Certification of Secure RSA Keys

S.R. Blackburn* and Steven D. Galbraith†
Department of Mathematics, Royal Holloway, University of London, Egham, Surrey TW20 0EX, United Kingdom
[email protected] [email protected]

May 6, 1999

Abstract

In environments using RSA schemes, a Certification Authority (CA) is often used to bind a user's public key to their identity. The paper proposes a method of RSA key generation which convinces the CA that a user's key has been well generated, i.e. that the resulting RSA problem is hard with overwhelming probability. This is achieved by involving both the user and the CA in the key generation process in such a way that the CA does not obtain significant information about the user's secret RSA decryption key.

1 Introduction

This paper is concerned with RSA key generation in the following situation. Suppose we have a collection of users that wish to encrypt and/or sign messages using RSA. Further, suppose that every user relies on a Certification Authority (CA) to validate public RSA keys.

* This author is an EPSRC Advanced Fellow.
† This author thanks the EPSRC for support.


Classically, the CA is only used to bind users to their keys. In some situations it would be desirable for the CA to assure more than this. For instance, suppose a user A is sending valuable information to user B using the public key of B. If the public key of B is chosen badly then there is a heightened risk of a third party intercepting and decrypting this communication. If the CA is able to assure A that the public key of B was well generated then A has more confidence in the security of the system. Of course, such an assurance can never safeguard against a user B who reveals their private key (or the contents of a message) to a third party.

By a well generated RSA key, we simply mean a key chosen by a method that produces secure RSA keys with overwhelming probability. This paper proposes a practical RSA key generation method whereby a user and a CA can interact to produce an RSA key (N, e) such that

1. the user knows the corresponding secret key d;
2. the knowledge gained by the CA does not help in breaking the resulting RSA problem;
3. the CA is convinced that the pair (N, e) has been well generated.

This is achieved by forcing e and the two factors of N to be chosen almost uniformly at random. The protocol we will describe depends on the assumption that uniformly chosen primes and exponents suffice to generate secure RSA keys; see Silverman [10] and Menezes, van Oorschot and Vanstone [7, Section 8.2.3].

There have been concerns about `first party attacks' on RSA signatures, where a user deliberately chooses a weak key; see the ANSI X9.31 standard [1, Section C.2] and Pinch [9]. Property 3 of our generation method will guard against such attacks. To help guard against first party attacks, it has been proposed [1] that the factors of an RSA modulus should always be chosen to be strong primes. This restriction on the modulus is not helpful in the situation we are considering in this paper, for two reasons. Firstly, it is possible that a user could choose their modulus to be the product of two strong primes that can be factored by a special purpose factoring algorithm. Therefore the fact that moduli are of a restricted form does not guarantee that the resulting RSA key is likely to be secure. Secondly, it is difficult for a user to efficiently prove to the CA in zero knowledge that the modulus is a product of two strong primes; see Gennaro et al. [5] and Camenisch and Michels [3] for some protocols which will help in this situation.

Alternative methods of key generation that address the issues we are considering in this paper include

- requiring users' RSA keys to be generated by a trusted party and not allowing any user to choose their own RSA key;
- requiring that all users' RSA moduli be generated using a fixed method and a fixed random number generator, in which case a user's modulus would be determined by the initial value of the seed.

A problem with the first method is that the users must trust another entity to both generate and transmit the private keys securely. A problem with the second method is that the only known practical way to verify that the process of key generation has been performed correctly reveals the secret key to the CA or an arbitrator.

The remainder of the paper is organised as follows. We give a more precise description of our security model in Section 2. The protocol itself is outlined in Section 3. We analyse the security of the protocol in Section 4. Finally, in Section 5, we discuss ways in which the protocol may be modified to improve its efficiency in practice.

2 Security Model

In this section we give a formal definition of our security model. Our protocol involves two parties which communicate over a public authentic channel. We model this situation by a pair of linked interactive Turing machines (U, C). The following two definitions formalise the notion of a two party protocol to generate secure RSA parameters for one of the parties when both parties are honest.

Definition 1 A pair (U, C) of linked interactive Turing machines is a polynomial time RSA generator (for U) if with non-negligible probability (U, C) terminates in polynomial time and outputs a pair (N, e) of positive integers where

- N is a product of two distinct primes,
- gcd(e, φ(N)) = 1, and
- a representation of e^{-1} (mod φ(N)) is a private output of U.

Definition 2 A polynomial time RSA generator (U, C) produces secure parameters if, for all polynomial time Turing machines M, the probability that M outputs x ∈ Z/NZ when presented with ((N, e), x^e (mod N)) is negligible, where (N, e) is generated by (U, C) and x ∈ Z/NZ is chosen uniformly at random.

The next two definitions formalise the security we require from our generation process in the case where one of the parties deviates from the protocol. If the user deviates from the protocol we require that the generation process still produces secure RSA parameters. If the CA deviates from the protocol we require, in addition, that the CA learns no information that can be used to its advantage in solving the resulting RSA problem.

Definition 3 A polynomial time RSA generator (U, C) is secure against user adversaries if, for all Turing machines U* such that (U*, C) is a polynomial time RSA generator, (U*, C) produces secure parameters.

Definition 4 A polynomial time RSA generator (U, C) is secure against CA adversaries if, for all Turing machines C* and M' such that (U, C*) is a polynomial time RSA generator, the probability that M' outputs x ∈ Z/NZ in polynomial time when presented with ((N, e), T(C*), x^e (mod N)) is negligible, where (N, e) is generated by (U, C*), T(C*) is the transcript of the point of view of C* during the generation of (N, e), and x ∈ Z/NZ is chosen uniformly at random.

3 The Protocol

We first give a high level overview of the protocol. The protocol generates a sequence of n-bit integers of the form u_i + c_i where the integers u_i are chosen by U and where the public integers c_i are constructed jointly and uniformly at random by U and C. The modulus N is defined to be the product of the first two integers u_i + c_i which are prime. The user U proves to C that the u_i are the right size, that N is a product of two primes of the form u_i + c_i and that none of the earlier u_i + c_i are prime. Finally, an encryption exponent e is constructed jointly and uniformly at random. Provided U or C acts honestly, the integers c_i are chosen uniformly at random and so the resulting modulus is an almost uniform product of two primes. Since C does not learn any useful information about the integers u_i from the protocol, C cannot break the resulting RSA problem.

We now provide further details of the protocol. The protocol makes use of a bit commitment scheme and various zero-knowledge proof systems. We discuss the choice of these components below. With reference to the security model of Section 2, we assume that the protocol fails to terminate if any of the zero-knowledge proofs fail. The protocol also requires that both parties have access to a mutually trusted source of randomness. This can be simulated by both parties publishing commitments to random bit streams and, whenever a random bit is required, each party opening a commitment and XORing the resulting two bits.

1. U chooses a sequence {u_1, u_2, ..., u_k} of integers, uniformly and independently in the interval [2^{n-2}, 2^{n-1} - 1], subject to u_i ≡ 1 mod 2. The integer k should be chosen to be larger than twice the expected number of trials of random n-bit integers until a prime is encountered. (Taking k = n should be sufficient.) U publishes commitments to the values u_i using the bit commitment scheme.

2. U and C extract k integers c_1, c_2, ..., c_k ∈ [2^{n-2}, 2^{n-1} - 1] such that c_i ≡ 0 mod 2 from the trusted source of randomness.

3. For each i ∈ {1, 2, ..., k} in turn, U checks whether u_i + c_i is prime until two primes have been found. If two primes cannot be found, then U opens all the commitments to the integers u_i, C checks that the commitments were correctly made and that there is at most one prime of the form u_i + c_i, and both parties restart the protocol.

4. Let i_1 and i_2 be the two smallest indices corresponding to primes, where i_1 < i_2. Let p = u_{i_1} + c_{i_1} and q = u_{i_2} + c_{i_2}. U calculates the integer N, where N = pq.

5. For j ∈ {i_1, i_2}, U proves to C that the u_j are (n - 1)-bit integers and that u_j ≡ 1 mod 2 using a zero-knowledge proof system.

6. U publishes a commitment to N and U proves that this commitment is the product of p and q.

7. U and C extract a random odd integer e ∈ [1, N] from the trusted source of randomness. U determines whether e is coprime to φ(N). If not, then all commitments are revealed and checked, and the protocol is restarted.

8. U opens the commitments to u_i for i ∈ {1, 2, ..., k} \ {i_1, i_2} and the commitment to N. C checks that the commitments were correctly made. C checks that u_i + c_i is not prime whenever i < i_2 and i ≠ i_1. C checks that 2^{2n-2} ≤ N < 2^{2n}. C checks that e and φ(N) are coprime by asking U to sign messages taken from the trusted source of randomness. Finally, U proves to C that N is a product of two primes; see van de Graaf and Peralta [6], Gennaro, Micciancio and Rabin [5] and Camenisch and Michels [3], for example. If all these checks succeed, the pair (N, e) is accepted as the user's RSA key.

There are several known efficient protocols which can be used for the bit commitment schemes and zero knowledge proofs. The choice of protocol depends on which security assumptions are desirable together with the relative efficiency of the various options. All the bit commitment schemes and zero knowledge proofs we require can be chosen (see Cramer and Damgard [4]) so that their security relies only on an RSA assumption. Therefore, our protocol can be designed to rely entirely on RSA security assumptions. We could also use schemes due to Okamoto [8] that are based on a discrete logarithm security assumption. The major advantage of this approach is that there is a more efficient zero knowledge proof that a committed integer lies in an interval.
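The protocol steps above, simulated in Python as an added example that is not code from the paper. It assumes a SHA-256 hash commitment (the paper leaves the commitment scheme open), lets C choose the c_i directly as Section 5 allows in place of the shared random source, and omits the zero-knowledge proofs of steps 5, 6 and 8, so C's verdict covers only the checks it can make from the opened commitments, the size of N and the test signatures; all function and key names are this example's own.

```python
import hashlib, math, secrets

def is_probable_prime(m, rounds=32):
    # Miller-Rabin with random bases; adequate for a simulation (callers pass m > 3).
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(m - 3) + 2, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True

def commit(value, r=None):
    # Hash commitment H(r || value) with a fresh 256-bit r: an assumption of this example.
    r = r or secrets.token_bytes(32)
    return hashlib.sha256(r + str(value).encode()).digest(), r

def user_round(n, k):
    # U's side of steps 1-4 and 7; restarts itself where the paper restarts the protocol.
    lo, half = 2 ** (n - 2), 2 ** (n - 3)
    u = [lo + 1 + 2 * secrets.randbelow(half) for _ in range(k)]     # step 1: odd, (n-1)-bit
    coms, rs = zip(*(commit(ui) for ui in u))                         # commitments and openings
    c = [lo + 2 * secrets.randbelow(half) for _ in range(k)]         # step 2: even, chosen by C
    found = [i for i in range(k) if is_probable_prime(u[i] + c[i])][:2]   # step 3
    if len(found) < 2:
        return user_round(n, k)
    p, q = (u[i] + c[i] for i in found)                              # step 4
    N, phi = p * q, (p - 1) * (q - 1)
    e = 2 * secrets.randbelow(N // 2 + 1) + 1                        # step 7: odd e in [1, N]
    if math.gcd(e, phi) != 1:
        return user_round(n, k)
    opened = {i: (u[i], rs[i]) for i in range(k) if i not in found}  # step 8: all but u_i1, u_i2
    pub = {"n": n, "N": N, "e": e, "c": c, "coms": list(coms), "i2": found[1], "opened": opened}
    return pub, pow(e, -1, phi)

def ca_verify(pub, sign):
    # C's step-8 checks that need no zero-knowledge proof; sign(m) is U's m^d mod N oracle.
    n, N, e = pub["n"], pub["N"], pub["e"]
    for i, (ui, r) in pub["opened"].items():
        if commit(ui, r)[0] != pub["coms"][i]:
            return False                         # commitment not correctly made
        if i < pub["i2"] and is_probable_prime(ui + pub["c"][i]):
            return False                         # an earlier candidate was prime
    if not 2 ** (2 * n - 2) <= N < 2 ** (2 * n):
        return False
    # Test signatures: s^e == m for random m only if U holds d, i.e. gcd(e, phi(N)) = 1.
    return all(pow(sign(m), e, N) == m for m in (secrets.randbelow(N) for _ in range(8)))

def generate_and_certify(n, k=None):
    # Whole run: U produces (N, e, d), then C decides whether to certify (N, e).
    pub, d = user_round(n, k or n)
    return pub, d, ca_verify(pub, lambda m: pow(m, d, pub["N"]))
```

A tampered opening or a mismatched e is rejected by ca_verify, while an honest run with n = 32 yields a 63- or 64-bit N that C accepts.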

4 Security Analysis

The security of our protocol depends crucially on the following assumption.

RSA security assumption: Let ε be a positive constant. There is no polynomial time Turing machine M which outputs x with non-negligible probability on input ((N, e), x^e (mod N)) where N is the product of two primes each chosen uniformly in the interval [2^{n-ε}, 2^{n+ε}], and where x ∈ Z/NZ and e ∈ (Z/NZ)^* are chosen uniformly at random.

This assumption is in accordance with the position stated in Silverman [10] and Menezes, van Oorschot and Vanstone [7, Section 8.2.3].

We now analyse the security of our protocol. It is clear that the protocol satisfies Definition 1. The moduli produced by our protocol are products of primes which are not quite uniformly distributed. Nevertheless, our RSA security assumption implies that Definition 2 is satisfied, since the distribution of factors produced by our protocol is sufficiently close to uniform. (See Boneh and Franklin [2, Lemma 1].)

In our discussion of why the protocol satisfies Definitions 3 and 4 we assume that all zero-knowledge protocols and commitment schemes function as intended. In particular, we assume that the zero-knowledge property of the protocols is not lost when they are used in series, even though the rigorous proofs only show that they are zero-knowledge when used in isolation.

We now argue that the protocol is secure against user adversaries. As long as C adheres to the protocol (and so verifies any proofs), U* must prove that the u_i are of the right size, that N = (u_{i_1} + c_{i_1})(u_{i_2} + c_{i_2}) where both factors are prime, that u_i + c_i is not prime for 1 ≤ i < i_2 and i ≠ i_1, and finally that e is coprime to φ(N). Therefore, the only way that U* can influence the protocol is by choosing the integers u_i with respect to a distribution that is not uniform. Now, the integers c_{i_1} and c_{i_2} are chosen uniformly at random and independently of u_{i_1} and u_{i_2}, and so the distribution of pairs (N, e) is close to uniform. An argument similar to that mentioned above establishes that our protocol is secure against user adversaries.

Finally, we argue that our protocol is secure against CA adversaries.

Lemma 1 Suppose there exist C* and M' that satisfy Definition 4. Then we may assume that C* = C.

Proof: Let C* and M' be as in Definition 4. Since C* has no influence over the public source of randomness, the values of (N, e) cannot be manipulated by C*. However, C* can skew the output distribution of the protocol by falsely declaring that one of the proofs has failed. Nevertheless, since (U, C*) is a polynomial time RSA generator, C* must accept a non-negligible proportion of pairs (N, e). Thus, given a pair (N, e) generated by (U, C), there is a non-negligible probability that this pair could have been generated by (U, C*). Now, given (N, e) generated by (U, C) and an associated transcript T(C), it is possible to compute, in polynomial time and with the same non-negligible success probability, a transcript T(C*) of a run of (U, C*) that generates (N, e). Thus M' may be converted into a machine that satisfies Definition 4 when C* is replaced by C: this machine converts T(C) to T(C*), and then applies M'. □

The only remaining issue is to show that T(C) gives no useful information for solving the resulting RSA problem. This is a consequence of the following Lemma.

Lemma 2 Under our RSA security assumption there does not exist a Turing machine M' as in Definition 4 in the case where C* = C.

Proof: Suppose a Turing machine M' exists as in Definition 4. Then there is some t such that M' solves the RSA problem with probability at least 1/n^t for sufficiently large n. We will show that the existence of such an M' implies that (U, C) does not produce secure parameters. This contradiction proves the result.

We construct a Turing machine M which tries to simulate a transcript of the protocol from the point of view of C and then applies M'. On input (N, e), M constructs n^{2t+2} "simulations" T_{i,j} (where 0 ≤ i, j < n^{t+1}) of the view of C during the generation of (N, e) as follows. It is trivial to simulate the zero knowledge proofs and commitments used in the protocol. The only difficulty arises when choosing c_{i_1} and c_{i_2} in such a way that companion values u_i exist in the correct range. To overcome this M chooses two integers r_1, r_2 uniformly from [2^{n-2}, 2^{n-2} + 2^{n-2}/n^{t+1} - 1]. Simulation T_{i,j} is constructed so that c_{i_1} = r_1 + i · 2^{n-2}/n^{t+1} and c_{i_2} = r_2 + j · 2^{n-2}/n^{t+1}. M then applies M' to each of these transcripts in parallel.

Let X be the set of all RSA moduli N having both factors in the range [2^{n-1} + 2^{n-1}/n^{t+1}, 2^n - 2^{n-1}/n^{t+1} - 1]. The protocol produces pairs (N, e) such that N ∉ X with probability at most 1 - (1 - 2/n^{t+1})^2 = 4/n^{t+1} - 4/n^{2t+2}. In particular, this implies that N lies in X with non-negligible probability. Furthermore, the probability that M succeeds when given a modulus N ∈ X is at least (1/n^t - 4/n^{t+1} + 4/n^{2t+2})/(1 - 4/n^{t+1} + 4/n^{2t+2}), which is non-negligible. Provided that N lies in X then at least one of the T_{i,j} is a simulation of a run of the protocol with output (N, e) and therefore M will solve the RSA problem in polynomial time with non-negligible probability. □
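The conditional bound used in the proof above, carried through as an added derivation that is not part of the paper's text. S denotes the event that the RSA instance is solved, with Pr[S] ≥ 1/n^t, and the remaining symbols are the proof's own.

Each factor is u + c with c uniform over an interval of width 2^{n-2}, so it lands within 2^{n-1}/n^{t+1} of an end of [2^{n-1}, 2^n) with probability at most 2/n^{t+1}; the two factors are chosen independently, hence
\[
\delta := \Pr[N \notin X] \le 1 - \Bigl(1 - \frac{2}{n^{t+1}}\Bigr)^{2} = \frac{4}{n^{t+1}} - \frac{4}{n^{2t+2}}.
\]
Splitting the success event according to whether N ∈ X,
\[
\frac{1}{n^{t}} \le \Pr[S] = \Pr[S \wedge N \in X] + \Pr[S \wedge N \notin X] \le \Pr[S \mid N \in X]\,\Pr[N \in X] + \Pr[N \notin X],
\]
and therefore
\[
\Pr[S \mid N \in X] \;\ge\; \frac{1/n^{t} - \Pr[N \notin X]}{\Pr[N \in X]} \;\ge\; \frac{1/n^{t} - \delta}{1 - \delta}
\;=\; \frac{1/n^{t} - 4/n^{t+1} + 4/n^{2t+2}}{1 - 4/n^{t+1} + 4/n^{2t+2}},
\]
where the second inequality holds because (a - δ)/(1 - δ) is decreasing in δ for a < 1. The right-hand side is 1/n^t · (1 - 4/n + 4/n^{t+2})/(1 - 4/n^{t+1} + 4/n^{2t+2}), which tends to 1/n^t as n grows and is therefore non-negligible.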

5 Practical Efficiencies

The protocol we describe above is already practical. In this section, we discuss ways in which the protocol can be modified to improve its efficiency. We believe that these modifications maintain the security of the protocol.

We may remove the need for a public source of randomness as follows. The random source is used to generate the integers c_i. In practice these values can be chosen by C. The source is also used to generate the public exponent e. This exponent could also be chosen by C or could be fixed in advance. The only other occasion where the public source of randomness is used is to generate test messages to show that e is coprime to φ(N). It is possible to fix these messages in advance. Alternatively this test may be omitted entirely if the application is such that U does not gain any advantage from having e not coprime to φ(N).

Another modification which would improve efficiency would be to generate each pair (u_i, c_i) in turn, rather than making k commitments in advance. This would mean that u_{i_2} might be dependent on u_{i_1} + c_{i_1}, but this should not be a problem as long as the integers c_i cannot be predicted by U.

In the protocol as presented, the integers u_i and c_i are chosen so that u_i + c_i is always odd. To increase the probability of primality, stronger constraints on the congruences satisfied by these integers could be imposed. The zero knowledge proof systems would have to be modified to check these constraints. The systems we have suggested above can be easily modified to achieve this.

References

[1] ANSI X9.31, `American National Standard - Digital signatures using reversible public key cryptography for the financial services industry (rDSA)', Draft Standard, March 1998.

[2] D. Boneh, M. Franklin, `Efficient generation of shared RSA keys', in B.S. Kaliski, Jr., editor, Advances in Cryptology - CRYPTO '97, Lecture Notes in Computer Science Vol. 1294, Springer-Verlag, 1997, pp. 425-439.

[3] J. Camenisch and M. Michels, `Proving in zero knowledge that a number is the product of two safe primes', in J. Stern, editor, Advances in Cryptology - EUROCRYPT '99, Lecture Notes in Computer Science Vol. 1592, Springer-Verlag, 1999, pp. 106-121.

[4] R. Cramer and I. Damgard, `Zero-knowledge proofs for finite field arithmetic, or: can zero-knowledge be for free', in H. Krawczyk, editor, Advances in Cryptology - CRYPTO '98, Lecture Notes in Computer Science Vol. 1462, Springer-Verlag, 1998, pp. 424-441.

[5] R. Gennaro, D. Micciancio and T. Rabin, `An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products', Proc. 5th ACM Conference on Computer and Communications Security, 1998, to appear.

[6] J. van de Graaf and R. Peralta, `A simple and secure way to show the validity of your public key', in C. Pomerance, editor, Advances in Cryptology - CRYPTO '87, Lecture Notes in Computer Science Vol. 293, Springer-Verlag, 1988, pp. 128-134.

[7] A.J. Menezes, P.C. van Oorschot and S.A. Vanstone, Handbook of applied cryptography, CRC Press, 1997.

[8] T. Okamoto, `An efficient divisible electronic cash scheme', in D. Coppersmith, editor, Advances in Cryptology - CRYPTO '95, Lecture Notes in Computer Science Vol. 963, Springer-Verlag, 1995, pp. 438-451.

[9] R.G.E. Pinch, `On using Carmichael numbers for public key encryption systems', in M. Darnell, editor, Cryptography and coding, 6th IMA conference, Cirencester, Lecture Notes in Computer Science Vol. 1355, Springer-Verlag, 1997, pp. 265-269.

[10] R.D. Silverman, `Fast generation of random, strong RSA primes', CryptoBytes, 3, No. 1, 1997, pp. 9-13.
