Paper study notes: Diogenes: Lightweight Scalable RSA Modulus Generation with a Dishonest Majority

Introduction

What is an RSA modulus? Answer: $N = pq$

This introduces a new concept, the biprime: if $N$ is a biprime, it is the product of two primes.
Biprime - product of exactly two primes

RSA History

  1. 1977 - RSA Public-Key Encryption
  2. 1999 - Paillier Public-Key Encryption
  3. 2001 - CRS for UC setting
  4. 2018 - Verifiable Delay Functions (VDF)

(1) The properties of VDF
[Figure: The properties of VDF]
(2) VDF Construction
1996 - Rivest-Shamir-Wagner timelock puzzle
$y = g^{2^T} \bmod N$
2018 - VDF constructions by Pietrzak, Wesolowski

Scheme

Goal

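1. The parties interactively select a biprime $N$.
2. 1024 parties + (n-1) active security
Step 1: design a protocol that is secure against passive adversaries
Step 2: extend it to withstand active adversaries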

Step 1: Scalable Passive Protocol

Boneh-Franklin Framework[BF97]

  1. Each party randomly chooses $p_i, q_i$
  2. The parties jointly compute $N=\sum_i{p_i} \cdot \sum_i{q_i}$
  3. Test whether $N$ is the product of two primes

Overview of techniques

[Figure: Overview of techniques]

Approach

  1. Sieve first
  2. construct later[CCD+20]

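The following, taken from the CRYPTO 2020 paper Multiparty Generation of an RSA Modulus, explains where the pre-sieving method comes from (proof?); it mainly involves the Chinese Remainder Theorem. See that paper if you are interested.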
[Figures: Why? Sieve first]
[Figure: Why? Construct later]

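The following, from the CRYPTO 2020 paper Multiparty Generation of an RSA Modulus, gives the equations relating the Chinese Remainder Theorem to the sum of the values chosen by the parties. It is also the source (proof) of the method for producing $N$ in the final active protocol constructed in Diogenes: Lightweight Scalable RSA Modulus Generation with a Dishonest Majority, and mainly involves the Chinese Remainder Theorem and the multiplication triple technique.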

[Figure: Why? Construct later]

Threshold Homomorphic Encryption

  1. Distributed key generation
    Public key: $PK$ Secret keys: $sk_1, \dots, sk_n$
  2. Encryption
    $Enc_{PK}(m)$
  3. Distributed decryption
    $m = Dec_{sk_1}(c) + \cdots + Dec_{sk_n}(c)$
  4. Addition under encryption
    $Enc_{PK}(m_1) + Enc_{PK}(m_2) = Enc_{PK}(m_1 + m_2)$
  5. Scalar multiplication under encryption
    $a \cdot Enc_{PK}(m) = Enc_{PK}(a \cdot m)$

Generation process

[Figure: Process]

[BF97]’s Distributed Biprimality Test

Please refer to Overview of techniques —BI-PRIMALITY TEST.

Step 2: Security against Active Adversaries

Beaver’s triple

Given a random triple [a], [b], [c], each party $P_i$ inputs $[x]_i$ and $[y]_i$. Finally, $P_i$ can obtain $[xy]_i$, where $xy = \sum_i{x_i} \sum_i{y_i}$.
More details are described as follows.
[Figure: Beaver's triple]
[Figure: Triple]
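
An added example (not from the paper or the original post) of Beaver-triple multiplication on additive shares, used here to open $N=\sum_i{p_i} \cdot \sum_i{q_i}$ without any party revealing its $p_i, q_i$. The share modulus `M`, the trusted-dealer stand-in `deal_triple` and all function names are assumptions, and only the passive case is covered.

```python
import secrets

# Constructed share modulus (assumption): must exceed any product being opened.
M = (1 << 127) - 1

def share(value, n):
    """Split value into n additive shares mod M."""
    parts = [secrets.randbelow(M) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % M)
    return parts

def reconstruct(parts):
    """Open a shared value by summing all shares mod M."""
    return sum(parts) % M

def deal_triple(n):
    """Trusted-dealer stand-in (assumption): shares of random a, b and c = a*b."""
    a, b = secrets.randbelow(M), secrets.randbelow(M)
    return share(a, n), share(b, n), share(a * b % M, n)

def beaver_multiply(x_sh, y_sh, triple):
    """Return shares [xy]_i from shares [x]_i, [y]_i and one triple."""
    a_sh, b_sh, c_sh = triple
    # Each party broadcasts x_i - a_i and y_i - b_i. The opened sums d and e
    # leak nothing about x and y because a and b are uniform one-time masks.
    d = reconstruct([(x - a) % M for x, a in zip(x_sh, a_sh)])
    e = reconstruct([(y - b) % M for y, b in zip(y_sh, b_sh)])
    # xy = (d + a)(e + b) = c + d*b + e*a + d*e, computed locally per party.
    out = [(c + d * b + e * a) % M for a, b, c in zip(a_sh, b_sh, c_sh)]
    out[0] = (out[0] + d * e) % M  # the public term d*e is added exactly once
    return out

def candidate_modulus(p_parts, q_parts):
    """Open N = (sum p_i)(sum q_i); party i contributes only p_i and q_i."""
    # The p_i and q_i are already additive shares of p and q.
    triple = deal_triple(len(p_parts))
    return reconstruct(beaver_multiply(p_parts, q_parts, triple))

if __name__ == "__main__":
    # Constructed toy inputs: p = 3 + 5 + 9 = 17, q = 7 + 10 + 6 = 23.
    print(candidate_modulus([3, 5, 9], [7, 10, 6]))
```

A triple must never be reused: opening $d$ for two different inputs masked by the same $a$ reveals their difference.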

PROTOCOL $\Pi_{(RSA-ML)}$

  1. Notations
  2. Triples generation
  3. Pre-sieving
  4. CRT reconstruction
  5. Candidate generation = Deconstruct + Triple technique in pre-sieving + CRT reconstruction
  6. Jacobi test (normal) GCD test = Triple technique in pre-sieving + GCD test (normal)
  7. Certification (in triple technique) and Σ-protocol (in Jacobi test)
  8. Output phase

Pre-sieving

[Figure: Pre-sieving]

CRT reconstruction

[Figure: CRT reconstruction]

Candidate generation—Deconstruct

[Figure: Candidate generation: Deconstruct]

Σ-protocol

[Figure: Σ-protocol]

Summary

  1. Key Setup: Generate threshold keys
  2. Generate Candidates: Sample pre-approved primes
  3. Compute Products: Use TAHE to compute candidates
  4. Biprimality test: BF biprimality test
  5. Certification: Ligero ZK + Sigma