1000 bits, it is computationally infeasible to factorise the number into prime factors. The best known algorithm has exponential complexity in terms of the number of bits of the number. For example: if N = pq where p and q are big prime numbers (500 bits) then it is hard to find p and q given the value of N. This problem will be the basis of the security of the RSA encryption and decryption scheme.
3.1.2 Discrete Logarithm Problem
Given a big number N, of size 1000 bits, and y, g in the interval [1, ···, (N − 1)] where gcd(g, N) = 1, it is hard to find x that satisfies the equation:
$$y = g^{x} \pmod N$$
This problem will be the basis of threshold decryption and the signing scheme implemented in this project.
Euler's theorem is probably one of the most important theorems used in public key cryptography.
3.2.1 Euler Theorem
Given a number $N = p_1^{a_1} p_2^{a_2} \cdots p_n^{a_n}$ where $p_1, \cdots, p_n$ are prime numbers, there are exactly φ(N) numbers between 1 and (N − 1) that are co-prime to N, where:
$$\varphi(N) = \prod_{i=1}^{n} p_i^{a_i - 1}(p_i - 1)$$
3.2.2 RSA case
When N = pq, we have φ(N) = (p − 1)(q − 1) and for any e co-prime to N it satisfies that:
$$e^{\varphi(N)} = 1 \pmod N$$
An interesting direct result of this case is that it gives us a way to test whether or not a number is a product of two large prime numbers indirectly. The method will be explained in more detail in section 5.2.4 as it actually forms the primality testing stage of this protocol.
The reader might wonder how we can generate a scheme like this without the help of a trusted third party and still keep p, q, and d secret from everyone in the world. The answer is that such a scheme is exactly what we want to achieve with the n-out-of-n shared key generation protocol in the first half of this project. For now, I shall assume that we have achieved these properties and I am going to show you two different ways to encrypt a message and decrypt a ciphertext, based on the Discrete Logarithm Problem and on RSA-Paillier as presented in [28].
3.4.1 Discrete Logarithm Approach
As the name implies, this approach is based on the difficulty of the Discrete Logarithm problem.
$$m = \prod_{i=1}^{n} m_i \pmod N$$
Proof:
$$m = m_1 m_2 \cdots m_n = c^{d_1} c^{d_2} \cdots c^{d_n} = c^{\sum_{i=1}^{n} d_i} = c^{d} = m^{ed} = m \pmod N$$
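As an added worked example (my own code, not the report's or the Boneh and Franklin implementation), here is the additive n-out-of-n scheme from the proof above: d is split into d_1 + ··· + d_n, each party raises to its own share, and the partial results are multiplied. The primes P and Q are constructed toy values far too small for real use, present only so the combined signature can be checked against plain RSA.

```python
import secrets

# Constructed toy parameters: 17-bit primes so the run is instant. In the
# real protocol nobody knows p, q, phi or d; they are written out here only
# so that the combination step can be checked against a plain RSA signature.
P, Q = 104723, 104729
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # e*d = 1 (mod phi(N))

def share_exponent(d, n, phi):
    """Additive sharing d = d_1 + ... + d_n (mod phi): n-1 random shares, the last one fixed."""
    shares = [secrets.randbelow(phi) for _ in range(n - 1)]
    shares.append((d - sum(shares)) % phi)
    return shares

def partial_signature(m, d_i, modulus):
    """Signature share s_i = m^{d_i} (mod N), computed by party P_i alone."""
    return pow(m, d_i, modulus)

def combine(partials, modulus):
    """s = s_1 * ... * s_n (mod N) = m^{d_1 + ... + d_n} = m^d (mod N)."""
    s = 1
    for s_i in partials:
        s = s * s_i % modulus
    return s

def verify(m, s, e, modulus):
    """Public check s^e = m (mod N)."""
    return pow(s, e, modulus) == m % modulus

def threshold_sign(m, n):
    """Run the whole n-out-of-n flow; returns (signature, verified, equals_plain_rsa)."""
    shares = share_exponent(D, n, PHI)
    partials = [partial_signature(m, d_i, N) for d_i in shares]
    s = combine(partials, N)
    return s, verify(m, s, E, N), s == pow(m, D, N)

def missing_share_fails(m, n):
    """With one share withheld the product is not a valid signature (hence n-out-of-n)."""
    shares = share_exponent(D, n, PHI)
    partials = [partial_signature(m, d_i, N) for d_i in shares]
    return not verify(m, combine(partials[1:], N), E, N)

if __name__ == "__main__":
    print(threshold_sign(123456789, 4))
```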
An alternate way to do encryption and decryption can be based on Elgamal algorithm [16].
3.4.2 RSA Paillier Approach
This scheme has been recently proposed in [28] for a single party and extended to deal with multiple participants in another paper of Barnett and Smart [1]. All the parties generate a share of φ = (p − 1)(q − 1) by setting:
$$x_i = \begin{cases} N - (p_1 + q_1) + 1 & \text{if } i = 1 \\ -(p_i + q_i) & \text{if } i > 1 \end{cases}$$
Note that $\varphi = \sum_{i=1}^{n} x_i$. The parties then commit to the value $x_i$ by publishing $h_i = g^{x_i} \pmod{N^2}$ where g = N + 1. They then set publicly:
$$h = \prod_{i=1}^{n} h_i - 1 \pmod{N^2} = g^{\varphi} - 1 \pmod{N^2}$$
$$c = g^{m} r^{N} \pmod{N^2}$$
$$m = \frac{\left(\prod_{i=1}^{n} m_i\right) - 1 \pmod{N^2}}{h} \pmod N$$
4.1.1 Modulo non-prime
In the previous case, M is chosen as a prime number. In fact, the scheme still works as long as M is composite and does not have any prime factor that is smaller than or equal to the number of servers. The reader will see this case applied in the Distributed Sieving stage of the protocol.
4.1.2 Sharing the final outcome
Note that the additive share $s_j = b_j y_j = \left(\prod_{1 \le h \le w,\, h \ne j} \frac{x_h}{x_h - x_j}\right) y_j$ can be computed privately by party P_j. Therefore, the secret s can be additively shared amongst the servers rather than being made publicly available. As a result, the servers no longer perform step 3 of the Shamir Secret Sharing scheme above.
Suppose each of the n parties has a secret share, s_i. They wish to compute $s = \sum_{i=1}^{n} s_i \pmod M$ without revealing any further information about their secret shares modulo M. This can be done by Benaloh's protocol developed in [3], which is (n − 2) private, and it works as follows:
Party P_i splits s_i into sub-shares with $s_i = \sum_{j=1}^{n} s_{i,j} \pmod M$. For example, party P_i chooses (n − 1) random numbers, $s_{i,1}, \cdots, s_{i,(n-1)}$ and sets:
$$s_{i,n} = \left(s_i - \sum_{j=1}^{n-1} s_{i,j}\right) \pmod M$$
$$\hat{s}_j = \sum_{i=1}^{n} s_{i,j} \pmod M$$
And then broadcasts $\hat{s}_j$ to all other parties.
$$s = \sum_{i=1}^{n} \hat{s}_i \pmod M$$
Proof:
$$s = \sum_{i=1}^{n} s_i = \sum_{i=1}^{n}\left(\sum_{j=1}^{n} s_{i,j}\right) = \sum_{j=1}^{n}\left(\sum_{i=1}^{n} s_{i,j}\right) = \sum_{j=1}^{n} \hat{s}_j \pmod M$$
The scheme is (n − 2) private, as if (n − 1) parties collude then they will be able to find out the share of the single remaining party modulo M.
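An added simulation of Benaloh's sum protocol as described above (example code written for this page, not from [3] or the report); all n parties are simulated in one process, and the last function shows why the scheme is only (n − 2) private. The modulus M and the shares used in the test are constructed values.

```python
import secrets

def split_share(s_i, n, M):
    """Step 1: P_i splits s_i into n sub-shares with s_i = sum_j s_{i,j} (mod M)."""
    row = [secrets.randbelow(M) for _ in range(n - 1)]
    row.append((s_i - sum(row)) % M)
    return row

def benaloh_sum(secret_shares, M):
    """Return (s, sub, hat): the public sum, the private sub-share matrix and the broadcasts."""
    n = len(secret_shares)
    sub = [split_share(s_i, n, M) for s_i in secret_shares]   # sub[i][j] = s_{i,j}
    # Step 2: s_{i,j} is sent privately to P_j, who sums its column and broadcasts ŝ_j.
    hat = [sum(sub[i][j] for i in range(n)) % M for j in range(n)]
    # Step 3: every party adds up the broadcasts: s = sum_j ŝ_j (mod M).
    return sum(hat) % M, sub, hat

def colluders_recover(sub, hat, victim, M):
    """n-1 colluding parties recover the remaining party's share (the (n-2) privacy bound).
    They know every s_{i,j} except s_{victim,victim}, and ŝ_victim is public."""
    n = len(hat)
    known_column = sum(sub[i][victim] for i in range(n) if i != victim) % M
    s_vv = (hat[victim] - known_column) % M          # solve ŝ_victim for the one unknown
    return (sum(sub[victim][j] for j in range(n) if j != victim) + s_vv) % M
```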
The reader can skip this section and come back to it later when she has got to the Distributed Sieving and N Computation stages of the protocol. This protocol was originally invented by Ben-Or, Goldwasser and Wigderson in [4]. The following protocol is a simplified version of it. This protocol makes use of Shamir Secret Sharing scheme, and therefore the reader is strongly recommended to understand Shamir's scheme first before attempting to read this one. Suppose each one of n parties has p_i, q_i. They wish to compute:
$$N = \left(\sum_{i=1}^{n} p_i\right)\left(\sum_{j=1}^{n} q_j\right)$$
without revealing any further information about their secret shares, p_i and q_i. That means at the end of the protocol, N is made public but p_i and q_i are known only to party P_i. In addition, $p = \sum_{i=1}^{n} p_i$ and $q = \sum_{j=1}^{n} q_j$ are also unknown to all parties. Let M be a big number, M > N, such that M does not have any prime factor that is smaller than or equal to the number of parties. Unless otherwise stated, all arithmetic operations are done modulo M.
$$f_i(x) = p_i + \sum_{j=1}^{l} a_{i,j} x^{j}, \qquad g_i(x) = q_i + \sum_{j=1}^{l} b_{i,j} x^{j}, \qquad h_i(x) = \sum_{j=1}^{2l} c_{i,j} x^{j}$$
and therefore we have for all i = 1, ···, n: f_i(0) = p_i, g_i(0) = q_i and h_i(0) = 0. They compute the following for all j = 1, ···, n:
$$f_{i,j} = f_i(j), \qquad g_{i,j} = g_i(j), \qquad h_{i,j} = h_i(j)$$
$$N_j = \left(\sum_{i=1}^{n} f_{i,j}\right)\left(\sum_{i=1}^{n} g_{i,j}\right) + \sum_{i=1}^{n} h_{i,j} = \left(\sum_{i=1}^{n} f_i(j)\right)\left(\sum_{i=1}^{n} g_i(j)\right) + \sum_{i=1}^{n} h_i(j)$$
Party P_j publishes N_j to everyone in the scheme.
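An added simulation of the simplified BGW multiplication above (my own code, not the report's implementation): every party's f_i, g_i and h_i are generated, the evaluations at j are exchanged, each P_j forms N_j, and N is recovered by Lagrange interpolation at 0. It assumes M is a prime (2^61 − 1, a constructed choice) so that all divisions exist; the page's composite-M variant would also work, since every denominator is a product of differences smaller than n.

```python
import secrets

M = 2**61 - 1   # constructed modulus: a prime larger than N, so every inverse used below exists

def random_poly(constant, degree):
    """Shamir-style polynomial with the given constant term and random higher coefficients mod M."""
    return [constant] + [secrets.randbelow(M) for _ in range(degree)]

def evaluate(coeffs, x):
    """Evaluate the polynomial (coefficient list, lowest degree first) at x, mod M."""
    return sum(c * pow(x, k, M) for k, c in enumerate(coeffs)) % M

def interpolate_at_zero(points):
    """Lagrange interpolation of the unique polynomial through the points, evaluated at x = 0."""
    result = 0
    for xj, yj in points:
        num, den = 1, 1
        for xh, _ in points:
            if xh != xj:
                num = num * (-xh) % M
                den = den * (xj - xh) % M
        result = (result + yj * num * pow(den, -1, M)) % M
    return result

def distributed_product(p_shares, q_shares):
    """Simulate all n parties: returns N = (sum p_i)(sum q_i) mod M while no party ever
    adds up the p_i or q_i themselves; only polynomial evaluations travel between parties."""
    n = len(p_shares)
    l = (n - 1) // 2            # degree bound: 2l < n, so n points determine the degree-2l product
    f = [random_poly(p_i, l) for p_i in p_shares]          # f_i(0) = p_i
    g = [random_poly(q_i, l) for q_i in q_shares]          # g_i(0) = q_i
    h = [random_poly(0, 2 * l) for _ in range(n)]          # h_i(0) = 0, re-randomises the product
    published = []
    for j in range(1, n + 1):   # party P_j receives f_i(j), g_i(j), h_i(j) from every P_i
        F = sum(evaluate(f[i], j) for i in range(n)) % M
        G = sum(evaluate(g[i], j) for i in range(n)) % M
        H = sum(evaluate(h[i], j) for i in range(n)) % M
        published.append((j, (F * G + H) % M))   # N_j, which P_j publishes
    # The N_j lie on the degree-2l polynomial (sum f_i)(sum g_i) + sum h_i, whose value at 0 is pq.
    return interpolate_at_zero(published)
```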
In this section, I would like to give the reader a high level overview of the protocol before going into a detailed discussion of each stage. What the protocol wants to achieve is that multiple parties, say n, will come together to generate a modulus N and make N and the encryption exponent, e, public. Nobody knows the prime factors of N but everyone is convinced that N is a product of two large prime numbers. The scheme is an n-out-of-n threshold scheme, which means decryption requires the presence of all parties because each party keeps an additive share, d_i, of the decryption exponent, d. As a result, this scheme allows a new Threshold Signing Scheme, (k, n), to be added later on in this project. Also note that the value of d is unknown to all parties and remains so after any number of decryptions. Throughout the protocol, a trusted third party is not required and all stages in the protocol need the contribution of all individual parties.
$p = \sum_{i=1}^{n} p_i$ and $q = \sum_{i=1}^{n} q_i$ are not divisible by any prime number between 0 and some bound, B1, by using the distributed sieving method. If they are, the protocol goes back to part (1) of this stage. Note that the values of p and q remain totally unknown to all parties.
$$N = \left(\sum_{i=1}^{n} p_i\right)\left(\sum_{i=1}^{n} q_i\right)$$
N is public but $p_1, \cdots, p_n$ and $q_1, \cdots, q_n$ remain private.
$$d = \sum_{i=1}^{n} d_i + x \quad \text{and} \quad de = 1 \pmod{\varphi(N)}$$
Note that x is not known at the moment.
Thus, the main advantages of the scheme over previous protocols are that it does not require a trusted third party, and it can still generate the public/private key pairs efficiently. The main disadvantage is that the protocol is fully interactive in every single stage, as all parties need to know the identities of each other.
5.2.1 Picking candidates and Distributed Sieving:
The purpose of distributed sieving is to make sure that the sums of all parties' shares, $p = \sum_{i=1}^{n} p_i$ and $q = \sum_{i=1}^{n} q_i$, are not divisible by any prime number between 2 and some bound B1. In order to achieve this goal, firstly all participants must agree on the bound B1 and compute M as the product of all prime numbers between n, the number of parties, and B1:
$$M = \prod_{j=1}^{t} m_j$$
where $n < m_1 < m_2 < \cdots < m_t \le B_1$ and $m_j$ is prime for all j = 1, ···, t.
Then each party P_i picks a random secret integer a_i relatively prime to M, so that their product across all parties is also relatively prime to M:
$$a = \prod_{i=1}^{n} a_i, \qquad \gcd(a_i, M) = 1 \text{ for all } i = 1, \cdots, n \;\Rightarrow\; \gcd(a, M) = 1$$
However, what we want is that each party P_i keeps p_i secret and
$$a = a_1 \cdots a_n = p_1 + \cdots + p_n$$
That is equivalent to converting a multiplicative sharing $(a_1, \cdots, a_n)$ into an additive sharing $(p_1, \cdots, p_n)$, and it is done iteratively as follows:
Note that party P_i keeps a_i secret. All parties run the algorithm of section 4.3 on the input:
$$a_1 = (a_1 + 0 + \cdots + 0)(1 + 0 + \cdots + 0) \pmod M = (u_{1,1} + \cdots + u_{1,n})(v_{1,1} + \cdots + v_{1,n}) \pmod M$$
The algorithm produces the following additive sharing:
5.2.3 Parallel Trial Division:
Once the parties have computed the public modulus N, they want to test that N is not divisible by any prime number between two bounds, B1 and B2 where B2 > B1, before invoking the expensive primality test described in the next section. We can store the list of all these prime numbers as an array $s_1, s_2, \cdots, s_t$ in each party permanently. So
$$B_1 < s_1 < \cdots < s_t < B_2$$
In order to speed up the process by a factor of n, trial division is done in parallel. This means that party i is in charge of testing that N is not divisible by any prime number s_j in the above list for all j ≡ i (mod n) and 1 ≤ j ≤ t. As a result of the n-fold increase in speed, we can use a large trial division bound, B2, which then increases the effectiveness of trial division.
5.2.4 Load Balance Primality Test:
In this stage, all parties need to determine whether N is a product of two large prime numbers or not. This can be done by using the extended Fermat primality test explained in section 3.2.2. This requires the cooperation of all parties as follows:
$$v_i = \begin{cases} g^{N - p_1 - q_1 + 1} \pmod N & \text{if } i = 1 \\ g^{p_i + q_i} \pmod N & \text{if } i > 1 \end{cases}$$
and then publishes v_i. Note that because of the difficulty of solving the Discrete Logarithm Problem, an eavesdropper cannot find out the values of p_i and q_i for i = 1, ···, n.
$$v_1 = \prod_{i=2}^{n} v_i \pmod N$$
If the equality holds then all parties are nearly convinced that N is a product of two large prime numbers. Proof:
$$g^{(p-1)(q-1)} = g^{pq - (p+q) + 1} = g^{N - \left(\sum_{i=1}^{n} p_i + \sum_{i=1}^{n} q_i\right) + 1} = g^{N - p_1 - q_1 + 1} \prod_{i=2}^{n} g^{-(p_i + q_i)} = \frac{v_1}{\prod_{i=2}^{n} v_i} \pmod N$$
So if both p and q are prime then
$$g^{(p-1)(q-1)} = g^{\varphi(N)} = 1 \pmod N$$
Therefore:
$$v_1 = \prod_{i=2}^{n} v_i \pmod N$$
Unfortunately, there are still cases where p and q are not both prime but $g^{(p-1)(q-1)} = 1 \pmod{pq}$; however, this only happens very rarely. Furthermore, all such cases will be eliminated by the trial decryption done at the very end of this protocol.
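An added simulation of the distributed Fermat check (code written for this page, not the project's): each party computes its v_i from its own shares, and the acceptance condition v_1 = ∏_{i≥2} v_i is compared with the centralised g^{(p−1)(q−1)} = 1 (mod N) it stands for. The shares are constructed toy values whose sums are 17-bit primes (and, for the rejected case, a composite).

```python
# Constructed shares: three parties hold additive shares of p and q; nobody holds p or q.
P_SHARES = [50000, 30000, 24723]       # sum = 104723 (prime)
Q_SHARES = [40000, 40000, 24729]       # sum = 104729 (prime)
BAD_P_SHARES = [50000, 30000, 24725]   # sum = 104725 = 5^2 * 59 * 71 (composite)

def partial_values(N, p_shares, q_shares, g=2):
    """Step 2 of the test: v_1 = g^{N - p_1 - q_1 + 1}, v_i = g^{p_i + q_i} for i > 1 (all mod N).
    Each v_i depends only on the computing party's own shares, so it can be published."""
    v = [pow(g, N - p_shares[0] - q_shares[0] + 1, N)]
    for p_i, q_i in zip(p_shares[1:], q_shares[1:]):
        v.append(pow(g, p_i + q_i, N))
    return v

def accepts(v, N):
    """Final check v_1 = prod_{i>=2} v_i (mod N); by the proof above this is g^{(p-1)(q-1)} = 1."""
    prod = 1
    for v_i in v[1:]:
        prod = prod * v_i % N
    return v[0] == prod

def distributed_fermat(p_shares, q_shares, g=2):
    """Simulate all parties. N would come from the BGW stage; here it is just the product."""
    N = sum(p_shares) * sum(q_shares)
    return accepts(partial_values(N, p_shares, q_shares, g), N)

def centralised_check(p, q, g=2):
    """The same condition written with the secrets in one place, for comparison only."""
    return pow(g, (p - 1) * (q - 1), p * q) == 1

if __name__ == "__main__":
    print(distributed_fermat(P_SHARES, Q_SHARES), distributed_fermat(BAD_P_SHARES, Q_SHARES))
```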
Load balance optimisation: In practice, we have to carry out this test with many different candidates for N to make sure that at least one of them is correct. As the reader might notice, the length of (N − p_1 − q_1 + 1) is twice that of (p_i + q_i), and therefore it takes party 1 a longer time to finish step 2 of the primality test. So it makes sense to assign the task equally to all parties when the number of candidate N is large, to get a factor of 2 speed up. For example: if there are n ∗ t different N s, then:
5.2.5 Private Key Generation:
At this point in the scheme, N has been computed and all parties agree on the public encryption exponent, e. Now, they want to find their additive shares of the decryption exponent, d. In other words, each party i keeps d_i secret and:
$$\begin{cases} d = \sum_{i=1}^{n} d_i \pmod N \\ ed = 1 \pmod{\varphi(N)} \end{cases}$$
Nobody knows φ(N) and d. This can be achieved by the following algorithm:
$$\varphi_i = \begin{cases} N - (p_1 + q_1) + 1 & \text{if } i = 1 \\ -(p_i + q_i) & \text{if } i > 1 \end{cases}$$
So
$$\varphi(N) = (p-1)(q-1) = N - \sum_{i=1}^{n} p_i - \sum_{i=1}^{n} q_i + 1 = \sum_{i=1}^{n} \varphi_i$$
$$\psi = \varphi(N) \pmod e = \sum_{i=1}^{n} \varphi_i \pmod e \quad \text{and} \quad \psi^{-1} \pmod e$$
As the public encryption exponent e is small, only a few bits are leaked in this stage of the protocol.