FAST DISTRIBUTED RSA KEY GENERATION FOR FAST DISTRIBUTED RSA KEY - - PowerPoint PPT Presentation

fast distributed rsa key generation for fast distributed
SMART_READER_LITE
LIVE PREVIEW

FAST DISTRIBUTED RSA KEY GENERATION FOR FAST DISTRIBUTED RSA KEY - - PowerPoint PPT Presentation

Oct 05, 2023 192 likes •461 views

Making malicious security orders of magnitude more efficient than previous efficient than previous FAST DISTRIBUTED RSA KEY GENERATION FOR FAST DISTRIBUTED RSA KEY GENERATION FOR semi-honest SEMI-HONEST AND MALICIOUS ADVERSARIES Tore

slide-1
SLIDE 1

FAST DISTRIBUTED RSA KEY GENERATION FOR

Making malicious security

  • rders of magnitude more

efficient than previous

FAST DISTRIBUTED RSA KEY GENERATION FOR SEMI-HONEST AND MALICIOUS ADVERSARIES

Tore Frederiksen3, Yehuda Lindell1,2, Valery Osheter2, Benny Pinkas1

efficient than previous semi-honest

15 min vs. 41 sec 1: 2: 15 min vs. 41 sec 3:

slide-2
SLIDE 2
  • Introduction

OUTLINE

  • Semi-honest construction
  • Malicious construction
  • Efficiency
  • Conclusion
  • Conclusion

06-10-2018 Page 2

slide-3
SLIDE 3

INTRODUCTION – PUBLIC KEY ENCRYPTION

m

06-10-2018 Page 3

m

slide-4
SLIDE 4

INTRODUCTION – DISTRIBUTED PKE

m

06-10-2018 Page 4

slide-5
SLIDE 5

INTRODUCTION – MOTIVATION

  • Sometimes it can also be used for distributed signature

schemes schemes

– Which is an end in itself

  • Relevant for MPC protocols

– CDN01, semi-homomorphic PKE – DPSZ12, somewhat-homomorphic PKE

06-10-2018 Page 5

– DPSZ12, somewhat-homomorphic PKE

  • Cloud based key management

– –

slide-6
SLIDE 6

INTRODUCTION – RSA

  • 06-10-2018

Page 6

slide-7
SLIDE 7

INTRODUCTION – DISTRIBUTED RSA

  • 06-10-2018

Page 7

slide-8
SLIDE 8

INTRODUCTION – DISTRIBUTED RSA

  • 06-10-2018

Page 8

slide-9
SLIDE 9

INTRODUCTION – INTUITION

Candidate generation Candidate generation Construct modulus

06-10-2018 Page 9

Verify modulus Construct keys

slide-10
SLIDE 10
  • Introduction

OUTLINE

  • Semi-honest construction
  • Malicious construction
  • Efficiency
  • Conclusion
  • Conclusion

06-10-2018 Page 10

slide-11
SLIDE 11

SEMI-HONEST – CANDIDATE GENERATION

  • 06-10-2018

Page 11

slide-12
SLIDE 12

SEMI-HONEST – CONSTRUCT MODULUS

  • 06-10-2018

Page 12

slide-13
SLIDE 13

SEMI-HONEST – VERIFY MODULUS

  • Biprimality test [BF01]

False positive positive prob ½

06-10-2018 Page 14

Repeat

slide-14
SLIDE 14

SEMI-HONEST – CONSTRUCT KEYS

  • 06-10-2018

Page 16

slide-15
SLIDE 15
  • Introduction

OUTLINE

  • Semi-honest construction
  • Malicious construction
  • Efficiency
  • Conclusion
  • Conclusion

06-10-2018 Page 17

slide-16
SLIDE 16

MALICIOUS – IDEA

  • Allow adversary to fail good candidates
  • Accepted key must be “good” without leakage
  • Accepted key must be “good” without leakage
  • Selective failure prevention
  • Input consistency
  • Correctness of biprimality

06-10-2018 Page 18

  • Correctness of biprimality
slide-17
SLIDE 17

MALICIOUS – STEPS

  • Selective failure prevention

– Do OT on random, linear encoding – Do OT on random, linear encoding – Use linearity to obtain correct product – Randomness ensures leakage on encoding does not leak on input

  • Input consistency

– Commitments based on AES encryption – Zero-knowledge of correct encryption – Very efficient commit-many-open-few

06-10-2018 Page 19

– Very efficient commit-many-open-few

  • Correctness of biprimality (zero-knowledge)

– Almost standard proof-of-knowledge of discrete log – Few “commitments” on top to ensure composability

slide-18
SLIDE 18

MALICIOUS – CONSISTENCY

  • “Commitment” by encrypting using AES
  • Efficient commit-many-open-few

06-10-2018 Page 21

slide-19
SLIDE 19

MALICIOUS – VERIFY MODULUS

06-10-2018 Page 22

slide-20
SLIDE 20

MALICIOUS – VERIFY MODULUS

Zero-knowledge

06-10-2018 Page 23

slide-21
SLIDE 21
  • Introduction

OUTLINE

  • Semi-honest construction
  • Malicious construction
  • Efficiency
  • Conclusion
  • Conclusion

06-10-2018 Page 24

slide-22
SLIDE 22

EFFICIENCY – IMPLEMENTATION 2048 RSA

  • 06-10-2018

Page 26

slide-23
SLIDE 23

IMPLEMENTATION – EXPERIMENTS

  • Azure using multi-threaded Xeon machine
  • Single-thread min 56, max 598, average 182 seconds

Malicious!

  • 8-thread, average 41 seconds
  • Best previous 15 minutes for semi-honest [HMR+12]

Phase Percentage Candidate generation 10 Construct modulus 55

06-10-2018 Page 27

Construct modulus 55 Verify modulus 6 Zero-knowledge 16* Other 13

slide-24
SLIDE 24
  • Introduction

OUTLINE

  • Semi-honest construction
  • Malicious construction
  • Efficiency
  • Conclusion
  • Conclusion

06-10-2018 Page 28

slide-25
SLIDE 25
  • New protocol for malicious distributed RSA generation

– Malicious security almost for free

CONCLUSION

– Malicious security almost for free – No specific number theoretic assumptions – Implementation

  • New efficient commit-many-open-few protocol
  • Effective selective failure prevention for multiplication using OT

06-10-2018 Page 29

slide-26
SLIDE 26

Thank you for your attention!

Tore Frederiksen Cryptography Engineer tore.frederiksen@alexandra.dk

Cutting-edge IT research and technology