4,459 research outputs found
Certifying RSA public keys with an efficient NIZK
In many applications, it is important to verify that an RSA public key ( N,e ) specifies a permutation, in order to prevent attacks due to adversarially-generated public keys. We design and implement a simple and efficient noninteractive zero-knowledge protocol (in the random oracle model) for this task. The key feature of our protocol is compatibility with existing RSA implementations and standards. The protocol works for any choice of e. Applications concerned about adversarial key generation can just append our proof to the RSA public key without any other modifications to existing code or cryptographic libraries. Users need only perform a one- time verification of the proof to ensure that raising to the power e is a permutation of the integers modulo N . For typical parameter settings, the proof consists of nine integers modulo N; generating the proof and verifying it both require about nine modular exponentiations.https://eprint.iacr.org/2018/057.pdfFirst author draf
Efficient noninteractive certification of RSA moduli and beyond
In many applications, it is important to verify that an RSA public key (N; e) speci es a
permutation over the entire space ZN, in order to prevent attacks due to adversarially-generated
public keys. We design and implement a simple and e cient noninteractive zero-knowledge
protocol (in the random oracle model) for this task. Applications concerned about adversarial
key generation can just append our proof to the RSA public key without any other modi cations
to existing code or cryptographic libraries. Users need only perform a one-time veri cation of
the proof to ensure that raising to the power e is a permutation of the integers modulo N. For
typical parameter settings, the proof consists of nine integers modulo N; generating the proof
and verifying it both require about nine modular exponentiations.
We extend our results beyond RSA keys and also provide e cient noninteractive zero-
knowledge proofs for other properties of N, which can be used to certify that N is suitable
for the Paillier cryptosystem, is a product of two primes, or is a Blum integer. As compared to
the recent work of Auerbach and Poettering (PKC 2018), who provide two-message protocols for
similar languages, our protocols are more e cient and do not require interaction, which enables
a broader class of applications.https://eprint.iacr.org/2018/057First author draf
Near NP-Completeness for Detecting p-adic Rational Roots in One Variable
We show that deciding whether a sparse univariate polynomial has a p-adic
rational root can be done in NP for most inputs. We also prove a
polynomial-time upper bound for trinomials with suitably generic p-adic Newton
polygon. We thus improve the best previous complexity upper bound of EXPTIME.
We also prove an unconditional complexity lower bound of NP-hardness with
respect to randomized reductions for general univariate polynomials. The best
previous lower bound assumed an unproved hypothesis on the distribution of
primes in arithmetic progression. We also discuss how our results complement
analogous results over the real numbers.Comment: 8 pages in 2 column format, 1 illustration. Submitted to a conferenc
A kilobit hidden SNFS discrete logarithm computation
We perform a special number field sieve discrete logarithm computation in a
1024-bit prime field. To our knowledge, this is the first kilobit-sized
discrete logarithm computation ever reported for prime fields. This computation
took a little over two months of calendar time on an academic cluster using the
open-source CADO-NFS software. Our chosen prime looks random, and
has a 160-bit prime factor, in line with recommended parameters for the Digital
Signature Algorithm. However, our p has been trapdoored in such a way that the
special number field sieve can be used to compute discrete logarithms in
, yet detecting that p has this trapdoor seems out of reach.
Twenty-five years ago, there was considerable controversy around the
possibility of back-doored parameters for DSA. Our computations show that
trapdoored primes are entirely feasible with current computing technology. We
also describe special number field sieve discrete log computations carried out
for multiple weak primes found in use in the wild. As can be expected from a
trapdoor mechanism which we say is hard to detect, our research did not reveal
any trapdoored prime in wide use. The only way for a user to defend against a
hypothetical trapdoor of this kind is to require verifiably random primes
- …