A Performant, Misuse-Resistant API for Primality Testing

Primality testing is a basic cryptographic task. But developers today are faced with complex APIs for primality testing, along with documentation that fails to clearly state the reliability of the tests being performed. This leads to the APIs being incorrectly used in practice, with potentially disastrous consequences. In an effort to overcome this, we present a primality test having a simplest-possible API: the test accepts a number to be tested and returns a Boolean indicating whether the input was composite or probably prime. For all inputs, the output is guaranteed to be correct with probability at least 1 − 2^−128. The test is performant: on random, odd, 1024-bit inputs, it is faster than the default test used in OpenSSL by 17%. We investigate the impact of our new test on the cost of random prime generation, a key use case for primality testing. The OpenSSL developers have adopted our suggestions in full; our new API and primality test are scheduled for release in OpenSSL 3.0.

CCS Concepts: • Mathematics of computing → Random number generation; • Security and privacy → Mathematical foundations of cryptography; • Software and its engineering → Software libraries and repositories.
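To make the "simplest-possible API" concrete, here is an added example (not the paper's test and not OpenSSL's code) of a single-call `is_prime(n)` with no caller-chosen rounds or flags. It reaches the 2^−128 worst-case bound the abstract states by the classical Rabin–Monier argument: one Miller–Rabin round with a uniformly random base accepts a composite with probability at most 1/4, so 64 independent rounds give at most 4^−64 = 2^−128 on every input; the round count and the small-prime trial division are this example's assumptions.

```python
import secrets

# Constructed example of a misuse-resistant primality API: the only input is n,
# the output is a bool, and the error bound holds for ALL inputs. Not the paper's
# or OpenSSL's implementation; the bound rests on the Rabin-Monier result that a
# random-base Miller-Rabin round accepts a composite with probability <= 1/4.

MR_ROUNDS = 64          # 4^-64 = 2^-128 false-accept probability on any composite
SMALL_PRIMES = [p for p in range(2, 200) if all(p % q for q in range(2, p))]


def _miller_rabin_round(n, a, d, s):
    """One strong-probable-prime test of n to base a, where n - 1 = d * 2^s."""
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False           # a is a witness: n is definitely composite


def is_prime(n: int) -> bool:
    """True iff n is prime; a composite is accepted with probability <= 2^-128."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:          # exact for n < 200, fast reject otherwise
        if n == p:
            return True
        if n % p == 0:
            return False
    d, s = n - 1, 0
    while d % 2 == 0:               # write n - 1 = d * 2^s with d odd
        d //= 2
        s += 1
    for _ in range(MR_ROUNDS):
        a = 2 + secrets.randbelow(n - 3)    # uniform base in [2, n-2]; n > 199 here
        if not _miller_rabin_round(n, a, d, s):
            return False
    return True


def error_bound_bits(rounds: int = MR_ROUNDS) -> int:
    """k such that the false-accept probability is at most 2^-k (two bits per round)."""
    return 2 * rounds
```

The caller never sees a round count, a "trial division only" flag or a trust-level parameter, which is exactly the misuse surface the abstract argues should be removed.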
