Efficient noninteractive certification of RSA moduli and beyond. (English) Zbl 1456.94078
Galbraith, Steven D. (ed.) et al., Advances in cryptology – ASIACRYPT 2019. 25th international conference on the theory and application of cryptology and information security, Kobe, Japan, December 8–12, 2019. Proceedings. Part III. Cham: Springer. Lect. Notes Comput. Sci. 11923, 700-727 (2019).
Summary: In many applications, it is important to verify that an RSA public key \((N, e)\) specifies a permutation over the entire space \(\mathbb{Z}_N\), in order to prevent attacks due to adversarially-generated public keys. We design and implement a simple and efficient noninteractive zero-knowledge protocol (in the random oracle model) for this task. Applications concerned about adversarial key generation can just append our proof to the RSA public key without any other modifications to existing code or cryptographic libraries. Users need only perform a one-time verification of the proof to ensure that raising to the power \(e\) is a permutation of the integers modulo \(N\). For typical parameter settings, the proof consists of nine integers modulo \(N\); generating the proof and verifying it both require about nine modular exponentiations.
We extend our results beyond RSA keys and also provide efficient noninteractive zero-knowledge proofs for other properties of \(N\), which can be used to certify that \(N\) is suitable for the Paillier cryptosystem, is a product of two primes, or is a Blum integer. As compared to the recent work of B. Auerbach and B. Poettering [Lect. Notes Comput. Sci. 10770, 403–430 (2018; Zbl 1420.94035)], who provide two-message protocols for similar languages, our protocols are more efficient and do not require interaction, which enables a broader class of applications.
For the entire collection see [Zbl 1428.94010].
We extend our results beyond RSA keys and also provide efficient noninteractive zero-knowledge proofs for other properties of \(N\), which can be used to certify that \(N\) is suitable for the Paillier cryptosystem, is a product of two primes, or is a Blum integer. As compared to the recent work of B. Auerbach and B. Poettering [Lect. Notes Comput. Sci. 10770, 403–430 (2018; Zbl 1420.94035)], who provide two-message protocols for similar languages, our protocols are more efficient and do not require interaction, which enables a broader class of applications.
For the entire collection see [Zbl 1428.94010].
MSC:
| 94A60 | Cryptography |
Citations:
Zbl 1420.94035References:
| [1] | Auerbach, B.; Poettering, B.; Abdalla, M.; Dahab, R., Hashing solutions instead of generating problems: on the interactive certification of RSA moduli, Public-Key Cryptography - PKC 2018, 403-430, 2018, Cham: Springer, Cham · Zbl 1420.94035 · doi:10.1007/978-3-319-76581-5_14 |
| [2] | Bernstein, Daniel J., Detecting perfect powers in essentially linear time, Mathematics of Computation, 67, 223, 1253-1284, 1998 · Zbl 0910.11057 · doi:10.1090/S0025-5718-98-00952-1 |
| [3] | Benhamouda, F.; Ferradi, H.; Géraud, R.; Naccache, D.; Foley, SN; Gollmann, D.; Snekkenes, E., Non-interactive provably secure attestations for arbitrary RSA prime generation algorithms, Computer Security - ESORICS 2017, 206-223, 2017, Cham: Springer, Cham · Zbl 1500.94018 · doi:10.1007/978-3-319-66402-6_13 |
| [4] | Boyar, J.; Friedl, K.; Lund, C.; Quisquater, J-J; Vandewalle, J., Practical zero-knowledge proofs: giving hints and using deficiencies, Advances in Cryptology — EUROCRYPT ’89, 155-172, 1990, Heidelberg: Springer, Heidelberg · Zbl 0732.68033 · doi:10.1007/3-540-46885-4_18 |
| [5] | Bernstein, DJ; Lenstra, HW; Pila, J., Detecting perfect powers by factoring into coprimes, Math. Comput., 76, 257, 385-388, 2007 · Zbl 1110.11038 · doi:10.1090/S0025-5718-06-01837-0 |
| [6] | bouncycastle c# api. https://www.bouncycastle.org/csharp/index.html |
| [7] | Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62-73. ACM (1993) |
| [8] | Bellare, Mihir; Yung, Moti, Certifying Permutations: Noninteractive Zero-Knowledge Based on Any Trapdoor Permutation, Journal of Cryptology, 9, 3, 149, 1996 · Zbl 0861.94013 · doi:10.1007/s001459900009 |
| [9] | Camenisch, J.; Michels, M.; Stern, J., Proving in zero-knowledge that a number is the product of two safe primes, Advances in Cryptology — EUROCRYPT ’99, 107-122, 1999, Heidelberg: Springer, Heidelberg · Zbl 0971.94009 · doi:10.1007/3-540-48910-X_8 |
| [10] | Cachin, C.; Micali, S.; Stadler, M.; Stern, J., Computationally private information retrieval with polylogarithmic communication, Advances in Cryptology — EUROCRYPT ’99, 402-414, 1999, Heidelberg: Springer, Heidelberg · Zbl 0932.68042 · doi:10.1007/3-540-48910-X_28 |
| [11] | Tumblebit setup implementation. https://github.com/osagga/TumbleBitSetup |
| [12] | Catalano, Dario; Pointcheval, David; Pornin, Thomas, Trapdoor Hard-to-Invert Group Isomorphisms and Their Application to Password-Based Authentication, Journal of Cryptology, 20, 1, 115-149, 2006 · Zbl 1115.68072 · doi:10.1007/s00145-006-0431-8 |
| [13] | Damgård, I.; Jurik, M.; Kim, K., A Generalisation, a simplification and some applications of Paillier’s probabilistic public-key system, Public Key Cryptography, 119-136, 2001, Heidelberg: Springer, Heidelberg · Zbl 0987.94032 · doi:10.1007/3-540-44586-2_9 |
| [14] | Faust, S.; Kohlweiss, M.; Marson, GA; Venturi, D.; Galbraith, S.; Nandi, M., On the non-malleability of the Fiat-Shamir transform, Progress in Cryptology - INDOCRYPT 2012, 60-79, 2012, Heidelberg: Springer, Heidelberg · Zbl 1295.94063 · doi:10.1007/978-3-642-34931-7_5 |
| [15] | Fiat, A.; Shamir, A.; Odlyzko, AM, How to prove yourself: practical solutions to identification and signature problems, Advances in Cryptology — CRYPTO’ 86, 186-194, 1987, Heidelberg: Springer, Heidelberg · Zbl 0636.94012 · doi:10.1007/3-540-47721-7_12 |
| [16] | Goldwasser, S.; Micali, S., Probabilistic encryption, J. Comput. Syst. Sci., 28, 2, 270-299, 1984 · Zbl 0563.94013 · doi:10.1016/0022-0000(84)90070-9 |
| [17] | Gennaro, R., Micciancio, D., Rabin, T.: An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products. In: Gong, L., Reiter, M.K. (eds.) CCS 19, Proceedings of the 5th ACM Conference on Computer and Communications Security, San Francisco, CA, USA, 3-5 November 1998, pp. 67-72. ACM (1998). http://eprint.iacr.org/1998/008 |
| [18] | Heilman, E., Alshenibr, L., Baldimtsi, F., Scafuro, A. and Goldberg, S.: Tumblebit: an untrusted bitcoin-compatible anonymous payment hub. In: 24th Annual Network and Distributed System Security Symposium, NDSS. The Internet Society (2017). https://eprint.iacr.org/2016/575.pdf |
| [19] | Hazay, C.; Mikkelsen, GL; Rabin, T.; Toft, T.; Dunkelman, O., Efficient RSA key generation and threshold paillier in the two-party setting, Topics in Cryptology - CT-RSA 2012, 313-331, 2012, Heidelberg: Springer, Heidelberg · Zbl 1292.94074 · doi:10.1007/978-3-642-27954-6_20 |
| [20] | Hoeffding, W., Probability inequalities for sums of bounded random variables, J. Am. Stat. Assoc., 58, 301, 13-30, 1963 · Zbl 0127.10602 · doi:10.1080/01621459.1963.10500830 |
| [21] | Kakvi, SA; Kiltz, E.; May, A.; Wang, X.; Sako, K., Certifying RSA, Advances in Cryptology - ASIACRYPT 2012, 404-414, 2012, Heidelberg: Springer, Heidelberg · Zbl 1292.94087 · doi:10.1007/978-3-642-34961-4_25 |
| [22] | Lindell, Y.; Katz, J.; Shacham, H., Fast secure two-party ECDSA signing, Advances in Cryptology - CRYPTO 2017, 613-644, 2017, Cham: Springer, Cham · Zbl 1410.94091 · doi:10.1007/978-3-319-63715-0_21 |
| [23] | Lysyanskaya, A.; Micali, S.; Reyzin, L.; Shacham, H.; Cachin, C.; Camenisch, JL, Sequential aggregate signatures from trapdoor permutations, Advances in Cryptology - EUROCRYPT 2004, 74-90, 2004, Heidelberg: Springer, Heidelberg · Zbl 1122.94385 · doi:10.1007/978-3-540-24676-3_5 |
| [24] | Moriarty, K., Kaliski, B., Jonsson, J., Rusch, A.: RFC 8017: PKCS #1: RSA Cryptography Specifications Version 2.2. Internet Engineering Task Force (IETF) (2016). https://tools.ietf.org/html/rfc8017 |
| [25] | MacKenzie, P.; Patel, S.; Swaminathan, R.; Okamoto, T., Password-authenticated key exchange based on RSA, Advances in Cryptology — ASIACRYPT 2000, 599-613, 2000, Heidelberg: Springer, Heidelberg · Zbl 0974.94018 · doi:10.1007/3-540-44448-3_46 |
| [26] | Micali, S., Rabin, M.O., Vadhan, S.P.: Verifiable random functions. In: 40th Annual Symposium on Foundations of Computer Science, FOCS 1999, 17-18 October 1999, New York, NY, USA, pp. 120-130. IEEE Computer Society (1999) |
| [27] | Tumblebit implementation in.net core. https://github.com/NTumbleBit/NTumbleBit/ |
| [28] | Shoup, V.: A Computational Introduction to Number Theory and Algebra, 2nd edn. Cambridge University Press (2009). http://www.shoup.net/ntb/ntb-v2.pdf · Zbl 1196.11002 |
| [29] | Stratis Blockchain: Bitcoin privacy is a breeze: tumblebit successfully integrated into breeze, August 2017. https://stratisplatform.com/2017/08/10/bitcoin-privacy-tumblebit-integrated-into-breeze/ |
| [30] | Wong, DS; Chan, AH; Zhu, F.; Johansson, T.; Maitra, S., More efficient password authenticated key exchange based on RSA, Progress in Cryptology - INDOCRYPT 2003, 375-387, 2003, Heidelberg: Springer, Heidelberg · Zbl 1123.94365 · doi:10.1007/978-3-540-24582-7_28 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
