Paper study notes: Diogenes: Lightweight Scalable RSA Modulus Generation with a Dishonest Majority
Introduction
What is an RSA modulus? Answer: $N = pq$
A new concept is introduced here: the biprime. $N$ is a biprime if it is the product of exactly two primes.
Biprime - product of exactly two primes
RSA History
- 1977 - RSA Public-Key Encryption
- 1999 - Paillier Public-Key Encryption
- 2001 - CRS for UC setting
- 2018 - Verifiable Delay Functions (VDF)
(1)The properties of VDF
(2)VDF Construction
1996 - Rivest-Shamir-Wagner timelock puzzle
$y = g^{2^T} \bmod N$
2018 - VDF constructions by Pietrzak, Wesolowski
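As an added illustration (not code from the paper or from any VDF implementation), the following evaluates the time-lock puzzle $y = g^{2^T} \bmod N$ both the slow way and via the trapdoor that the factorization of $N$ provides. The toy modulus $N = 1019 \cdot 1031$ and the base and delay values are assumptions; the point is that anyone who knows $p$ and $q$ removes the delay, which is why a VDF modulus must be generated without any single party learning its factors.

```python
# Added illustration (not from the paper) of evaluating the
# Rivest-Shamir-Wagner puzzle / VDF  y = g^(2^T) mod N, and of the trapdoor
# that knowledge of N's factorisation gives. N = 1019 * 1031 is a toy
# modulus (assumed); a real deployment needs an N whose factors nobody
# knows, which is exactly what distributed generation is for.

P, Q = 1019, 1031          # assumed toy factors (both prime)
N = P * Q


def eval_sequential(g, T, N):
    """T squarings in a row: no known shortcut when phi(N) is unknown."""
    y = g % N
    for _ in range(T):
        y = y * y % N
    return y


def eval_with_trapdoor(g, T, p, q):
    """With phi(N) = (p-1)(q-1) known, reduce the exponent 2^T mod phi(N)
    first (valid for g coprime to N); the whole evaluation then costs
    O(log T) multiplications and the delay guarantee disappears."""
    phi = (p - 1) * (q - 1)
    return pow(g, pow(2, T, phi), p * q)


if __name__ == "__main__":
    g, T = 5, 10_000
    print("sequential:", eval_sequential(g, T, N))
    print("trapdoor:  ", eval_with_trapdoor(g, T, P, Q))
```

Both functions return the same value; only the number of modular multiplications differs, which is the whole security argument of the puzzle.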
Scheme
Goal
1. The participants interactively select a biprime $N$.
2. Target setting: 1024 parties, with security against an active adversary corrupting up to $n-1$ of the $n$ parties (dishonest majority).
Step 1: design a protocol that is secure against passive (semi-honest) adversaries.
Step 2: extend it to withstand active (malicious) adversaries.
Step 1: Scalable Passive Protocol
Boneh-Franklin Framework[BF97]
- Each participant $P_i$ samples random $p_i, q_i$
- The participants jointly compute $N = \sum_i p_i \cdot \sum_i q_i$
- Test whether $N$ is the product of two primes
Overview of techniques
Approach
- Sieve first
- construct later [CCD+20]
The following comes from the Crypto 2020 paper Multiparty Generation of an RSA Modulus [CCD+20], which explains where the pre-sieving method comes from (and proves it); it mainly relies on the Chinese Remainder Theorem. See that paper for details if interested.
The following, also from [CCD+20], gives the Chinese-Remainder-Theorem identities relating the small-prime residues to the sum of the values the parties choose. It is also the origin (and proof) of the method by which the final active protocol in Diogenes: Lightweight Scalable RSA Modulus Generation with a Dishonest Majority produces $N$; it mainly relies on the Chinese Remainder Theorem and the multiplication triple technique.
Threshold Homomorphic Encryption
- Distributed key generation: public key $PK$, secret keys $sk_1, \dots, sk_n$
- Encryption: $Enc_{PK}(m)$
- Distributed decryption: $m = Dec_{sk_1}(c) + \cdots + Dec_{sk_n}(c)$
- Addition under encryption: $Enc_{PK}(m_1) + Enc_{PK}(m_2) = Enc_{PK}(m_1 + m_2)$
- Scalar multiplication under encryption: $a \cdot Enc_{PK}(m) = Enc_{PK}(a \cdot m)$
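The following is an added toy example, not code from the paper or from any library, showing how the two homomorphic operations above are enough to compute $N = \sum_i p_i \cdot \sum_i q_i$ from encrypted shares. A plain (non-threshold) Paillier key pair stands in for $PK, sk_1, \dots, sk_n$: distributed key generation and distributed decryption are not simulated, and the key size and share values are assumptions.

```python
import random
from math import gcd

# Added toy example (not the paper's code): an additively homomorphic
# Paillier instance driven the way the threshold-HE bullets above describe,
# to compute N = (sum_i p_i) * (sum_i q_i) from encrypted shares. A single
# key pair stands in for the threshold setup (PK, sk_1..sk_n); distributed
# key generation and distributed decryption are NOT simulated. Key size and
# share values are illustrative assumptions.


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits, rng):
    """PK = (n, g = n + 1), SK = (lambda, mu): textbook Paillier."""
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        if p != q and gcd(p * q, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (n, n + 1), (lam, pow(lam, -1, n))


def enc(pk, m, rng):
    n, g = pk
    n2 = n * n
    r = rng.randrange(1, n)
    while gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return pow(g, m, n2) * pow(r, n, n2) % n2


def dec(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def add(pk, c1, c2):
    """Enc(m1) + Enc(m2) -> Enc(m1 + m2): ciphertexts multiply mod n^2."""
    return c1 * c2 % (pk[0] ** 2)


def scal(pk, a, c):
    """a * Enc(m) -> Enc(a * m): ciphertext raised to the power a mod n^2."""
    return pow(c, a, pk[0] ** 2)


def product_of_sums(pk, sk, p_shares, q_shares, rng):
    """BF product under encryption. Round 1: every party broadcasts
    Enc(p_i); adding them gives Enc(p). Round 2: every party multiplies
    Enc(p) by its private q_i and re-randomises; adding gives Enc(p*q).
    The decryptor (the threshold parties in the real scheme) opens N."""
    enc_p = enc(pk, p_shares[0], rng)
    for p_i in p_shares[1:]:
        enc_p = add(pk, enc_p, enc(pk, p_i, rng))
    enc_N = None
    for q_i in q_shares:
        term = add(pk, scal(pk, q_i, enc_p), enc(pk, 0, rng))  # re-randomise
        enc_N = term if enc_N is None else add(pk, enc_N, term)
    return dec(pk, sk, enc_N)


def demo(seed=5):
    rng = random.Random(seed)
    pk, sk = keygen(48, rng)
    p_shares, q_shares = [400, 319, 300], [500, 231, 300]  # sums 1019, 1031
    return {
        "N": product_of_sums(pk, sk, p_shares, q_shares, rng),
        "pq": sum(p_shares) * sum(q_shares),
        "sum": dec(pk, sk, add(pk, enc(pk, 123, rng), enc(pk, 456, rng))),
        "scalar": dec(pk, sk, scal(pk, 7, enc(pk, 89, rng))),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing but $Enc(p_i)$ and re-randomised $q_i \cdot Enc(p)$ ever leaves a party, so in the threshold version only the final $Enc(N)$ is jointly decrypted; the shares $p_i, q_i$ stay private.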
Generation process
[BF97]’s Distributed Biprimality Test
Please refer to Overview of techniques —BI-PRIMALITY TEST.
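Added toy run of the [BF97] distributed biprimality test in the passive setting, not code from the paper: each party raises a public base $g$ to an exponent built only from its own shares, and the product of the partial results equals $g^{(N - p - q + 1)/4} \bmod N$, which must be $\pm 1$ when $N$ is a biprime with $p \equiv q \equiv 3 \pmod 4$. The primes, party count and number of trials are assumptions, $N$ is formed in the clear for the demo, and the $\gcd(N, p + q - 1) = 1$ side check is done in the clear as well (the protocol outline later on the page does it with the triple technique).

```python
import random
from math import gcd

# Added toy run of the Boneh-Franklin distributed biprimality test in the
# passive setting (no zero-knowledge proofs). n parties hold additive shares
# of p and q; P_1's shares are 3 (mod 4), all other shares are 0 (mod 4), so
# p = q = 3 (mod 4) as [BF97] requires. Primes, party count and trial count
# are illustrative assumptions, and N is formed in the clear here (in the
# protocol it comes out of the MPC product).


def jacobi(a, n):
    """Jacobi symbol (a / n) for odd n > 0; 0 when gcd(a, n) > 1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def share_3mod4(x, n, rng):
    """Shares of x = 3 (mod 4): parties 2..n get random multiples of 4,
    P_1 gets the remainder, so only P_1's share is 3 (mod 4)."""
    others = [4 * rng.randrange(x // (4 * n)) for _ in range(n - 1)]
    return [x - sum(others)] + others


def bf_round(N, g, p_sh, q_sh):
    """One round: every party exponentiates with its own shares only.
    P_1 uses (N + 1 - p_1 - q_1)/4, P_i (i > 1) uses -(p_i + q_i)/4; both
    are integers by the share layout, and the product of the partial
    results is g^((N - p - q + 1)/4) mod N."""
    partial = pow(g, (N + 1 - p_sh[0] - q_sh[0]) // 4, N)
    for p_i, q_i in zip(p_sh[1:], q_sh[1:]):
        partial = partial * pow(g, -((p_i + q_i) // 4), N) % N
    return partial in (1, N - 1)


def bf_test(N, p_sh, q_sh, rng, trials=40):
    """True iff `trials` random g with Jacobi (g / N) = 1 all pass.
    A genuine biprime always passes; any other N fails each round with
    probability at least 1/2, provided gcd(N, p + q - 1) = 1."""
    done = 0
    while done < trials:
        g = rng.randrange(2, N - 1)
        if jacobi(g, N) != 1:
            continue
        if not bf_round(N, g, p_sh, q_sh):
            return False
        done += 1
    return True


def demo(n=3, seed=11):
    """(1019, 1031) is a biprime; 1023 = 3 * 11 * 31 is composite, so
    1019 * 1023 must be rejected."""
    rng = random.Random(seed)
    verdicts = {}
    for p, q in ((1019, 1031), (1019, 1023)):
        p_sh, q_sh = share_3mod4(p, n, rng), share_3mod4(q, n, rng)
        N = sum(p_sh) * sum(q_sh)  # demo only; the protocol never sees p, q
        verdicts[(p, q)] = gcd(N, p + q - 1) == 1 and bf_test(N, p_sh, q_sh, rng)
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Each round only rules out a non-biprime with probability at least 1/2, so the number of rounds sets the soundness error; in the active setting each party additionally has to prove that its partial exponentiation used the same shares it committed to, which is where the Σ-protocol and certification steps in the protocol outline come in.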
Step 2: Security against Active Adversaries
Beaver’s triple
Given a random triple $[a], [b], [c]$ with $c = ab$, each party $P_i$ inputs $[x]_i$ and $[y]_i$. Finally, $P_i$ obtains $[xy]_i$, where $xy = \sum_i x_i \cdot \sum_i y_i$.
More details are described as follows.
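The following is an added simulation, not code from the paper or from [CCD+20], that puts the Beaver-triple multiplication above together with the "sieve first, construct later" pre-sieving from the Overview of techniques: every party contributes a unit modulo each small prime, the units are multiplied under sharing so that the candidate has no small factor, the per-prime shares are combined party-wise by the Chinese Remainder Theorem, and $N = \sum_i p_i \cdot \sum_i q_i$ is computed with one more Beaver multiplication. All parties run in one process, the triples come from a trusted dealer rather than a triple-generation phase, and the list of sieving primes, the party count and the product modulus are assumptions.

```python
import random
from math import prod

# Added toy simulation (not the paper's code) of Beaver-triple multiplication
# over additive shares, CRT-based pre-sieving, and N = sum(p_i) * sum(q_i).
# All parties live in one process and a trusted dealer samples the triples;
# the sieving primes, party count and product modulus are assumptions.

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31]
M = prod(SMALL_PRIMES)  # CRT modulus for the sieved part of a candidate


def share(x, n, mod, rng):
    """Additively share x among n parties: sum of shares == x (mod mod)."""
    s = [rng.randrange(mod) for _ in range(n - 1)]
    s.append((x - sum(s)) % mod)
    return s


def reconstruct(shares, mod):
    return sum(shares) % mod


def dealer_triple(n, mod, rng):
    """Beaver triple ([a], [b], [ab]) from a trusted dealer (simulation only)."""
    a, b = rng.randrange(mod), rng.randrange(mod)
    return (share(a, n, mod, rng), share(b, n, mod, rng),
            share(a * b % mod, n, mod, rng))


def beaver_mul(x_sh, y_sh, triple, mod):
    """Shares of x*y from shares of x and y plus one triple.

    Every party opens d_i = [x]_i - [a]_i and e_i = [y]_i - [b]_i; the
    reconstructed d = x - a and e = y - b are one-time-padded by a, b and
    reveal nothing. Then [xy]_i = [c]_i + d*[b]_i + e*[a]_i, and one party
    adds the public constant d*e."""
    a_sh, b_sh, c_sh = triple
    d = reconstruct([(x - a) % mod for x, a in zip(x_sh, a_sh)], mod)
    e = reconstruct([(y - b) % mod for y, b in zip(y_sh, b_sh)], mod)
    out = [(c + d * b + e * a) % mod for a, b, c in zip(a_sh, b_sh, c_sh)]
    out[0] = (out[0] + d * e) % mod
    return out


def presieve_candidate(n, rng):
    """'Sieve first, construct later': shares (mod M) of a candidate p that
    is a unit modulo every sieving prime, i.e. gcd(p, M) == 1.

    Per small prime l, every party picks a unit u_i mod l. A product of
    units is a unit, so shares of prod(u_i) are shares of a nonzero residue;
    the product is formed with Beaver multiplications, each u_i entering as
    the trivial sharing [0, .., u_i, .., 0]. The per-prime shares are then
    CRT-combined party-wise: CRT is linear, so the combined shares still
    sum to the CRT image of the residues."""
    p_sh = [0] * n
    for l in SMALL_PRIMES:
        units = [rng.randrange(1, l) for _ in range(n)]
        acc = [units[0]] + [0] * (n - 1)
        for i in range(1, n):
            u_i = [0] * n
            u_i[i] = units[i]
            acc = beaver_mul(acc, u_i, dealer_triple(n, l, rng), l)
        m_l = M // l
        coef = m_l * pow(m_l, -1, l)  # 1 mod l, 0 mod every other prime
        p_sh = [(ps + coef * r) % M for ps, r in zip(p_sh, acc)]
    return p_sh


def generate_modulus(n, rng):
    """Shares of p and q via pre-sieving, then N = (sum p_i)(sum q_i).
    Integer sums of the shares are below n*M, so the product is exact in
    Z_B with B > (n*M)^2 (assumed modulus; real protocols use a far larger one)."""
    B = (n * M) ** 2 + 1
    p_sh = presieve_candidate(n, rng)
    q_sh = presieve_candidate(n, rng)
    N_sh = beaver_mul(p_sh, q_sh, dealer_triple(n, B, rng), B)
    return p_sh, q_sh, reconstruct(N_sh, B)


def demo(n=4, seed=7):
    rng = random.Random(seed)
    p_sh, q_sh, N = generate_modulus(n, rng)
    return sum(p_sh), sum(q_sh), N


if __name__ == "__main__":
    p, q, N = demo()
    print(p, q, N, all(p % l and q % l for l in SMALL_PRIMES))
```

The candidate produced this way is only guaranteed free of the sieving primes; it still has to go through the biprimality test, but the sieving removes the large fraction of candidates that a small prime would have caught, which is what makes the per-candidate cost affordable at 1024 parties.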
PROTOCOL $\Pi_{\text{RSA-ML}}$
- Notations
- Triples generation
- Pre-sieving
- CRT reconstruction
- Candidate generation = Deconstruct + triple technique in pre-sieving + CRT reconstruction
- Jacobi test (standard)
- GCD test = triple technique from pre-sieving + GCD test (standard)
- Certification (for the triple technique) and Σ-protocol (for the Jacobi test)
- Output phase
Pre-sieving
CRT reconstruction
Candidate generation—Deconstruct
Σ-protocol
Summary
- Key Setup: generate threshold keys
- Generate Candidates: sample pre-approved (pre-sieved) primes
- Compute Products: use TAHE to compute the candidate moduli
- Biprimality test: BF biprimality test
- Certification: Ligero ZK + Σ-protocol