RSA Key Generation with Verifiable Randomness

We consider the problem of proving that a user has selected and correctly employed a truly random seed in the generation of her RSA key pair. This task is related to the problem of key validation, the process whereby a user proves to another party that her key pair has been generated securely. The aim of key validation is to persuade the verifying party that the user has not intentionally weakened or reused her key, or unintentionally made use of bad software. Previous approaches to this problem have been ad hoc, aiming to prove that a private key is secure against specific types of attacks, e.g., that an RSA modulus is resistant to elliptic-curve-based factoring attacks. This approach results in a rather unsatisfying laundry list of security tests for keys.

We propose a new approach that we refer to as key generation with verifiable randomness (KEGVER). Our aim is to show in zero knowledge that a private key has been generated at random according to a prescribed process, and is therefore likely to benefit from the full strength of the underlying cryptosystem. Our proposal may be viewed as a kind of distributed key generation protocol involving the user and verifying party. Because the resulting private key is held solely by the user, however, we are able to propose a protocol much more practical than conventional distributed key generation. We focus here on a KEGVER protocol for RSA key generation.
