Presentation is loading. Please wait.

Presentation is loading. Please wait.

Experimenting with Shared Generation of RSA Keys Michael Malkin Thomas Wu Dan Boneh Stanford University *Supported by DARPA.

Published byTamsyn Walters Modified over 9 years ago

Similar presentations

Presentation on theme: "Experimenting with Shared Generation of RSA Keys Michael Malkin Thomas Wu Dan Boneh Stanford University *Supported by DARPA."— Presentation transcript:

1 Experimenting with Shared Generation of RSA Keys Michael Malkin Thomas Wu Dan Boneh Stanford University *Supported by DARPA

2 1/4/992 Why Share Keys? CA d d1d1 d2d2 d3d3  Who generates the shared key? CA The private key is never reconstructed!

3 1/4/993 Trusted Dealers Drawbacks: Single point of failure May have to destroy dealer afterwards d1d1 d2d2 d3d3 CA Trusted Dealer

4 1/4/994 Step 1Step 2Step 3 d1d1 d2d2 d3d3 Distributed Generation Advantages: Nobody ever knows the entire key No single point of failure NeNe

5 1/4/995 RSA Keys d is the secret p or q  d An n-bit modulus, N = pq The encryption (public) key The decryption (private) key NedNed Sharing of d : d = d 1 + d 2 + d 3  Can apply key without reconstructing d

6 1/4/996 Distributed Generation * (*Boneh-Franklin) p i, q i are n/2 bit integers p1q1p1q1 p2q2p2q2 p3q3p3q3 N = (p 1 + p 2 + p 3 )·(q 1 + q 2 + q 3 ) = pq Biprimality Test Nobody ever knows p or q! 1 p1q1p1q1 p2q2p2q2 p3q3p3q3 2 3 4 p 1, q 1 d 1 p 2, q 2 d 2 p 3, q 3 d 3 N

7 1/4/997 How Do They Compare? Non-Distributed: Pick prime p Pick prime q Multiply Distributed: Pick N Hope N = pq is an RSA modulus Can’t test p and q separately  Distributed generation takes more iterations

8 1/4/998 Main Results Distributed Sieving× 10 Multithreading× 6 Load Balancing× 1.3 Parallel Trial Division× 1.3 Initial time: 2.5 hours (1024-bit key) Final time: 1.5 minutes

9 1/4/999 Minding Your p ’s and q ’s Bad N  probably divisible by 3 or 5 or 7 or … Idea: Ensure that N isn’t divisible by any small primes  Distributed Sieving Can pick p i, q i so that p, q are not divisible by small primes … But nobody actually knows p or q !

10 1/4/9910 Synchronous algorithm  synchronization delays Under-utilizing CPU — idle 80% of time  Multithreading 6 threads optimal for 1024-bit key Almost 6 times faster! ( On 300Mhz Pentium II’s running Solaris 2.6) Using Idle Time

11 1/4/9911 Costly Biprimality Test Biprimality test involves time-consuming calculation Idea: Only one server needs to do this  Load Balancing A different server does test for each iteration Probabilistic load balancing

12 1/4/9912 More Small Primes What about small primes not covered by sieving? Trial division on N by small primes  Parallel Trial Division Each server does trial division on different small primes

13 1/4/9913 Private Key Generation Implemented method for small e In RSA usually use a small e After N is found, generate d 1, d 2, and d 3 so: d 1 + d 2 + d 3 = d … But do this so that nobody ever knows d There is an additional way to share d Only a fraction of servers need to be active

14 1/4/9914 Implementation: Config File Num_Servers: 3 Key_Length: Normal Threads: 2 TrialDiv_End: 10000 Sieve: True Test_Mode: True Sequence_Numbers: True Transport: sslv3 Share_IP_Port_0: 8080 Server_IP_Addr_0: ittc.stanford.edu Server_Sequence_File_0: com_security/seq0 Server_Cert_0: com_security/cert_s0.pem Server_Key_0: com_security/key_s0.pem

15 1/4/9915 Implementation: COM Abstraction layer Fault tolerance - non-blocking I/O Private, authenticated channels Based on SSLeay Authenticates share servers using a server certificate: /C=US/ST=California/O=Stanford University/ OU=ITTC Project/CN=[SERVER 0]

16 1/4/9916 Shared Key Storage Stored as PEM-encoded ASN.1 format

17 1/4/9917 Performance On three 300Mhz Pentium II’s running Solaris 2.6 Network bandwidth is reasonable 1024-bit works well 2048-bit is reasonable

18 1/4/9918 Effect of Number of Servers WAN: Two servers at Stanford One server at University of Wisconsin at Madison Difficult to find PC’s running Solaris

19 1/4/9919 Effect of Threads Synchronization/CPU tradeoff Minimize time with 6 threads *Generating a 1024-bit RSA key

20 1/4/9920 Effect of Distributed Sieving *Generating a 512-bit RSA key Sieve bound is largest prime sieved Larger sieve  fewer iterations Diminishing returns

21 1/4/9921 Conclusions  Distributed key generation is practical: 1.5 minutes for 1024-bit key  Several practical improvements to algorithm Distributed Sieving Multithreading Load Balancing Parallel Trial Division  Optimized cryptographic algorithm Requires security proofs http://www.stanford.edu/~dabo/ITTC

Download ppt "Experimenting with Shared Generation of RSA Keys Michael Malkin Thomas Wu Dan Boneh Stanford University *Supported by DARPA."

Similar presentations

RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.

RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.
Factoring of Large Numbers using Number Field Sieve Matrix Step Chandana Anand, Arman Gungor, and Kimberly A. Thomas ECE 646 Fall 2006.

Factoring of Large Numbers using Number Field Sieve Matrix Step Chandana Anand, Arman Gungor, and Kimberly A. Thomas ECE 646 Fall 2006.
Seeking prime numbers quickly through parallel-computing Daniel J. Wright.

Seeking prime numbers quickly through parallel-computing Daniel J. Wright.
Data Integrity Proofs in Cloud Storage Sravan Kumar R, Ashutosh Saxena Communication Systems and Networks (COMSNETS), 2011 Third International Conference.

Data Integrity Proofs in Cloud Storage Sravan Kumar R, Ashutosh Saxena Communication Systems and Networks (COMSNETS), 2011 Third International Conference.
Digital Signatures. Anononymity and the Internet.

Digital Signatures. Anononymity and the Internet.
The XTR public key system (extended version of Crypto 2000 presentation) Arjen K. Lenstra Citibank, New York Technical University Eindhoven Eric R. Verheul.

The XTR public key system (extended version of Crypto 2000 presentation) Arjen K. Lenstra Citibank, New York Technical University Eindhoven Eric R. Verheul.
1 Comnet 2010 Communication Networks Recitation 11 Security.

1 Comnet 2010 Communication Networks Recitation 11 Security.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
RSA & F ACTORING I NTEGERS BY: MIKE NEUMILLER & BRIAN YARBROUGH.

RSA & F ACTORING I NTEGERS BY: MIKE NEUMILLER & BRIAN YARBROUGH.
Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.

Real-Time Authentication Using Digital Signature Schema Marissa Hollingsworth BOISECRYPT ‘09.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem

RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem
Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.

Remote Timing Attacks -Rashmi Kukanur. Agenda  Timing Attacks  Case Study : –David Brumley –Dan Boneh  Defenses.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.

1 Lecture #10 Public Key Algorithms HAIT Summer 2005 Shimrit Tzur-David.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.

CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

Similar presentations

Ads by Google