scalable rsa modulus generation with a dishonest
play

Scalable RSA Modulus Generation with a Dishonest Majority Muthu - PowerPoint PPT Presentation

Jun 24, 2023 •562 likes •1.12k views

Scalable RSA Modulus Generation with a Dishonest Majority Muthu Venkitasubramaniam Ligero Inc. & University of Rochester Megan Chen, Carmit Hazay, Yuval Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, abhi shelat, Ruihan Wang

  1. Scalable RSA Modulus Generation with a Dishonest Majority Muthu Venkitasubramaniam Ligero Inc. & University of Rochester Megan Chen, Carmit Hazay, Yuval Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, abhi shelat, Ruihan Wang

  2. What is an RSA Modulus? Biprime - product of exactly two primes

  3. Why? RSA History • 1977 - RSA Public-Key Encryption • 1999 - Paillier Public-Key Encryption • 2001 - CRS for UC setting • 2018 - Verifiable Delay Functions (VDF) NIST Randomness Beacon Source: https://csrc.nist.gov/projects/interoperable-randomness-beacons

  4. Verifiable Delay Functions • [Rivest-Shamir-Wagner96] introduced Inherently Sequential functions (ISH) • 2018 - VDF constructions by Pietrzak, Wesolowski

  5. Goal Sample a biprime N where factorization “hidden” USE MPC!

  6. Desiderata Modulus size: 2048 bits • Threshold: n-1 corruption • # Participants: > 1000 • Party Spec: “ Lightweight ” • Bandwidth: < 5 Mbps • Security: 60-bit statistical security • 128-bit computational security

  7. Protocol Blueprint PASSIVE Step 1: Design protocol for corruptions Step 2: Upgrade security to tolerate ACTIVE corruptions

  8. Step 1: Scalable Passive Protocol

  9. Previous Works: Overview Corruption Milestone Work Adversary Parties Threshold First Work [BF97] Passive n >= 3 t < n/2 [FMY98] Active n t < n/2 [PS98] Active 2 t = 1 Based on OT [Gil99] Passive 2 t = 1 [ACS02] Passive n t < n/2 [DM10] Active 3 t = 1 [HMRT12] Active n t < n [FLOP18] Active 2 t = 1 [CCD+20] Active n t < n

  10. Boneh-Franklin Framework [BF97] p i , q i N 0,1 3. Biprimality 1. Candidates & 2. Mult Testing Trial division

  11. Boneh-Franklin Framework [BF97] p i , q i N 0,1 3. Biprimality 1. Candidates & 2. Mult Testing Trial division Parties choose p i , q i randomly

  12. Boneh-Franklin Framework [BF97] p i , q i N 0,1 3. Biprimality 1. Candidates & 2. Mult Testing Trial division Parties choose p i , q i randomly

  13. Boneh-Franklin Framework [BF97] p i , q i N 0,1 3. Biprimality 1. Candidates & 2. Mult Testing Trial division Parties choose Is N the product p i , q i randomly of two primes?

  14. [CCD+20] Passive Protocol p i , q i N 0,1 3. Biprimality 1. Candidates & 2. Mult Testing Trial division Parties choose Is N the product p i , q i randomly of two primes?

  15. [CCD+20] Passive Protocol p i , q i N 0,1 3. Biprimality 1. PRESIEVED 2. Mult Testing CANDIDATES Parties choose Is N the product p i , q i randomly of two primes?

  16. [CCD+20] Passive Protocol 1. Pre-sieving Secure Multiplication candidates Secure Multiplication 2. Mult Secure Multiplication 3. Biprimality Jacobi test [BF97] testing

  17. Secure Multiplication a 1 ,b 1 ∈ 𝔾 a 2 ,b 2 ∈ 𝔾 a 𝑜 , b n ∈ 𝔾 … MUL c 1 c n c 2

  18. Implementing Secure Multiplication • Oblivious Linear Evaluation (OLE) – Scales quadratic in # parties • Threshold Additively Homomorphic Encryption (TAHE) [CDN01] – Scales linearly in # parties • Our Approach: TAHE with verifiable coordinator – per-party comm. scales logarithmically in # parties

  19. Threshold AHE with a coordinator P i C p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  20. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  21. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  22. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  23. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  24. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  25. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  26. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  27. Threshold AHE with a coordinator P i C PK p i , q i sk i Parties’ secret shares Enc PK (p i ) Key Generation ∑Enc PK (p i ) Encrypt p i Enc PK (p) Coord. adds q i ⋅ Enc PK (p) Receive Enc(p) from Coord. ∑q i ⋅ Enc PK (p) Multiply by q i Enc PK (p ⋅ q) Coord. adds p ⋅ q Receive Enc( pq ) from Coord. Decrypted product

  28. [BF97]’s Distributed Biprimality Test 3. Biprimality 1. Candidates & 2. Mult Testing Trial division Test whether N is the product of two primes [BF97] • Jacobi Test (Dist “ Miller-Rabin" test) • GCD Test

  29. [BF97]’s Distributed Biprimality Test Test whether N is the product of two primes [BF97] • Jacobi Test (Dist “ Miller-Rabin" test) • GCD Test

  30. [BF97]’s Distributed Biprimality Test Test whether N is the product of two primes [BF97] • Jacobi Test (Dist “ Miller-Rabin" test) • GCD Test

  31. [BF97]’s Distributed Biprimality Test Test whether N is the product of two primes [BF97] • Jacobi Test (Dist “ Miller-Rabin" test) • GCD Test

  32. Step 2: Compile to full security

  33. GMW Paradigm P 1 P 2 x 1 ,r 1 x 2 ,r 2 m 1 m k . . .

  34. GMW Paradigm P 1 P 2 x 1 ,r 1 x 2 ,r 2 m 1 Commit Commit ZK m k . . . ZK

  35. Our Approach P 1 P 2 x 1 ,r 1 x 2 ,r 2 m 1 Commit Commit ZK m k . . . ZK

  36. Our Approach P 1 P 2 x 1 ,r 1 x 2 ,r 2 m 1 Commit Commit m k . . . ZK

  37. Our Protocol Commit to randomness Commitment Generate threshold keys Key Setup Sample pre-sieved primes Generate Candidates Use TAHE to compute candidates Compute Products Jacobi test Biprimality test Zero-knowledge proof Certification

  38. Verifiable Coordinator C • Coordinator performs only public operations • Sign every message • Post message on bulletin board

  39. Modular Proof (UC-security) Generate Beaver triples Passive Protocol (with triples) Certify triples

  40. Modular Proof (UC-security) ℱ 𝑑𝑓𝑠𝑢−𝑢𝑠𝑗𝑞𝑚𝑓 Passive Protocol (with triples) ℱ 𝑑𝑓𝑠𝑢−𝑢𝑠𝑗𝑞𝑚𝑓

  41. Certified Beaver Triples Functionality P i 𝑏 𝑘 𝑗 , 𝑐 𝑘 𝑗 , 𝑑 𝑘 Generate 𝑗 𝑘 ℱ 𝑑𝑓𝑠𝑢−𝑢𝑠𝑗𝑞𝑚𝑓 Relation 𝑆 𝑦, 𝑥 𝑦, 𝑆 𝑦, 𝑥, 𝑏 𝑘 𝑗 ,𝑐 𝑗 , 𝑑 𝑗 𝑘 𝑘 𝑘

  42. Realizing Certified Beaver Triples Functionality ℱ 𝑑𝑞 (commit) Commit and Prove Semi-malicious security Generate triples using TAHE ℱ 𝑑𝑞 (prove)

  43. Which TAHE to choose? Paillier? Circular choice • El Gamal? Inefficient decryption (discrete log) • LWE? Does not support all AHE operations • Ring-LWE more efficient, flexible Supports AHE, better parameters, packing •

  44. ZK Constraints • Triples generation - Operations in Ring ℤ 𝑅 where 𝑅 = 𝑞 1 × 𝑞 2 ×∙ ∙ ∙× 𝑞 𝑜 and each 𝑞 𝑗 is a 62-bit prime. • Triples consumption - Linear operations modulo τ • Jacobi test - Operations modulo ℤ 𝑂 ∗ where 𝑂 is the that is a product of (a different set of) primes 2048-bit candidate modulus

  45. What ZK Protocol to Use? Needs: • Memory efficient (2GB RAM for prover) • Communication efficient (sublinear) • Transparent Our Approa oach Ligero [AHIV17] + Sigma [Sho00]

  46. The Proofs Ligero • Triples generation via Ring-LWE (Range Proofs) • Triples consumption (modular arithmetic) Sigma • Jacobi test (knowledge of exponent)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Not If But When Me, I'm dishonest. And a dishonest man, you can always trust to be dishonest.

Not If But When Me, I'm dishonest. And a dishonest man, you can always trust to be dishonest.

Not If But When Me, I'm dishonest. And a dishonest man, you can always trust to be dishonest. Honestly, it's the honest ones you want to watch out for, because you can never predict when they're going to do something incredibly stupid.

369 views • 25 slides
18 th November 2016 The Dishonest Litigant Lies, damned lies and statistics [Benjamin

18 th November 2016 The Dishonest Litigant Lies, damned lies and statistics [Benjamin

The Dishonest Litigant Richard Pugh and Craig Murray 18 th November 2016 The Dishonest Litigant Lies, damned lies and statistics [Benjamin Disraeli (possibly...)] What we are not covering Not going to cover the incidence of insurance

702 views • 44 slides
Resilient Modulus Unbound Materials M R Resilient Modulus Axial strain Deviator stress

Resilient Modulus Unbound Materials M R Resilient Modulus Axial strain Deviator stress

Resilient Modulus Unbound Materials M R Resilient Modulus Axial strain Deviator stress Resilient Modulus Cyclic Triaxial Test Haversine Load Pulse Haversine Load Pulse T t sin 2 = ( ) t Flowchart

704 views • 31 slides
Resilient Modulus Unbound Materials 1 Resilient Modulus M R Deviator stress Axial strain

Resilient Modulus Unbound Materials 1 Resilient Modulus M R Deviator stress Axial strain

Resilient Modulus Unbound Materials 1 Resilient Modulus M R Deviator stress Axial strain Resilient Modulus Cyclic Triaxial Test 2 Haversine Load Pulse Haversine Load Pulse sin t ( ) = 2 t T

537 views • 11 slides
A Scalable Approach to Attack Graph Generation By Ou, Boyer, McQueen Presented By: Philip Koshy

A Scalable Approach to Attack Graph Generation By Ou, Boyer, McQueen Presented By: Philip Koshy

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA A Scalable Approach to Attack Graph Generation By Ou, Boyer,

591 views • 33 slides
Scalable 10 to 20 Kilo-pixel MKID Signal Generation and DAQ for Cosmology Gustavo Cancelo

Scalable 10 to 20 Kilo-pixel MKID Signal Generation and DAQ for Cosmology Gustavo Cancelo

Scalable 10 to 20 Kilo-pixel MKID Signal Generation and DAQ for Cosmology Gustavo Cancelo Fermilab Detector R&amp;D Program Review 29 October 2014 MKIDs (Microwave Kinetic Inductance Devices) Pixelated micro-size resonator array.

629 views • 28 slides
StarTrack Next Generation A Scalable Infrastructure for Track-Based Applications Maya Haridasan

StarTrack Next Generation A Scalable Infrastructure for Track-Based Applications Maya Haridasan

StarTrack Next Generation A Scalable Infrastructure for Track-Based Applications Maya Haridasan Iqbal Mohomed Doug Terry Chandu Thekkath Li Zhang MICROSOFT RESEARCH SILICON VALLEY OSDI 2010 Location-Based Applications Many phones

676 views • 24 slides
Numb3rs 11 2 10 3 Modular Arithmetic 9 4 8 5 7 6 Congruence For a modulus m and

Numb3rs 11 2 10 3 Modular Arithmetic 9 4 8 5 7 6 Congruence For a modulus m and

0 12 1 Numb3rs 11 2 10 3 Modular Arithmetic 9 4 8 5 7 6 Congruence For a modulus m and two integers a and b, we say a b (mod m) if m|(a-b) Typically, we shall consider modulus &gt; 0 a b (mod 0) a=b a b (mod 1)

342 views • 13 slides
StarTrack Next Generation: A Scalable Infrastructure for Track-Based Applications Maya Haridasan,

StarTrack Next Generation: A Scalable Infrastructure for Track-Based Applications Maya Haridasan,

Introduction Application Programming Interface StarTrack Server Design Storage Platform Design Evaluation Conclusion StarTrack Next Generation: A Scalable Infrastructure for Track-Based Applications Maya Haridasan, Iqbal Mohomed, Doug Terry,

868 views • 82 slides
Near-Linear Unconditionally-Secure MPC with a Dishonest Minority Serge Fehr CWI Amsterdam

Near-Linear Unconditionally-Secure MPC with a Dishonest Minority Serge Fehr CWI Amsterdam

Near-Linear Unconditionally-Secure MPC with a Dishonest Minority Serge Fehr CWI Amsterdam www.cwi.nl/~fehr Eli Ben-Sasson Rafail Ostrovsky Technion UCLA Multiparty Computation (MPC) x 2 x 3 Goal: x 1 Compute function f on private inputs x

373 views • 13 slides
5th Generation Touchscreen Controller for Mobile Phones and Tablets Hot Chips 2013 Milton

5th Generation Touchscreen Controller for Mobile Phones and Tablets Hot Chips 2013 Milton

5th Generation Touchscreen Controller for Mobile Phones and Tablets Hot Chips 2013 Milton Ribeiro John Carey August, 2013 Design Goals Quick design of derivatives Platform-based design Scalable analog front-end (AFE) Scalable

233 views • 11 slides
Building the Next Generation of Parallel Applications Michael A. Heroux Scalable Algorithms

Building the Next Generation of Parallel Applications Michael A. Heroux Scalable Algorithms

Building the Next Generation of Parallel Applications Michael A. Heroux Scalable Algorithms Department Sandia National Laboratories, USA Sandia National Laboratories is a multi-program laboratory operated by Sandia Corporation, a wholly owned

1.22k views • 73 slides
Building Adaptable and Scalable Natural Language Generation Systems Yannis Konstas Natural

Building Adaptable and Scalable Natural Language Generation Systems Yannis Konstas Natural

Building Adaptable and Scalable Natural Language Generation Systems Yannis Konstas Natural Language Generation is everywhere (Machine Translation)

1.78k views • 174 slides
Expected Constant Round Byzantine Broadcast under Dishonest Majority Jun Wan (junwan@mit.edu)

Expected Constant Round Byzantine Broadcast under Dishonest Majority Jun Wan (junwan@mit.edu)

. . . . . . . . . . . . . . . . Expected Constant Round Byzantine Broadcast under Dishonest Majority Jun Wan (junwan@mit.edu) Hanshen Xiao (hsxiao@mit.edu) Elaine Shi (runting@gmail.com) . . . . . . . . . . . . . .

274 views • 11 slides
Proactive Secret Sharing with a Dishonest Majority Shlomi Dolev*, Karim ElDefrawy**, Joshua

Proactive Secret Sharing with a Dishonest Majority Shlomi Dolev*, Karim ElDefrawy**, Joshua

Proactive Secret Sharing with a Dishonest Majority Shlomi Dolev*, Karim ElDefrawy**, Joshua Lampkins**, Rafail Ostrovsky***, Moti Yung**** * Ben-Gurion University ** Hughes Research Labs (HRL) *** University of California Los Angeles (UCLA)

569 views • 21 slides
! Static Equilibrium ! Static Equilibrium modulus spherical modulus spherical particles on

! Static Equilibrium ! Static Equilibrium modulus spherical modulus spherical particles on

ME 437/537 G. Ahmadi ME 437/537 G. Ahmadi Polystyrene on Polyurethane High elastic High elastic ! Static Equilibrium ! Static Equilibrium modulus spherical modulus spherical particles on particles on ! ! Hydrodynamic Hydrodynamic

198 views • 6 slides
Pacific Graphics Conference &amp; Indigenous Heritage Site Recording Pacific Graphics: Hong

Pacific Graphics Conference &amp; Indigenous Heritage Site Recording Pacific Graphics: Hong

Pacific Graphics Conference &amp; Indigenous Heritage Site Recording Pacific Graphics: Hong Kong, 12-14 September 2012 Heritage recording: Cape Lambert, 6-7 September 2012 Paul Bourke Introduction Pacific Graphics (PG) is an annual

594 views • 37 slides
Why person centred communication matters to patients &amp; families Susan Biggar 22 September

Why person centred communication matters to patients &amp; families Susan Biggar 22 September

Why person centred communication matters to patients &amp; families Susan Biggar 22 September 2017 Last-resort creative communicating? https://www.youtube.com/watch?v=pN0Y2EZuv TU What did Will Reid do? Considered how his Reflected on

482 views • 23 slides
Cross cultural programs and Aboriginal people at the forefront of welcome and inclusion In

Cross cultural programs and Aboriginal people at the forefront of welcome and inclusion In

Cross cultural programs and Aboriginal people at the forefront of welcome and inclusion In recognition of Custodial Boundaries, I acknowledge the Traditional Custodians and pay our respects to Elders, past, present and emerging. Rodney Welch

251 views • 6 slides
Building organisational competency in a diverse world Anukool Sathu Diversity &amp; Inclusion

Building organisational competency in a diverse world Anukool Sathu Diversity &amp; Inclusion

Building organisational competency in a diverse world Anukool Sathu Diversity &amp; Inclusion Consultant Overview New Zealand &amp; Australias ethnic diversity Cognitive illusions &amp; bias through a cultural lens Building organisational

458 views • 22 slides
A Competitive Analysis for Balanced Transactional Memory Workloads Gokarna Sharma and Costas Busch

A Competitive Analysis for Balanced Transactional Memory Workloads Gokarna Sharma and Costas Busch

A Competitive Analysis for Balanced Transactional Memory Workloads Gokarna Sharma and Costas Busch Department of Computer Science Louisiana State University, USA December 16, 2010 Gokarna Sharma and Costas Busch (LSU) A Competitive Analysis for

1.11k views • 79 slides
Testing and Debugging Programming for Engineers Winter 2015 Andreas Zeller, Saarland

Testing and Debugging Programming for Engineers Winter 2015 Andreas Zeller, Saarland

Testing and Debugging Programming for Engineers Winter 2015 Andreas Zeller, Saarland University The Problem 2 1936 schlielich fhrte Turing die Begri fg e des Algorithmus und der Berechenbarkeit fassbar, indem er Alan Turing mit seinem

671 views • 32 slides
Abstract Apache Beam is a unified programming model capable of expressing a wide variety of both

Abstract Apache Beam is a unified programming model capable of expressing a wide variety of both

Abstract Apache Beam is a unified programming model capable of expressing a wide variety of both traditional batch and complex streaming use cases. By neatly separating properties of the data from run-time characteristics, Beam enables users to

1.09k views • 80 slides
Article 370: A Constitutional Impediment to Resolving the Kashmir Crisis Subodh Atal, Ph. D.

Article 370: A Constitutional Impediment to Resolving the Kashmir Crisis Subodh Atal, Ph. D.

Article 370: A Constitutional Impediment to Resolving the Kashmir Crisis Subodh Atal, Ph. D. November 2003 Acknowledgements: Sunil Fotedar, Lalit Koul Kashmir News Network (www.ikashmir.org) 1 Jammu &amp; Kashmir: The Present 14-year

216 views • 19 slides

More recommend