Presentation is loading. Please wait.

Presentation is loading. Please wait.

Optimizing Robustness while Generating Shared Secret Safe Primes Emil Ong and John Kubiatowicz University of California, Berkeley.

Published byPauline Doyle Modified over 9 years ago

Similar presentations

Presentation on theme: "Optimizing Robustness while Generating Shared Secret Safe Primes Emil Ong and John Kubiatowicz University of California, Berkeley."— Presentation transcript:

1 Optimizing Robustness while Generating Shared Secret Safe Primes Emil Ong and John Kubiatowicz emilong@cs.berkeley.edu University of California, Berkeley

2 Motivation Several multi-party algorithms need or benefit from using safe primes Usually, for RSA moduli (e.g. Shoup’s RSA signature scheme) In many of these algorithms, the safe primes must be shared secrets to preserve security

3 Generating safe primes as shared secrets: Prior Work Algesheimer, Camenish, and Shoup (CRYPTO ’00) Developed several novel mechanisms for modular arithmetic  Honest-but-curious model

4 Our contribution A safe prime generation method which is robust and “efficient” Use a robust form of distributed sieving to find safe prime candidates Provide optimized methods for multiparty modular arithmetic

5 High Level Overview 1. Find a safe prime candidate Sieve for rough numbers – those without small prime factors Ensure the number is 2. Test the compositeness via a distributed Miller-Rabin test

6 1. Each player finds a random “rough” integer (i.e. one relatively prime to the product of the first b primes, ) 2. The players generate additive shares such that 3. Players choose a random 4. Locally compute to obtain an additive share of Distributed Sieving (Malkin, Wu, and Boneh, NDSS’99)

7 1. Each player finds a random “rough” integer (i.e. one relatively prime to the product of the first b primes, ) Need to prove each is genuinely rough 2. The players generate additive shares such that Prefer threshold (polynomial) sharing 3. Players choose a random Need to share the polynomially, prove their size 4. Locally compute to obtain an additive share of Making Distributed Sieving Robust

8 1. Each player finds a random “rough” integer Each is shared polynomially along with a ZK proof 2. The are multiplied using the usual method (Ben-Or, Goldwasser, and Wigderson) 3. Players choose a random and share them polynomially, along with a proof of size 4. Locally compute to obtain an additive share of Robust Distributed Sieving

9 High Level Overview 1. Find a safe prime candidate Sieve for rough numbers – those without small prime factors Ensure the number is 2. Test the compositeness via a distributed Miller-Rabin test

10 Distributed Miller-Rabin Input: Secret shares of prime candidate 1. Locally compute e = (φ – 1) / 2 2. Repeat m times: a. Choose a random g (0 ≤ g ≤ φ - 1) b. Compute shares of g e mod φ c. If g e mod φ, output failure 3. Output success

11 Modular exponentiation (Algesheimer, Camenish, and Shoup, CRYPTO ‘00) Compute shares of g e mod φ 1. Reshare the bits of e as β 1,…, β n 2. c=(g-1)* β n +1 3. For i=n-1 downto 1, Do 1. d=(g-1)*β i + 1 2. c=((c 2 mod φ) * d) mod φ 4. Output c Note that

12 Optimization: Lookup tables Alternate perspective: is a “lookup” of a 2 element table: 1 and g Problem: Sharing bits of a secret can be expensive Idea: Try to optimize by doing a lookup in an arbitrarily sized table Break the exponent into larger pieces than bits → fewer shares

13 Compute shares of g e mod φ 1. Precompute g 0 mod φ, g 1 mod φ, …, g η-1 mod φ 2. Reshare e in base-η as η 1,…,η ω (ω=n/η) 3. c=LOOKUP(η ω ) 4. For i=ω-1 downto 1, Do 1. d=LOOKUP(η i ) 2. c=((c η mod φ) * d) mod φ 5. Output c Result: The number of modular multiplications is reduced from 2log 2 e to log 2 e+ω Generalized Modular Exponentiation

14 Input: g 0 mod φ, g 1 mod φ, …, g η-1 mod φ, For i=0 to η-1, do Locally compute Normalization ( Adapted from Bar-Ilan and Beaver, PODC 1989 ): Lookup procedure

15 Summary Robust distributed sieving for safe prime candidate selection Improvements to modular arithmetic in the multiparty setting Current work: implementation

16 Conclusions and Lessons Modular arithmetic optimizations can be useful in general Safe prime generation is still slow (up to 5 minutes locally) The algorithm is non-trivial to implement If possible, avoid safe primes for now while we optimize further ☺

17 Thank you! Check our website soon for an extended version of the paper: http://oceanstore.cs.berkeley.edu

Download ppt "Optimizing Robustness while Generating Shared Secret Safe Primes Emil Ong and John Kubiatowicz University of California, Berkeley."

Similar presentations

Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.

Number Theory Algorithms and Cryptography Algorithms Prepared by John Reif, Ph.D. Analysis of Algorithms.
Lecture 11-12 Implementations. The efficiency of a particular cryptographic scheme based on any one of the algebraic structures will depend on a number.

Lecture Implementations. The efficiency of a particular cryptographic scheme based on any one of the algebraic structures will depend on a number.
Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes.

Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes.
Cryptography and Network Security

Cryptography and Network Security
Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.

Chapter 8 – Introduction to Number Theory. Prime Numbers prime numbers only have divisors of 1 and self –they cannot be written as a product of other.
Lecture 8: Primality Testing and Factoring Piotr Faliszewski

Lecture 8: Primality Testing and Factoring Piotr Faliszewski
COM 5336 Cryptography Lecture 7a Primality Testing

COM 5336 Cryptography Lecture 7a Primality Testing
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,

C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,
Scott CH Huang COM5336 Cryptography Lecture 14 XTR Cryptosystem Scott CH Huang COM 5336 Cryptography Lecture 10.

Scott CH Huang COM5336 Cryptography Lecture 14 XTR Cryptosystem Scott CH Huang COM 5336 Cryptography Lecture 10.
The XTR public key system (extended version of Crypto 2000 presentation) Arjen K. Lenstra Citibank, New York Technical University Eindhoven Eric R. Verheul.

The XTR public key system (extended version of Crypto 2000 presentation) Arjen K. Lenstra Citibank, New York Technical University Eindhoven Eric R. Verheul.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.

CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
1 Cryptosystems Based on Discrete Logarithms. 2 Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm –A trivial algorithm –Shanks’

1 Cryptosystems Based on Discrete Logarithms. 2 Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm –A trivial algorithm –Shanks’
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:

Cryptography Lecture 11: Oct 12. Cryptography AliceBob Cryptography is the study of methods for sending and receiving secret messages. adversary Goal:
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.

1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.

Similar presentations

Ads by Google