Abstract
RSA public keys are central to many cryptographic applications; hence their validity is of primary concern to the scrupulous cryptographer. The most relevant properties of an RSA public key \((n, e)\) depend on the factors of \(n\): are they properly generated primes? are they large enough? is \(e\) co-prime with \(\phi (n)\)? etc. And of course, it is out of question to reveal \(n\)’s factors.
Generic non-interactive zero-knowledge (NIZK) proofs can be used to prove such properties. However, NIZK proofs are not practical at all. For some very specific properties, specialized proofs exist but such ad hoc proofs are naturally hard to generalize.
This paper proposes a new type of general-purpose compact non-interactive proofs, called attestations, allowing the key generator to convince any third party that \(n\) was properly generated. The proposed construction applies to any prime generation algorithm, and is provably secure in the Random Oracle Model.
As a typical implementation instance, for a 138-bit security, verifying or generating an attestation requires \(k=1024\) prime generations. For this instance, each processed message will later need to be signed or encrypted 14 times by the final users of the attested moduli.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
When provided with an RSA public key \(n\), establishing that \(n\) is hard to factor might seem challenging: indeed, most of \(n\)’s interesting properties depend on its secret factors, and even given good arithmetic properties (large prime factors, etc.) a subtle backdoor may still be hidden in \(n\) or \(e\) [1, 27, 28, 30, 31].
Several approaches, mentioned below, focused on proving as many interesting properties as possible without compromising \(n\). However, such proofs are limited in two ways: first, they might not always be applicable — for instance [2, 3, 19] cannot prove that \((n, e)\) define a permutation when \(e\) is too small. In addition, these ad hoc proofs are extremely specialized. If one wishes to prove some new property of \(n\)’s factors, that would require modelling this new property and looking for a proper form of proof.
This paper proposes a new kind of general-purpose compact non-interactive proof \(\omega _n\), called attestation. An attestation allows the key generator to convince any third party that \(n\) was properly generated. The corresponding construction, called an attestation scheme, applies to any prime generation algorithm \(\mathcal {G}(1^P,r)\) where \(r\) denotes \(\mathcal {G}\)’s random tape, and \(P\) the size of the generated primes. The method can, for instance, attest that \(n\) is composed of primes as eccentric as those for which \(\lfloor 9393 \sin ^4(p^3)\rfloor =3939\).
More importantly, our attestation scheme provides the first efficient way to prove that \((n,e)\) defines a permutation for a small \(e\), by making \(\mathcal {G}\) only output primes \(p\) such that \(e\) is coprime with \(p-1\).
Our construction is provably secure in the Random Oracle Model.
We present two variants: In the first, a valid attestation \(\omega _n\) ensures that \(n\) contains at least two \(P\)-bit prime factors generated by \(\mathcal {G}\) (if \(n\) is honestly generated, \(n\) must contain \(\ell \) prime factors, for some integer \(\ell \ge 2\) depending on the security parameter). In the second variant, a valid attestation \(\omega _{\mathbf n}\) covers a set of moduli \(\mathbf n = (n_1, \cdots , n_{u})\) and ensures that at least one of these \(n_i\) is a product of two \(P\)-bit prime factors generated by \(\mathcal {G}\).
Both variants are unified into a general attestation scheme (i.e., use several multi-factor moduli) to encompass the entire gamut of tradeoffs offered by the concept.
Prior Work. A long thread of papers deals with proving number-theoretic properties of composite moduli. The most general (yet least efficient) of these use non-interactive zero-knowledge (NIZK) proof techniques [8, 11, 15]. Recent work by Groth [16] establishes that there is a perfect NIZK argument for \(n\) being a properly generated RSA modulus. We distinguish between these generic proofs that can, in essence, prove anything provable [4] and ad hoc methods allowing to prove proper modulus generation in faster ways albeit for very specific \(\mathcal G\)s.
The first ad hoc modulus attestation scheme was introduced by Van de Graff and Peralta [26] and consists in proving that \(n\) is a Blum integer without revealing its factors. Boyar, Friedl and Lund [7] present a proof that \(n\) is square-free. Leveraging [7, 26], Gennaro, Micciancio and Rabin [14] present a protocol proving that \(n\) is the product of two “quasi-safe” primesFootnote 1. Camenisch and Michels [9] give an NIZK proof that \(n\) is a product of two safe primes. Juels and Guajardo [18] introduce a proof for RSA key generation with verifiable randomness. Besides its complexity, [18]’s main drawback is that public parameters must be published by a trustworthy authority (TTP). Several authors [5, 10, 21, 22] describe protocols proving that \(n\) is the product of two primes \(p\) and \(q\), without proving anything on \(p,q\) but their primality. Proving that \(n = p q\) is insufficient to ascertain security (for instance, \(p\) may be too short). Hence, several authors (e.g., [6, 10, 12, 13, 20, 21]) introduced methods allowing to prove that \(p\) and \(q\) are roughly of identical sizes.
This work takes an entirely different direction: Given any generation procedure \(\mathcal G\), we prove that \(\mathcal G\) has been followed correctly during the generation of \(n\). The new approach requires no TTPs, does not rely on \(n\) having any specific properties and attests that the correct prime generation algorithm has been used — with no restriction whatsoever on how this algorithm works.
As such, the concern of generating proper moduli (e.g. such that \((N,e)\) define a permutation, but what constitutes a “proper” modulus may depend on the application) is entirely captured by the concern of choosing \(\mathcal G\) appropriately. Our work merely attests that \(\mathcal G\) was indeed used.
Cryptographic applications of attested RSA moduli abound. We refer the reader to [14] or [21] for an overview of typical applications of attested moduli. In particular, such concerns are salient in schemes where an authority is in charge of generating \(n\) (e.g., Fiat-Shamir or Guillou-Quisquater) and distributing private keys to users, or in the design of factoring-based verifiable secret-sharing schemes.
Another context in which this work has its place is to protect against the subversion of key generation procedures, as studied in e.g., [27, 29,30,31]. A recent effort in that direction is [24].
2 Outline of the Approach
The proposed attestation method is based on the following idea: fix \(k \ge 2\), generate \(k\) random numbers \(r_1,\ldots ,r_k\) and define \(h_i=\mathcal H(i,r_i)\) where \(\mathcal H\) denotes a hash function. Let \(p_i=\mathcal G(h_i)\) and:
Define \((X_1,X_2)=\mathcal {H}'_{2}(N)\), where \(\mathcal {H}'_{2}\) is a hash function which outputs two indices \(1\le X_1<X_2 \le k\). We later show how to construct such an \(\mathcal {H}'_{2}\). This defines \(n = p_{X_1} \times p_{X_2}\) and
Here, a star symbol (\(\star \)) denotes a placeholder used to skip one index. The data \(\omega _n\) is called the attestation of \(n\). The algorithm \(\mathcal A\) used to obtain \(\omega _n\) is called an attestator.
The attestation process is illustrated in Fig. 1: the choice of the \(r_i\) determines \(N\), which is split into two parts: \(n\) and \(N/n\). Splitting is determined by \(d\), which is the digest of \(N\), and is hence unpredictable for the opponent.
Verifying the validity of such an attestation \(\omega _n\) is performed as follows: all (non-star) values \(r_i\) in \(\omega _n\) are fed to \(\mathcal G\) to generate primes, that are multiplied together and by \(n\). This gives back \(N\). If by hashing \(N\) and reading, as earlier, the digest of \(N\) (denoted \(d\)) as two values \(X_1\) and \(X_2\), we get the two exact starred positions \(X_1\) and \(X_2\) in \(\omega _n\), then \(\omega _n\) is valid; else \(\omega _n\) is invalid. The algorithm \(\mathcal V\) we just described is called a validator. It is very similar to the attestator \(\mathcal A\) mentioned above.
For a subtle reason, the \(r_i\)’s are pre-processed into a set of values \(h_i\) before being fed into \(\mathcal G\). The values \(h_i\) are generated by hashing the input \(r_i\)s with their positions \(i\). This serves two purposes: first, the hash welds together \(r_i\) and its position \(i\) in the list, which prevents the opponent from shuffling the \(p_i\)s to his advantage; second, hashing prevents the opponent from manipulating the \(r_i\)’s to influence \(\mathcal G\)’s output.
Evidently, as presented here, the method requires a very large \(k\) to achieve a high enough security level. The attacker, who chooses \(X_1, X_2\), is expected to perform \(k(k-1)/2\) operations to succeed. We circumvent this limitation using two techniques:
-
The first technique uses \(\ell \) indices \(X_1,\ldots ,X_{\ell }\) and not only \(\ell = 2\). In RSA, security depends on the fact that \(n\) contains at least two properly formed prime factors. Hence we can afford to shorten \(k\) by allowing more factors in \(n\). The drawback of using \(\ell \)-factor moduli is a significant user slow-down as most factoring-based cryptosystems run in \(O(\log ^3 n)\). Also, by doing so, we prove that \(n\) contains a properly formed modulus rather than that \(n\) is a properly formed modulus.
-
A second strategy consists in using \(2u\) indices to form \(u\) moduli \(n_1,\ldots ,n_u\). Here, each user will be given \(u\) moduli and will processFootnote 2 each message \(u\) times. Thereby, total signature size and slow-down are only linear in \(\ell \). Encryption is more tricky: while for properly signing a message it suffices that at least one \(n_i\) is secure, when encrypting a message all \(n_i\) must be secure. Hence, to encrypt, the sender will pick \(u\) session keys \(\kappa _i\), encrypt each \(\kappa _i\) using \(n_i\), and form the global session-key \(\kappa =\kappa _1\oplus \ldots \oplus \kappa _u\). The target message will then be encrypted (using a block-cipher) using \(\kappa \). In other words, it suffices to have at least one factoring-resistant \(n_i\) to achieve message confidentiality. Interestingly, to be secure a signature conceptually behaves as a logical “or”, while encryption behaves as a logical “and”.
The size of \(\omega _n\) is also a concern in this simple outline. Indeed, as presented here \(\omega _n\) is \(O(kR)\) bits large, where \(R\) represents the bitsize of the \(r_i\) Footnote 3. Given the previous remark on \(k\) being rather large, this would result in very large attestations. Luckily, it turns out that attestation size can be reduced to \(O(R\log {k})\) using hash trees, as we explain in Sect. 5.
Note. Multiplication in \(\mathbb {N}\) is one implementation option. All we need is a completely multiplicative operation. For instance, as we have:
the hash of the product of the Jacobi symbols of the \(p_i\) with respect to the first primes \(a_j=2,3,5,\ldots \) Footnote 4 can equally serve as an index generator.
Before we proceed note that when generating a complete RSA key pair \((n, e)\), it is important to ascertain that \(\gcd (e, \phi (n)) = 1\). This constraint is easy to integrate into \(\mathcal G\) Footnote 5. All in all, what we prove is that with high probability, the key was generated by the desired algorithm \(\mathcal G\), whichever this \(\mathcal G\) happens to be.
3 Model and Analysis
3.1 Preliminaries and Notations
We now formally introduce the tools necessary to rigorously describe and analyse the method sketched in Sect. 2.
Throughout this paper, \(\lambda \) will denote a security parameter. The expression polynomial time will always refer to \(\lambda \). The construction uses two cryptographic hash functions: a classical hash function \(\mathcal H : \{0, 1\}^* \rightarrow \{0, 1\}^{R}\) and a second hash function \(\mathcal {H}'_{d} : \{0,1\}^* \rightarrow \mathcal {S}_d\) where \(\mathcal {S}_d\) is the set of subsets of \(\{1, \cdots , k\}\) of size \(d\) (for some positive integer \(d\) and \(k\)). \(\mathcal {H}'_{}\) can be constructed from a classical hash function using an unranking function [25] (see full version of this paper). Both hash functions will be modelled as random oracles in the security analysis.
Let \(k \ge 2\). Moreover our attestation and validation algorithms always implicitly take \(\lambda \) as input. We denote by \(\left| a\right| \) the bitsize of \(a\).
Let \(\mathcal {G}(1^P,r)\) be a polynomial-time algorithm which, on input of a unary size \(P\) and of a random seed \(r \in \{0,1\}^{R}\) produces a prime or a probably prime \(p\) of size \(P\). The argument \(1^P\) is often omitted, for the sake of simplicity. The size \(P\) of the primes is supposed to be a function of \(\lambda \). We write \(r_1 \mathop {\leftarrow }\limits ^{{}_\$}\{0,1\}^R\) to indicate that the seed \(r_1\) is chosen uniformly at random from \(\{0,1\}^R\).
An attestation scheme for \(\mathcal {G}\) is a pair of two algorithms \((\mathcal {A},\mathcal {V})\), where
-
\(\mathcal {A}\) is an attestation algorithm which takes as input \(k\) random entries (\((r_1, \cdots , r_k) \in \{0, 1\}^{R}\), in the sequel) and which outputs a tuple of moduli \(\mathbf {n}=(n_1, \cdots , n_{u})\) along with a bitstring \(\omega _{\mathbf n}\), called an attestation; \(u\) and \(k\) are integer parameters depending on \(\lambda \); when \(u = 1\), \(n_1\) is denoted \(n\);
-
\(\mathcal {V}\) is a validation algorithm which takes as input a tuple of moduli \(\mathbf n = (n_1, \cdots , n_{u})\) together with an attestation \(\omega _{\mathbf n}\). \(\mathcal V\) checks \(\omega _{\mathbf n}\), and outputs \(\mathsf {True}\) or \(\mathsf {False}\).
An attestation scheme must comply with the following properties:
-
Randomness. If \(r_1, \cdots , r_k\) are independent uniform random values, \(\mathcal {A}(1^\lambda \), \(r_1\), \(\cdots \), \(r_k)\) should output a tuple of moduli \(\mathbf n = (n_1, \cdots , n_u)\) where each \(n_i\) is the product of \(\ell \) random primes generated by \(\mathcal {G}\). The positive integer \(\ell \ge 2\) is a parameter depending on \(\lambda \). More formally the two following distributions should be statistically indistinguishable:
-
Correctness. The validator \(\mathcal {V}\) always accepts an attestation honestly generated by the attestator \(\mathcal {A}\). More precisely, for all \(r_1, \cdots , r_k\):
$$\begin{aligned} \mathcal {V} \left( \mathcal {A}(1^\lambda ,r_1, \cdots , r_k)\right) = \mathsf {True}. \end{aligned}$$ -
Soundness. No polynomial-time adversary \(\mathcal {F}\) can output (with non-negligible probability) a tuple \(\mathbf n =(n_1, \cdots , n_u)\) and a valid attestation \(\omega _{\mathbf n}\) such that no \(n_i\) contains at least two prime factors generated by \(\mathcal {G}\) with two distinct random seeds. More formally, for any polynomial-time adversary \(\mathcal {F}\), the soundness advantage \(\mathsf {Adv}^{\text {snd}}(\mathcal {F})\) defined as
is negligible in \(\lambda \).
-
Non-revealing. We formalise the property than an attestation does not leak sensitive information about the attested modulus as follows: An attestation algorithm \(\mathcal A\) is said to be non-revealing if, for any \(\mathbf n\), any PPT adversary \(\mathcal F\) and any computable property \(P(\mathbf n) \in \{0,1\}\) of \(\mathbf n\) alone, the advantage of \(\mathcal F\) in computing \(P(\mathbf n)\) knowing the output \(\omega _{\mathbf n}\) of \(\mathcal A\) is at most negligibly higher than without knowing \(\omega _{\mathbf n}\).
We remark that when it is hard to find two seeds \(s_1\) and \(s_2\) such that \(\mathcal {G}(s_1) = \mathcal {G}(s_2)\), then soundness basically means that one of the \(n_i\)’s contains a product of two distinct primes generated by \(\mathcal {G}\). In addition, when \(\ell =2\), if \(\mathcal {V}\) rejects moduli of size different from \(2P\) (the size of an honestly generated modulus), one of the \(n_i\)’s is necessarily exactly the product of two prime factors generated by \(\mathcal {G}\).
Table 1 summarizes the various parameters used in our construction (all are assumed to be function of \(\lambda \)). We now describe the following two variants:
-
The multi-prime variant, where \(\mathcal {A}\) only outputs one modulus (i.e., \(u = 1\));
-
The multi-modulus variant, where \(\mathcal {A}\) outputs \(u \ge 2\) two-factor moduli (i.e., \(\ell = 2\)).
3.2 Multi-prime Attestation Scheme (\(u=1\))
We now describe the algorithms \(\mathcal {A}\) and \(\mathcal {V}\) that generate and verify, respectively, an attestation along with an RSA public key, when \(u =1\) (only one modulus is generated). Algorithms in this Section are given for \(\ell = 2\) (corresponding to the common case where \(n = pq\)) for the sake of clarity and as a warm-up.
Algorithms for arbitrary \(\ell \) are particular cases of the general algorithms described in Sect. 3.4.
In Algorithms 1 and 2, a star symbol (\(\star \)) denotes a placeholder used to skip one index.
Generating an Attestation. The attestator \(\mathcal {A}\) is described in Algorithm 1. \(\mathcal A\) calls \(\mathcal H\) and \(\mathcal {G}\).
In this setting, the attestation has size \(k\). This size is reduced to \(\log k\) using hash trees as described in Sect. 5.
Verifying an Attestation. The validator \(\mathcal {V}\) is described in Algorithm 2.
Correctness: The \(h_i\)s are generated deterministically, therefore so are the \(p_i\)s, and their product times \(n\) yields the correct value of \(N\).
Randomness: In the Random Oracle Model (for \(\mathcal {H}\)), the scheme’s randomness is proven later in Sect. 4.1, as a particular case of the general scheme’s soundness (see Sect. 3.4).
3.3 Multi-modulus Attestation Scheme (\(u \ge 2\), \(\ell = 2\))
The second variant consists in generating in a batch \(u = \ell /2\) bi-factor moduli. The corresponding attestator and validator are given in Algorithms 3 and 4.
3.4 General Attestation Scheme
Algorithms 5 and 6 describe our general attestation scheme, for any \(u \ge 1\) and \(\ell \ge 2\). The previous multi-prime and multi-modulus schemes are illustrative particular cases of this scheme.
The correctness and randomness arguments are similar to those of Sect. 3.2. In addition, the attestation has size \(k\). This size is brought down to \(\ell u \log k\) using hash-trees as described in Sect. 5.
4 Security and Parameter Choice
4.1 Security
In this section, we prove that for correctly chosen parameters \(u,\ell ,k\), the general attestation scheme defined in Sect. 3.4 (Algorithms 5 and 6) is sound. We recall that the two other properties required by an attestation scheme (namely correctness and randomness) were proven in previous sections.
More formally, we have the following theorem:
Theorem 1
In the Random Oracle Model, the soundness advantage of an adversary making \(q_{\mathcal {H}}\) queries to \(\mathcal {H}\) and \(q_{\mathcal {H}'_{}}\) queries to \(\mathcal {H}'_{}\) is at most:
where \(p_{\mathcal {G}\mathrm {-col}}\) is the probability that \(\mathcal {G}(r) = \mathcal {G}(s)\), when \(r,s \mathop {\leftarrow }\limits ^{{}_\$}\{0,1\}^R\).
We point out that \(p_{\mathcal {G}\mathrm {-col}}\) must be small, otherwise the generated primes are unsafe in any case.
Proof
First, we denote by \(S_i\) the set of all prime numbers \(\rho = \mathcal {G}(\mathcal {H}(i,r))\), for which \((i,r)\) has been queried to \(\mathcal {H}\) (for \(i=1, \cdots , k\)). We remark that the probability that two such primes \(\rho \) are equal is at most \(\frac{q_{\mathcal {H}} \cdot (q_{\mathcal {H}}-1)}{2} \cdot p_{\mathcal {G}\mathrm {-col}}\). This is the second term in the security bound.
In the sequel, we suppose that there are no collisions between the primes. Thus the sets \(S_i\) are pairwise disjoint.
Now assume that the adversary \(\mathcal F\) has been able to forge a valid attestation \(\omega _{\mathbf n}\) for \(\mathbf n = (n_1, \cdots , n_u)\) and let \(N = \beta \prod _{i=1}^u n_i\), where \(\beta \) stands for the product of all the primes generated from the elements of \(\omega _{\mathbf n}\). As the attestation is valid, \(\left| n_1\right| = \dots = \left| n_u\right| = \ell P\). Let \(N = \prod _{i=1}^L \rho _i\) be the prime decomposition of \(N\). Up to reordering the sets \(S_i\), there exists an integer \(t\) such that:
-
none of \(S_1, \cdots , S_t\) contains a factor \(\rho _i\);
-
each of \(S_{t+1}, \cdots , S_k\) contains a factor \(\rho _i\). We arbitrarily choose a prime \(p_i \in S_i\) for \(i = t+1, \cdots , k\).
We distinguish two cases:
-
if \(t < (\ell -1) \cdot u\), then this means that \(N\) is divisible by \(m = p_{t+1} \times \cdots \times p_k\). But we also know that \(N\) is divisible by \(n_1 \times \cdots \times n_u\). As \(\left| n_1 \times \cdots \times n_u\right| = \ell u P\), \(\left| m\right| = (k-t) P \ge kP - (\ell -1) u P + P\), and \(\left| N\right| = k P\), we have
$$\begin{aligned} \left| \gcd (n_1 \cdots n_u, m)\right| \ge \left| n_1\cdots n_u\right| + \left| m\right| - \left| N\right| \ge (u+1) P. \end{aligned}$$This implies that \(n_1 \times \cdots \times n_u\) is divisible by at least \(u+1\) distinct primes among \(p_{t+1}, \cdots , p_k\). By the pigeon-hole principle, at least one of the \(n_i\)’s is divisible by two distinct primes generated as \(\mathcal {G}(r_i)\) for two distinct seeds \(r_i\) (seeds have to be distinct, otherwise the two primes would be equal).
-
if \(t \ge (\ell -1) \cdot u\), the adversary will only be able to generate a valid attestation if none of the indices \(X_1, \cdots , X_{u \ell }\) (obtained by \(\mathcal {H}'_{u \ell }(N)\)) falls in \(\{1, \cdots , t\}\). As \(\{ 1, \cdots , k \} \setminus \{X_1, \cdots , X_{u\ell }\}\) is a random subset of \(\{1, \cdots , k\}\) with \(k-\ell u\) elements, the previous bad event (\(\mathcal F\) is able to generate a valid attestation) corresponds to this set being a subset of \(\{t+1, \cdots , k\}\) and happens with probability:
$$\begin{aligned} \frac{\left( {\begin{array}{c}k-t\\ k-\ell u\end{array}}\right) }{\left( {\begin{array}{c}k\\ k-\ell u\end{array}}\right) }&= \frac{(k-t) \cdot (k-t-1) \cdots (k- \ell u + 1)}{k \cdot (k-1) \cdots (k-\ell u +1)} \cdot \frac{(\ell u)!}{(\ell u - t)!} \\&\le \frac{1}{(k-t+1)^t} \cdot (\ell u)^t \le {\left( \frac{\ell u}{k-(\ell -1) u + 1} \right) }^{(\ell -1) \cdot u} \;. \end{aligned}$$Since \(\mathcal F\) makes \(q_{\mathcal {H}'_{}}\) queries to \(\mathcal {H}'_{}\), we get the theorem’s bound (where the \(+1\) corresponds to the query necessary to verify \(\mathcal F\)’s attestation if he did not do it himself). \(\square \)
Theorem 2
In the programmable random oracle model, our attestations are non-revealing.
Proof
The proof strategy consists in replacing the hash functions by a random oracle, resulting in attestations which are in particular completely unrelated to the modulus’ factorization. We give the proof in the multi-prime \(\ell = 2\) case. The more general case is similar.
Let \(n\) be an RSA modulus, and let \(\omega _n = (r_1, \cdots , r_k)\), where there are exactly two values \(r_{X_1} = r_{X_2} = \star \), be an attestation.
Assume that there exists a PPT adversary \(\mathcal A\) that can compute some property \(P(n)\) from the knowledge of \(n\) and \(\omega _n\), with access to the hash functions \(\mathcal H\) and \(\mathcal H_2'\), with non-negligible advantage. Since \(\mathcal A\) uses \(\mathcal H_2'\) as a black box, we can replace \(\mathcal H_2'\) by a programmable random oracle as follows.
We compute
Now \(\mathcal H_2'\) is replaced by a random oracle that returns \(\{X_1, X_2\}\) if its input equals \(N\), and a couple of random distinct integers in \(\{1, \cdots , k\}\) otherwise. In particular, note that \(\mathcal H_2'\) is not given the factorization of \(n\). With this choice of \(\mathcal H_2'\), \(\omega _n\) is a valid attestation for \(n\).
However, by design, \(\omega _n\) is chosen independently from \(n\). Thus it is clear that if \(\mathcal A\) can compute \(P(n)\) from the knowledge of \(n\) and \(\omega _n\), in fact \(\mathcal A\) can compute \(P(n)\) from \(n\) alone. \(\square \)
4.2 Typical Parameters and Complexity Analysis
Algorithms 5 and 6 have the following properties:
-
Attestation size \(\left| \omega _n\right| = 2u \ell R\log k\), using the hash-tree compression technique in Sect. 5
-
\(\lambda \)-bit security approximatively when:
$$\begin{aligned} {\left( \frac{\ell u}{k - (\ell -1) u + 1} \right) }^{(\ell -1)u} \le 2^{-\lambda } \end{aligned}$$(according to the soundness bound given by Theorem 1, omitting the second part, which is negligible in practice);
-
Attestation and validation times mostly consist in generating (or re-generating) the \(k\) primes. Validation time is very slightly faster than attestation time.
5 Compressing the Attestation
As mentioned above, providing an attestation \(\omega _n\) “as is” might be cumbersome, as it grows linearly with \(k\). However, it is possible to drastically reduce \(\omega _n\)’s size using the following technique.
The tree of Fig. 2 is constructed as follows: Let \(h\) be some public hash function. Each non-leaf node \(C\) of the tree has two children, whose value is computed by \(r_{x0} \leftarrow h(r_x, 0)\) and \(r_{x1} \leftarrow h(r_x, 1)\) for the left child and the right child respectively, where \(r_x\) is the value of \(C\). Given a root seed \(r\), one can therefore reconstruct the whole tree. The leaf values can now be used as \(r_i\)’s for the attestation procedure.
To compress \(\omega _n\) we proceed as follows:
-
Get the indices \(X_1\) and \(X_2\) from the attestation procedure;
-
Identify the paths from \(X_1\) up to the root, and mark them;
-
Identify the paths from \(X_2\) up to the root, and mark them;
-
Send the following information:
$$\begin{aligned} \omega _n = \{ \text {for all leaves L, highest-ranking unmarked parent of L} \} \end{aligned}$$
This requires revealing at most \(2\log _2 k\) intermediate higher-rank hashesFootnote 6 instead of the \(k-2\) values required to encode \(\omega _n\) when naively sending the seeds directly.
Generalization to \(u\ell \ge 2\) is straightforward.
6 Parameter Settings
Table 2 shows typical parameter values illustrating different tradeoffs between security (\(\lambda \)), attestation size (\(2u \ell R\log k\)), modulus size (\(\ell \)), the number of required moduli (\(u\)), and the work factors of \(\mathcal A\) and \(\mathcal V\) (\(kt_{\mathcal {G}}\) where \(t_{\mathcal {G}}\) is \(\mathcal G\)’s average running time). Table 3 provides the same information for the multi-modulus variant.
We (arbitrarily) consider that reasonable attestations and validations should occur in less than ten minutes using standard HSM such as the IBM 4764 PCI-X Cryptographic Coprocessor [17] or Oracle’s Sun Crypto Accelerator SCA 6000 [23]. When run with 7 threads in the host application, the 4764 generates on average \(2.23\) key-pairs per second (1,024 bits). The SCA 6000 (for which average key generation figures are not available) is about 11 times faster than the 4764 when processing RSA 1,024-bit keys. Hence we can assume that the SCA 6000 would generate about 24 key-pairs per second. We thus consider that average-cost current-date HSMs generate 10 key-pairs per second, i.e., 20 primes per second.
Spending ten minutes to generate or validate an attestation might not be an issue given that attestation typically occurs only once during \(n\)’s lifetime. This means that a “reasonable” attestation implementation would use \(k = 10 \times 60 \times 20 =~\)12,000. This gives \(\ell = 10\) and \(\ell = 6\) for the multi-prime and multi-modulus \(\mathcal A\) (respectively) for \(\lambda = 128\).
Note that in practical field deployments an attestation would be verified once by a trusted Attestation Authority and replaced by a signature on \(n\) (or \(\mathbf {n}\)).
According to the bounds of Theorem 1, we have
Table 2 is read as follows: we can see that taking for instance \(\ell = 10\) and \(\log _2 k = 13\) with the multi-factor version gives 156-bit security. In Table 3, taking \(\ell =10\) and \(\log _2 k = 13\) with the multi-modulus version gives 285-bit security.
7 Conclusion and Further Research
The construction described in this paper attests in a non-interactive way that \(n\) was properly generated using an arbitrary (publicly known) prime generator \(\mathcal G\). The attestation is compact and publicly verifiable. As a result, any entity can convince herself of the modulus’ validity before using it. Even though computation times may seem unattractive, we stress that attestation generation and verification only need to be performed once.
This work raises a number of interesting questions.
Committing to the primes \(p_i\)’s might also be achieved using more involved tools such as pairings. For instance, given the commitments \(g^{p_1}\) and \(g^{p_2}\), it is easy to check that \(e(g^{p_1}, g^{p_2}) = e(g, g)^n\).
An interesting research direction consists in hashing \(N \bmod v\) (instead of \(N\)) for some public \(v\), to speed-up calculations. However, the condition \(v>n\) must be enforced by design to prevent an opponent from using \(\omega _n\) as the “attestation” of \(n+tv\) for some \(t\in \mathbb {N}\). Note that we did not adapt our security proof to this (overly?) simplified variant.
In general, any strategy allowing to reduce \(k\) without impacting \(\lambda \) would yield more efficient attestators. Also, generalizing and applying this approach to the parameter generation of other cryptographic problems, such as the discrete logarithm, may prove useful.
Finally, to date, no attestation method proves (without resorting to TTPs) that the random tape used for forming the primes was properly drawn. Like all other prior work articles cited in Sect. 1, we do not address this issue and assume that the random number that feeds \(\mathcal G\) was not biased by the attacker.
Notes
- 1.
A prime \(p\) is “quasi-safe” if \(p=2 u^a+1\) for a prime \(u\) and some integer \(a\).
- 2.
Sign, verify, encrypt, or decrypt.
- 3.
Because \(\mathcal G\) may destroy entropy, \(R\) must be large enough to make the function \(\mathcal G(\mathcal H(i,r))\) collision resistant.
- 4.
This product is actually an \(a_j\)-wise exclusive-or.
- 5.
A simple way to do so consists in re-running \(\mathcal G\) with \(r_i \Vert j\) (instead of \(r_i\)) for \(j = 1, 2, \cdots \) until \(\gcd (p_i - 1, e) = 1\).
- 6.
I.e., we essentially only publish co-paths.
References
Anderson, R.: Practical RSA trapdoor. Electron. Lett. 29(11), 995–995 (1993)
Bellare, M., Yung, M.: Certifying cryptographic tools: the case of trapdoor permutations. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 442–460. Springer, Heidelberg (1993). doi:10.1007/3-540-48071-4_31
Bellare, M., Yung, M.: Certifying permutations: noninteractive zero-knowledge based on any trapdoor permutation. J. Cryptology 9(3), 149–166 (1996)
Ben-Or, M., Goldreich, O., Goldwasser, S., Håstad, J., Kilian, J., Micali, S., Rogaway, P.: Everything provable is provable in zero-knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 37–56. Springer, New York (1990). doi:10.1007/0-387-34799-2_4
Boneh, D., Franklin, M.: Efficient generation of shared RSA keys (extended abstract). In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 425–439. Springer, Heidelberg (1997). doi:10.1007/BFb0052253
Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000). doi:10.1007/3-540-45539-6_31
Boyar, J., Friedl, K., Lund, C.: Practical zero-knowledge proofs: giving hints and using deficiencies. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 155–172. Springer, Heidelberg (1990). doi:10.1007/3-540-46885-4_18
Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
Camenisch, J., Michels, M.: Separability and efficiency for generic group signature schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 413–430. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_27
Chan, A., Frankel, Y., Tsiounis, Y.: Easy come — easy go divisible cash. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 561–575. Springer, Heidelberg (1998). doi:10.1007/BFb0054154
Cramer, R., Damgård, I.: Zero-knowledge proofs for finite field arithmetic, or: can zero-knowledge be for free? In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 424–441. Springer, Heidelberg (1998). doi:10.1007/BFb0055745
Fujisaki, E., Okamoto, T.: Statistical zero knowledge protocols to prove modular polynomial relations. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 16–30. Springer, Heidelberg (1997). doi:10.1007/BFb0052225
Fujisaki, E., Okamoto, T.: A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 32–46. Springer, Heidelberg (1998). doi:10.1007/BFb0054115
Gennaro, R., Micciancio, D., Rabin, T.: An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products. In: ACM CCS 1998, pp. 67–72. ACM Press, San Francisco, 2–5 November 1998
Goldreich, O., Micali, S., Wigderson, A.: How to prove all NP-statements in zero-knowledge, and a methodology of cryptographic protocol design. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 171–185. Springer, Heidelberg (1987)
Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006). doi:10.1007/11761679_21
IBM: 4764 PCI-X Cryptographic Coprocessor. http://www-03.ibm.com/security/cryptocards/pcixcc/overperformance.shtml
Juels, A., Guajardo, J.: RSA key generation with verifiable randomness. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 357–374. Springer, Heidelberg (2002). doi:10.1007/3-540-45664-3_26
Kakvi, S.A., Kiltz, E., May, A.: Certifying RSA. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 404–414. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_25
Liskov, M., Silverman, B.: A statistical-limited knowledge proof for secure RSA keys (1998) (manuscript)
Mao, W.: Verifiable partial sharing of integer factors. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 94–105. Springer, Heidelberg (1999). doi:10.1007/3-540-48892-8_8
Micali, S.: Fair public-key cryptosystems. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 113–138. Springer, Heidelberg (1993). doi:10.1007/3-540-48071-4_9
Oracle: Sun Crypto accelerator SCA 6000. http://www.oracle.com/us/products/servers-storage/036080.pdf
Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Cliptography: clipping the power of kleptographic attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part II. LNCS, vol. 10032, pp. 34–64. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53890-6_2
Stanton, D., White, D.: Constructive Combinatorics. Springer, New York (1986)
van de Graaf, J., Peralta, R.: A simple and secure way to show the validity of your public key. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 128–134. Springer, Heidelberg (1988). doi:10.1007/3-540-48184-2_9
Young, A., Yung, M.: The dark side of “Black-Box” cryptography or: should we trust capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_8
Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997). doi:10.1007/3-540-69053-0_6
Young, A., Yung, M.: The prevalence of kleptographic attacks on discrete-log based cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 264–276. Springer, Heidelberg (1997). doi:10.1007/BFb0052241
Young, A., Yung, M.: Malicious cryptography: kleptographic aspects (invited talk). In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 7–18. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30574-3_2
Young, A., Yung, M.: A space efficient backdoor in RSA and its applications. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 128–143. Springer, Heidelberg (2006). doi:10.1007/11693383_9
Acknowledgements
The first author was supported by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No.W911NF-15-C-0236.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Benhamouda, F., Ferradi, H., Géraud, R., Naccache, D. (2017). Non-interactive Provably Secure Attestations for Arbitrary RSA Prime Generation Algorithms. In: Foley, S., Gollmann, D., Snekkenes, E. (eds) Computer Security – ESORICS 2017. ESORICS 2017. Lecture Notes in Computer Science(), vol 10492. Springer, Cham. https://doi.org/10.1007/978-3-319-66402-6_13
Download citation
DOI: https://doi.org/10.1007/978-3-319-66402-6_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66401-9
Online ISBN: 978-3-319-66402-6
eBook Packages: Computer ScienceComputer Science (R0)