Optimizing Robustness while Generating Shared Secret Safe Primes Emil Ong and John Kubiatowicz University of California, Berkeley

Motivation Several multi-party algorithms need or benefit from using safe primes Usually, for RSA moduli (e.g. Shoup’s RSA signature scheme) In many of these algorithms, the safe primes must be shared secrets to preserve security

Generating safe primes as shared secrets: Prior Work Algesheimer, Camenish, and Shoup (CRYPTO ’00) Developed several novel mechanisms for modular arithmetic  Honest-but-curious model

Our contribution A safe prime generation method which is robust and “efficient” Use a robust form of distributed sieving to find safe prime candidates Provide optimized methods for multiparty modular arithmetic

High Level Overview 1. Find a safe prime candidate Sieve for rough numbers – those without small prime factors Ensure the number is 2. Test the compositeness via a distributed Miller-Rabin test

1. Each player finds a random “rough” integer (i.e. one relatively prime to the product of the first b primes, ) 2. The players generate additive shares such that 3. Players choose a random 4. Locally compute to obtain an additive share of Distributed Sieving (Malkin, Wu, and Boneh, NDSS’99)

1. Each player finds a random “rough” integer (i.e. one relatively prime to the product of the first b primes, ) Need to prove each is genuinely rough 2. The players generate additive shares such that Prefer threshold (polynomial) sharing 3. Players choose a random Need to share the polynomially, prove their size 4. Locally compute to obtain an additive share of Making Distributed Sieving Robust

1. Each player finds a random “rough” integer Each is shared polynomially along with a ZK proof 2. The are multiplied using the usual method (Ben-Or, Goldwasser, and Wigderson) 3. Players choose a random and share them polynomially, along with a proof of size 4. Locally compute to obtain an additive share of Robust Distributed Sieving

High Level Overview 1. Find a safe prime candidate Sieve for rough numbers – those without small prime factors Ensure the number is 2. Test the compositeness via a distributed Miller-Rabin test

Distributed Miller-Rabin Input: Secret shares of prime candidate 1. Locally compute e = (φ – 1) / 2 2. Repeat m times: a. Choose a random g (0 ≤ g ≤ φ - 1) b. Compute shares of g e mod φ c. If g e mod φ, output failure 3. Output success

Modular exponentiation (Algesheimer, Camenish, and Shoup, CRYPTO ‘00) Compute shares of g e mod φ 1. Reshare the bits of e as β 1,…, β n 2. c=(g-1)* β n For i=n-1 downto 1, Do 1. d=(g-1)*β i c=((c 2 mod φ) * d) mod φ 4. Output c Note that

Optimization: Lookup tables Alternate perspective: is a “lookup” of a 2 element table: 1 and g Problem: Sharing bits of a secret can be expensive Idea: Try to optimize by doing a lookup in an arbitrarily sized table Break the exponent into larger pieces than bits → fewer shares

Compute shares of g e mod φ 1. Precompute g 0 mod φ, g 1 mod φ, …, g η-1 mod φ 2. Reshare e in base-η as η 1,…,η ω (ω=n/η) 3. c=LOOKUP(η ω ) 4. For i=ω-1 downto 1, Do 1. d=LOOKUP(η i ) 2. c=((c η mod φ) * d) mod φ 5. Output c Result: The number of modular multiplications is reduced from 2log 2 e to log 2 e+ω Generalized Modular Exponentiation

Input: g 0 mod φ, g 1 mod φ, …, g η-1 mod φ, For i=0 to η-1, do Locally compute Normalization ( Adapted from Bar-Ilan and Beaver, PODC 1989 ): Lookup procedure

Summary Robust distributed sieving for safe prime candidate selection Improvements to modular arithmetic in the multiparty setting Current work: implementation

Conclusions and Lessons Modular arithmetic optimizations can be useful in general Safe prime generation is still slow (up to 5 minutes locally) The algorithm is non-trivial to implement If possible, avoid safe primes for now while we optimize further ☺

Thank you! Check our website soon for an extended version of the paper: