Keywords

1 Introduction

When provided with an RSA public key \(n\), establishing that \(n\) is hard to factor might seem challenging: indeed, most of \(n\)’s interesting properties depend on its secret factors, and even given good arithmetic properties (large prime factors, etc.) a subtle backdoor may still be hidden in \(n\) or \(e\) [1, 27, 28, 30, 31].

Several approaches, mentioned below, focused on proving as many interesting properties as possible without compromising \(n\). However, such proofs are limited in two ways: first, they might not always be applicable — for instance [2, 3, 19] cannot prove that \((n, e)\) define a permutation when \(e\) is too small. In addition, these ad hoc proofs are extremely specialized. If one wishes to prove some new property of \(n\)’s factors, that would require modelling this new property and looking for a proper form of proof.

This paper proposes a new kind of general-purpose compact non-interactive proof \(\omega _n\), called attestation. An attestation allows the key generator to convince any third party that \(n\) was properly generated. The corresponding construction, called an attestation scheme, applies to any prime generation algorithm \(\mathcal {G}(1^P,r)\) where \(r\) denotes \(\mathcal {G}\)’s random tape, and \(P\) the size of the generated primes. The method can, for instance, attest that \(n\) is composed of primes as eccentric as those for which \(\lfloor 9393 \sin ^4(p^3)\rfloor =3939\).

More importantly, our attestation scheme provides the first efficient way to prove that \((n,e)\) defines a permutation for a small \(e\), by making \(\mathcal {G}\) only output primes \(p\) such that \(e\) is coprime with \(p-1\).

Our construction is provably secure in the Random Oracle Model.

We present two variants: In the first, a valid attestation \(\omega _n\) ensures that \(n\) contains at least two \(P\)-bit prime factors generated by \(\mathcal {G}\) (if \(n\) is honestly generated, \(n\) must contain \(\ell \) prime factors, for some integer \(\ell \ge 2\) depending on the security parameter). In the second variant, a valid attestation \(\omega _{\mathbf n}\) covers a set of moduli \(\mathbf n = (n_1, \cdots , n_{u})\) and ensures that at least one of these \(n_i\) is a product of two \(P\)-bit prime factors generated by \(\mathcal {G}\).

Both variants are unified into a general attestation scheme (i.e., use several multi-factor moduli) to encompass the entire gamut of tradeoffs offered by the concept.

Prior Work. A long thread of papers deals with proving number-theoretic properties of composite moduli. The most general (yet least efficient) of these use non-interactive zero-knowledge (NIZK) proof techniques [8, 11, 15]. Recent work by Groth [16] establishes that there is a perfect NIZK argument for \(n\) being a properly generated RSA modulus. We distinguish between these generic proofs that can, in essence, prove anything provable [4] and ad hoc methods allowing to prove proper modulus generation in faster ways albeit for very specific \(\mathcal G\)s.

The first ad hoc modulus attestation scheme was introduced by Van de Graff and Peralta [26] and consists in proving that \(n\) is a Blum integer without revealing its factors. Boyar, Friedl and Lund [7] present a proof that \(n\) is square-free. Leveraging [7, 26], Gennaro, Micciancio and Rabin [14] present a protocol proving that \(n\) is the product of two “quasi-safe” primesFootnote 1. Camenisch and Michels [9] give an NIZK proof that \(n\) is a product of two safe primes. Juels and Guajardo [18] introduce a proof for RSA key generation with verifiable randomness. Besides its complexity, [18]’s main drawback is that public parameters must be published by a trustworthy authority (TTP). Several authors [5, 10, 21, 22] describe protocols proving that \(n\) is the product of two primes \(p\) and \(q\), without proving anything on \(p,q\) but their primality. Proving that \(n = p q\) is insufficient to ascertain security (for instance, \(p\) may be too short). Hence, several authors (e.g., [6, 10, 12, 13, 20, 21]) introduced methods allowing to prove that \(p\) and \(q\) are roughly of identical sizes.

This work takes an entirely different direction: Given any generation procedure \(\mathcal G\), we prove that \(\mathcal G\) has been followed correctly during the generation of \(n\). The new approach requires no TTPs, does not rely on \(n\) having any specific properties and attests that the correct prime generation algorithm has been used — with no restriction whatsoever on how this algorithm works.

As such, the concern of generating proper moduli (e.g. such that \((N,e)\) define a permutation, but what constitutes a “proper” modulus may depend on the application) is entirely captured by the concern of choosing \(\mathcal G\) appropriately. Our work merely attests that \(\mathcal G\) was indeed used.

Cryptographic applications of attested RSA moduli abound. We refer the reader to [14] or [21] for an overview of typical applications of attested moduli. In particular, such concerns are salient in schemes where an authority is in charge of generating \(n\) (e.g., Fiat-Shamir or Guillou-Quisquater) and distributing private keys to users, or in the design of factoring-based verifiable secret-sharing schemes.

Another context in which this work has its place is to protect against the subversion of key generation procedures, as studied in e.g., [27, 29,30,31]. A recent effort in that direction is [24].

2 Outline of the Approach

The proposed attestation method is based on the following idea: fix \(k \ge 2\), generate \(k\) random numbers \(r_1,\ldots ,r_k\) and define \(h_i=\mathcal H(i,r_i)\) where \(\mathcal H\) denotes a hash function. Let \(p_i=\mathcal G(h_i)\) and:

$$\begin{aligned} N=\prod _{i=1}^k p_i \end{aligned}$$

Define \((X_1,X_2)=\mathcal {H}'_{2}(N)\), where \(\mathcal {H}'_{2}\) is a hash function which outputs two indices \(1\le X_1<X_2 \le k\). We later show how to construct such an \(\mathcal {H}'_{2}\). This defines \(n = p_{X_1} \times p_{X_2}\) and

$$\begin{aligned} \omega _n= \{r_1,r_2,\ldots ,r_{X_1-1},\star ,r_{X_1+1},\ldots ,r_{X_2-1},\star ,r_{X_2+1},\ldots ,r_k\} \end{aligned}$$

Here, a star symbol (\(\star \)) denotes a placeholder used to skip one index. The data \(\omega _n\) is called the attestation of \(n\). The algorithm \(\mathcal A\) used to obtain \(\omega _n\) is called an attestator.

The attestation process is illustrated in Fig. 1: the choice of the \(r_i\) determines \(N\), which is split into two parts: \(n\) and \(N/n\). Splitting is determined by \(d\), which is the digest of \(N\), and is hence unpredictable for the opponent.

Fig. 1.
figure 1

The approach used to generate and validate an attestation.

Full size image

Verifying the validity of such an attestation \(\omega _n\) is performed as follows: all (non-star) values \(r_i\) in \(\omega _n\) are fed to \(\mathcal G\) to generate primes, that are multiplied together and by \(n\). This gives back \(N\). If by hashing \(N\) and reading, as earlier, the digest of \(N\) (denoted \(d\)) as two values \(X_1\) and \(X_2\), we get the two exact starred positions \(X_1\) and \(X_2\) in \(\omega _n\), then \(\omega _n\) is valid; else \(\omega _n\) is invalid. The algorithm \(\mathcal V\) we just described is called a validator. It is very similar to the attestator \(\mathcal A\) mentioned above.

For a subtle reason, the \(r_i\)’s are pre-processed into a set of values \(h_i\) before being fed into \(\mathcal G\). The values \(h_i\) are generated by hashing the input \(r_i\)s with their positions \(i\). This serves two purposes: first, the hash welds together \(r_i\) and its position \(i\) in the list, which prevents the opponent from shuffling the \(p_i\)s to his advantage; second, hashing prevents the opponent from manipulating the \(r_i\)’s to influence \(\mathcal G\)’s output.

Evidently, as presented here, the method requires a very large \(k\) to achieve a high enough security level. The attacker, who chooses \(X_1, X_2\), is expected to perform \(k(k-1)/2\) operations to succeed. We circumvent this limitation using two techniques:

  • The first technique uses \(\ell \) indices \(X_1,\ldots ,X_{\ell }\) and not only \(\ell = 2\). In RSA, security depends on the fact that \(n\) contains at least two properly formed prime factors. Hence we can afford to shorten \(k\) by allowing more factors in \(n\). The drawback of using \(\ell \)-factor moduli is a significant user slow-down as most factoring-based cryptosystems run in \(O(\log ^3 n)\). Also, by doing so, we prove that \(n\) contains a properly formed modulus rather than that \(n\) is a properly formed modulus.

  • A second strategy consists in using \(2u\) indices to form \(u\) moduli \(n_1,\ldots ,n_u\). Here, each user will be given \(u\) moduli and will processFootnote 2 each message \(u\) times. Thereby, total signature size and slow-down are only linear in \(\ell \). Encryption is more tricky: while for properly signing a message it suffices that at least one \(n_i\) is secure, when encrypting a message all \(n_i\) must be secure. Hence, to encrypt, the sender will pick \(u\) session keys \(\kappa _i\), encrypt each \(\kappa _i\) using \(n_i\), and form the global session-key \(\kappa =\kappa _1\oplus \ldots \oplus \kappa _u\). The target message will then be encrypted (using a block-cipher) using \(\kappa \). In other words, it suffices to have at least one factoring-resistant \(n_i\) to achieve message confidentiality. Interestingly, to be secure a signature conceptually behaves as a logical “or”, while encryption behaves as a logical “and”.

The size of \(\omega _n\) is also a concern in this simple outline. Indeed, as presented here \(\omega _n\) is \(O(kR)\) bits large, where \(R\) represents the bitsize of the \(r_i\) Footnote 3. Given the previous remark on \(k\) being rather large, this would result in very large attestations. Luckily, it turns out that attestation size can be reduced to \(O(R\log {k})\) using hash trees, as we explain in Sect. 5.

Note. Multiplication in \(\mathbb {N}\) is one implementation option. All we need is a completely multiplicative operation. For instance, as we have:

$$\begin{aligned} \Bigg (\frac{a}{N}\Bigg ) = \left( \frac{a}{p_1}\right) \left( \frac{a}{p_2}\right) \cdots \left( \frac{a}{p_k}\right) , \end{aligned}$$

the hash of the product of the Jacobi symbols of the \(p_i\) with respect to the first primes \(a_j=2,3,5,\ldots \) Footnote 4 can equally serve as an index generator.

Before we proceed note that when generating a complete RSA key pair \((n, e)\), it is important to ascertain that \(\gcd (e, \phi (n)) = 1\). This constraint is easy to integrate into \(\mathcal G\) Footnote 5. All in all, what we prove is that with high probability, the key was generated by the desired algorithm \(\mathcal G\), whichever this \(\mathcal G\) happens to be.

3 Model and Analysis

3.1 Preliminaries and Notations

We now formally introduce the tools necessary to rigorously describe and analyse the method sketched in Sect. 2.

Throughout this paper, \(\lambda \) will denote a security parameter. The expression polynomial time will always refer to \(\lambda \). The construction uses two cryptographic hash functions: a classical hash function \(\mathcal H : \{0, 1\}^* \rightarrow \{0, 1\}^{R}\) and a second hash function \(\mathcal {H}'_{d} : \{0,1\}^* \rightarrow \mathcal {S}_d\) where \(\mathcal {S}_d\) is the set of subsets of \(\{1, \cdots , k\}\) of size \(d\) (for some positive integer \(d\) and \(k\)). \(\mathcal {H}'_{}\) can be constructed from a classical hash function using an unranking function [25] (see full version of this paper). Both hash functions will be modelled as random oracles in the security analysis.

Let \(k \ge 2\). Moreover our attestation and validation algorithms always implicitly take \(\lambda \) as input. We denote by \(\left| a\right| \) the bitsize of \(a\).

Let \(\mathcal {G}(1^P,r)\) be a polynomial-time algorithm which, on input of a unary size \(P\) and of a random seed \(r \in \{0,1\}^{R}\) produces a prime or a probably prime \(p\) of size \(P\). The argument \(1^P\) is often omitted, for the sake of simplicity. The size \(P\) of the primes is supposed to be a function of \(\lambda \). We write \(r_1 \mathop {\leftarrow }\limits ^{{}_\$}\{0,1\}^R\) to indicate that the seed \(r_1\) is chosen uniformly at random from \(\{0,1\}^R\).

An attestation scheme for \(\mathcal {G}\) is a pair of two algorithms \((\mathcal {A},\mathcal {V})\), where

  • \(\mathcal {A}\) is an attestation algorithm which takes as input \(k\) random entries (\((r_1, \cdots , r_k) \in \{0, 1\}^{R}\), in the sequel) and which outputs a tuple of moduli \(\mathbf {n}=(n_1, \cdots , n_{u})\) along with a bitstring \(\omega _{\mathbf n}\), called an attestation; \(u\) and \(k\) are integer parameters depending on \(\lambda \); when \(u = 1\), \(n_1\) is denoted \(n\);

  • \(\mathcal {V}\) is a validation algorithm which takes as input a tuple of moduli \(\mathbf n = (n_1, \cdots , n_{u})\) together with an attestation \(\omega _{\mathbf n}\). \(\mathcal V\) checks \(\omega _{\mathbf n}\), and outputs \(\mathsf {True}\) or \(\mathsf {False}\).

An attestation scheme must comply with the following properties:

  • Randomness. If \(r_1, \cdots , r_k\) are independent uniform random values, \(\mathcal {A}(1^\lambda \), \(r_1\), \(\cdots \), \(r_k)\) should output a tuple of moduli \(\mathbf n = (n_1, \cdots , n_u)\) where each \(n_i\) is the product of \(\ell \) random primes generated by \(\mathcal {G}\). The positive integer \(\ell \ge 2\) is a parameter depending on \(\lambda \). More formally the two following distributions should be statistically indistinguishable:

  • Correctness. The validator \(\mathcal {V}\) always accepts an attestation honestly generated by the attestator \(\mathcal {A}\). More precisely, for all \(r_1, \cdots , r_k\):

    $$\begin{aligned} \mathcal {V} \left( \mathcal {A}(1^\lambda ,r_1, \cdots , r_k)\right) = \mathsf {True}. \end{aligned}$$

  • Soundness. No polynomial-time adversary \(\mathcal {F}\) can output (with non-negligible probability) a tuple \(\mathbf n =(n_1, \cdots , n_u)\) and a valid attestation \(\omega _{\mathbf n}\) such that no \(n_i\) contains at least two prime factors generated by \(\mathcal {G}\) with two distinct random seeds. More formally, for any polynomial-time adversary \(\mathcal {F}\), the soundness advantage \(\mathsf {Adv}^{\text {snd}}(\mathcal {F})\) defined as

    is negligible in \(\lambda \).

  • Non-revealing. We formalise the property than an attestation does not leak sensitive information about the attested modulus as follows: An attestation algorithm \(\mathcal A\) is said to be non-revealing if, for any \(\mathbf n\), any PPT adversary \(\mathcal F\) and any computable property \(P(\mathbf n) \in \{0,1\}\) of \(\mathbf n\) alone, the advantage of \(\mathcal F\) in computing \(P(\mathbf n)\) knowing the output \(\omega _{\mathbf n}\) of \(\mathcal A\) is at most negligibly higher than without knowing \(\omega _{\mathbf n}\).

We remark that when it is hard to find two seeds \(s_1\) and \(s_2\) such that \(\mathcal {G}(s_1) = \mathcal {G}(s_2)\), then soundness basically means that one of the \(n_i\)’s contains a product of two distinct primes generated by \(\mathcal {G}\). In addition, when \(\ell =2\), if \(\mathcal {V}\) rejects moduli of size different from \(2P\) (the size of an honestly generated modulus), one of the \(n_i\)’s is necessarily exactly the product of two prime factors generated by \(\mathcal {G}\).

Table 1 summarizes the various parameters used in our construction (all are assumed to be function of \(\lambda \)). We now describe the following two variants:

  • The multi-prime variant, where \(\mathcal {A}\) only outputs one modulus (i.e., \(u = 1\));

  • The multi-modulus variant, where \(\mathcal {A}\) outputs \(u \ge 2\) two-factor moduli (i.e., \(\ell = 2\)).

Table 1. Summary of the various parameters
Full size table

3.2 Multi-prime Attestation Scheme (\(u=1\))

We now describe the algorithms \(\mathcal {A}\) and \(\mathcal {V}\) that generate and verify, respectively, an attestation along with an RSA public key, when \(u =1\) (only one modulus is generated). Algorithms in this Section are given for \(\ell = 2\) (corresponding to the common case where \(n = pq\)) for the sake of clarity and as a warm-up.

Algorithms for arbitrary \(\ell \) are particular cases of the general algorithms described in Sect. 3.4.

In Algorithms 1 and 2, a star symbol (\(\star \)) denotes a placeholder used to skip one index.

Generating an Attestation. The attestator \(\mathcal {A}\) is described in Algorithm 1. \(\mathcal A\) calls \(\mathcal H\) and \(\mathcal {G}\).

figure a

In this setting, the attestation has size \(k\). This size is reduced to \(\log k\) using hash trees as described in Sect. 5.

Verifying an Attestation. The validator \(\mathcal {V}\) is described in Algorithm 2.

figure b

Correctness: The \(h_i\)s are generated deterministically, therefore so are the \(p_i\)s, and their product times \(n\) yields the correct value of \(N\).

Randomness: In the Random Oracle Model (for \(\mathcal {H}\)), the scheme’s randomness is proven later in Sect. 4.1, as a particular case of the general scheme’s soundness (see Sect. 3.4).

3.3 Multi-modulus Attestation Scheme (\(u \ge 2\), \(\ell = 2\))

The second variant consists in generating in a batch \(u = \ell /2\) bi-factor moduli. The corresponding attestator and validator are given in Algorithms 3 and 4.

figure c

3.4 General Attestation Scheme

Algorithms 5 and 6 describe our general attestation scheme, for any \(u \ge 1\) and \(\ell \ge 2\). The previous multi-prime and multi-modulus schemes are illustrative particular cases of this scheme.

The correctness and randomness arguments are similar to those of Sect. 3.2. In addition, the attestation has size \(k\). This size is brought down to \(\ell u \log k\) using hash-trees as described in Sect. 5.

figure d

4 Security and Parameter Choice

4.1 Security

In this section, we prove that for correctly chosen parameters \(u,\ell ,k\), the general attestation scheme defined in Sect. 3.4 (Algorithms 5 and 6) is sound. We recall that the two other properties required by an attestation scheme (namely correctness and randomness) were proven in previous sections.

More formally, we have the following theorem:

Theorem 1

In the Random Oracle Model, the soundness advantage of an adversary making \(q_{\mathcal {H}}\) queries to \(\mathcal {H}\) and \(q_{\mathcal {H}'_{}}\) queries to \(\mathcal {H}'_{}\) is at most:

$$\begin{aligned} (q_{\mathcal {H}'_{}}+1) \cdot {\left( \frac{\ell u}{k - (\ell -1) u + 1} \right) }^{(\ell -1)u} + \frac{q_{\mathcal {H}} \cdot (q_{\mathcal {H}}-1)}{2} \cdot p_{\mathcal {G}\mathrm {-col}}\;, \end{aligned}$$

where \(p_{\mathcal {G}\mathrm {-col}}\) is the probability that \(\mathcal {G}(r) = \mathcal {G}(s)\), when \(r,s \mathop {\leftarrow }\limits ^{{}_\$}\{0,1\}^R\).

We point out that \(p_{\mathcal {G}\mathrm {-col}}\) must be small, otherwise the generated primes are unsafe in any case.

Proof

First, we denote by \(S_i\) the set of all prime numbers \(\rho = \mathcal {G}(\mathcal {H}(i,r))\), for which \((i,r)\) has been queried to \(\mathcal {H}\) (for \(i=1, \cdots , k\)). We remark that the probability that two such primes \(\rho \) are equal is at most \(\frac{q_{\mathcal {H}} \cdot (q_{\mathcal {H}}-1)}{2} \cdot p_{\mathcal {G}\mathrm {-col}}\). This is the second term in the security bound.

In the sequel, we suppose that there are no collisions between the primes. Thus the sets \(S_i\) are pairwise disjoint.

Now assume that the adversary \(\mathcal F\) has been able to forge a valid attestation \(\omega _{\mathbf n}\) for \(\mathbf n = (n_1, \cdots , n_u)\) and let \(N = \beta \prod _{i=1}^u n_i\), where \(\beta \) stands for the product of all the primes generated from the elements of \(\omega _{\mathbf n}\). As the attestation is valid, \(\left| n_1\right| = \dots = \left| n_u\right| = \ell P\). Let \(N = \prod _{i=1}^L \rho _i\) be the prime decomposition of \(N\). Up to reordering the sets \(S_i\), there exists an integer \(t\) such that:

  • none of \(S_1, \cdots , S_t\) contains a factor \(\rho _i\);

  • each of \(S_{t+1}, \cdots , S_k\) contains a factor \(\rho _i\). We arbitrarily choose a prime \(p_i \in S_i\) for \(i = t+1, \cdots , k\).

We distinguish two cases:

  • if \(t < (\ell -1) \cdot u\), then this means that \(N\) is divisible by \(m = p_{t+1} \times \cdots \times p_k\). But we also know that \(N\) is divisible by \(n_1 \times \cdots \times n_u\). As \(\left| n_1 \times \cdots \times n_u\right| = \ell u P\), \(\left| m\right| = (k-t) P \ge kP - (\ell -1) u P + P\), and \(\left| N\right| = k P\), we have

    $$\begin{aligned} \left| \gcd (n_1 \cdots n_u, m)\right| \ge \left| n_1\cdots n_u\right| + \left| m\right| - \left| N\right| \ge (u+1) P. \end{aligned}$$

    This implies that \(n_1 \times \cdots \times n_u\) is divisible by at least \(u+1\) distinct primes among \(p_{t+1}, \cdots , p_k\). By the pigeon-hole principle, at least one of the \(n_i\)’s is divisible by two distinct primes generated as \(\mathcal {G}(r_i)\) for two distinct seeds \(r_i\) (seeds have to be distinct, otherwise the two primes would be equal).

  • if \(t \ge (\ell -1) \cdot u\), the adversary will only be able to generate a valid attestation if none of the indices \(X_1, \cdots , X_{u \ell }\) (obtained by \(\mathcal {H}'_{u \ell }(N)\)) falls in \(\{1, \cdots , t\}\). As \(\{ 1, \cdots , k \} \setminus \{X_1, \cdots , X_{u\ell }\}\) is a random subset of \(\{1, \cdots , k\}\) with \(k-\ell u\) elements, the previous bad event (\(\mathcal F\) is able to generate a valid attestation) corresponds to this set being a subset of \(\{t+1, \cdots , k\}\) and happens with probability:

    $$\begin{aligned} \frac{\left( {\begin{array}{c}k-t\\ k-\ell u\end{array}}\right) }{\left( {\begin{array}{c}k\\ k-\ell u\end{array}}\right) }&= \frac{(k-t) \cdot (k-t-1) \cdots (k- \ell u + 1)}{k \cdot (k-1) \cdots (k-\ell u +1)} \cdot \frac{(\ell u)!}{(\ell u - t)!} \\&\le \frac{1}{(k-t+1)^t} \cdot (\ell u)^t \le {\left( \frac{\ell u}{k-(\ell -1) u + 1} \right) }^{(\ell -1) \cdot u} \;. \end{aligned}$$

    Since \(\mathcal F\) makes \(q_{\mathcal {H}'_{}}\) queries to \(\mathcal {H}'_{}\), we get the theorem’s bound (where the \(+1\) corresponds to the query necessary to verify \(\mathcal F\)’s attestation if he did not do it himself).   \(\square \)

Theorem 2

In the programmable random oracle model, our attestations are non-revealing.

Proof

The proof strategy consists in replacing the hash functions by a random oracle, resulting in attestations which are in particular completely unrelated to the modulus’ factorization. We give the proof in the multi-prime \(\ell = 2\) case. The more general case is similar.

Let \(n\) be an RSA modulus, and let \(\omega _n = (r_1, \cdots , r_k)\), where there are exactly two values \(r_{X_1} = r_{X_2} = \star \), be an attestation.

Assume that there exists a PPT adversary \(\mathcal A\) that can compute some property \(P(n)\) from the knowledge of \(n\) and \(\omega _n\), with access to the hash functions \(\mathcal H\) and \(\mathcal H_2'\), with non-negligible advantage. Since \(\mathcal A\) uses \(\mathcal H_2'\) as a black box, we can replace \(\mathcal H_2'\) by a programmable random oracle as follows.

We compute

$$\begin{aligned} N = n \times \prod _{i = 1, i \ne X_1, X_2}^{k} \mathcal G\left( \mathcal H\left( i, r_i \right) \right) . \end{aligned}$$

Now \(\mathcal H_2'\) is replaced by a random oracle that returns \(\{X_1, X_2\}\) if its input equals \(N\), and a couple of random distinct integers in \(\{1, \cdots , k\}\) otherwise. In particular, note that \(\mathcal H_2'\) is not given the factorization of \(n\). With this choice of \(\mathcal H_2'\), \(\omega _n\) is a valid attestation for \(n\).

However, by design, \(\omega _n\) is chosen independently from \(n\). Thus it is clear that if \(\mathcal A\) can compute \(P(n)\) from the knowledge of \(n\) and \(\omega _n\), in fact \(\mathcal A\) can compute \(P(n)\) from \(n\) alone.    \(\square \)

4.2 Typical Parameters and Complexity Analysis

Algorithms 5 and 6 have the following properties:

  • Attestation size \(\left| \omega _n\right| = 2u \ell R\log k\), using the hash-tree compression technique in Sect. 5

  • \(\lambda \)-bit security approximatively when:

    $$\begin{aligned} {\left( \frac{\ell u}{k - (\ell -1) u + 1} \right) }^{(\ell -1)u} \le 2^{-\lambda } \end{aligned}$$

    (according to the soundness bound given by Theorem 1, omitting the second part, which is negligible in practice);

  • Attestation and validation times mostly consist in generating (or re-generating) the \(k\) primes. Validation time is very slightly faster than attestation time.

5 Compressing the Attestation

As mentioned above, providing an attestation \(\omega _n\) “as is” might be cumbersome, as it grows linearly with \(k\). However, it is possible to drastically reduce \(\omega _n\)’s size using the following technique.

The tree of Fig. 2 is constructed as follows: Let \(h\) be some public hash function. Each non-leaf node \(C\) of the tree has two children, whose value is computed by \(r_{x0} \leftarrow h(r_x, 0)\) and \(r_{x1} \leftarrow h(r_x, 1)\) for the left child and the right child respectively, where \(r_x\) is the value of \(C\). Given a root seed \(r\), one can therefore reconstruct the whole tree. The leaf values can now be used as \(r_i\)’s for the attestation procedure.

To compress \(\omega _n\) we proceed as follows:

  • Get the indices \(X_1\) and \(X_2\) from the attestation procedure;

  • Identify the paths from \(X_1\) up to the root, and mark them;

  • Identify the paths from \(X_2\) up to the root, and mark them;

  • Send the following information:

    $$\begin{aligned} \omega _n = \{ \text {for all leaves L, highest-ranking unmarked parent of L} \} \end{aligned}$$

This requires revealing at most \(2\log _2 k\) intermediate higher-rank hashesFootnote 6 instead of the \(k-2\) values required to encode \(\omega _n\) when naively sending the seeds directly.

Generalization to \(u\ell \ge 2\) is straightforward.

Fig. 2.
figure 2

Compressing \(\omega _n\) using a hash tree.

Full size image

6 Parameter Settings

Table 2 shows typical parameter values illustrating different tradeoffs between security (\(\lambda \)), attestation size (\(2u \ell R\log k\)), modulus size (\(\ell \)), the number of required moduli (\(u\)), and the work factors of \(\mathcal A\) and \(\mathcal V\) (\(kt_{\mathcal {G}}\) where \(t_{\mathcal {G}}\) is \(\mathcal G\)’s average running time). Table 3 provides the same information for the multi-modulus variant.

We (arbitrarily) consider that reasonable attestations and validations should occur in less than ten minutes using standard HSM such as the IBM 4764 PCI-X Cryptographic Coprocessor [17] or Oracle’s Sun Crypto Accelerator SCA 6000 [23]. When run with 7 threads in the host application, the 4764 generates on average \(2.23\) key-pairs per second (1,024 bits). The SCA 6000 (for which average key generation figures are not available) is about 11 times faster than the 4764 when processing RSA 1,024-bit keys. Hence we can assume that the SCA 6000 would generate about 24 key-pairs per second. We thus consider that average-cost current-date HSMs generate 10 key-pairs per second, i.e., 20 primes per second.

Spending ten minutes to generate or validate an attestation might not be an issue given that attestation typically occurs only once during \(n\)’s lifetime. This means that a “reasonable” attestation implementation would use \(k = 10 \times 60 \times 20 =~\)12,000. This gives \(\ell = 10\) and \(\ell = 6\) for the multi-prime and multi-modulus \(\mathcal A\) (respectively) for \(\lambda = 128\).

Note that in practical field deployments an attestation would be verified once by a trusted Attestation Authority and replaced by a signature on \(n\) (or \(\mathbf {n}\)).

Table 2. Some typical parameters for multi-factor attestation (\(u = 2\)). Each table entry contains \(\lambda \) for the corresponding choice of \(k\) and \(\ell \).
Full size table
Table 3. Some typical parameters for multi-modulus attestation (\(u = \ell /2\)). Each cell contains \(\lambda \) for the corresponding choice of \(k\) and \(\ell \). Some choices of parameters are incompatible and are hence indicated by a dash.
Full size table

According to the bounds of Theorem 1, we have

$$\begin{aligned} \lambda \ge - (\ell - 1) u \log _2\left( \frac{\ell u}{k-(\ell -1)u +1}\right) \end{aligned}$$

Table 2 is read as follows: we can see that taking for instance \(\ell = 10\) and \(\log _2 k = 13\) with the multi-factor version gives 156-bit security. In Table 3, taking \(\ell =10\) and \(\log _2 k = 13\) with the multi-modulus version gives 285-bit security.

7 Conclusion and Further Research

The construction described in this paper attests in a non-interactive way that \(n\) was properly generated using an arbitrary (publicly known) prime generator \(\mathcal G\). The attestation is compact and publicly verifiable. As a result, any entity can convince herself of the modulus’ validity before using it. Even though computation times may seem unattractive, we stress that attestation generation and verification only need to be performed once.

This work raises a number of interesting questions.

Committing to the primes \(p_i\)’s might also be achieved using more involved tools such as pairings. For instance, given the commitments \(g^{p_1}\) and \(g^{p_2}\), it is easy to check that \(e(g^{p_1}, g^{p_2}) = e(g, g)^n\).

An interesting research direction consists in hashing \(N \bmod v\) (instead of \(N\)) for some public \(v\), to speed-up calculations. However, the condition \(v>n\) must be enforced by design to prevent an opponent from using \(\omega _n\) as the “attestation” of \(n+tv\) for some \(t\in \mathbb {N}\). Note that we did not adapt our security proof to this (overly?) simplified variant.

In general, any strategy allowing to reduce \(k\) without impacting \(\lambda \) would yield more efficient attestators. Also, generalizing and applying this approach to the parameter generation of other cryptographic problems, such as the discrete logarithm, may prove useful.

Finally, to date, no attestation method proves (without resorting to TTPs) that the random tape used for forming the primes was properly drawn. Like all other prior work articles cited in Sect. 1, we do not address this issue and assume that the random number that feeds \(\mathcal G\) was not biased by the attacker.