Hello, I'm Jack Doerner, coming before you today with my pandemic hair to talk about multiparty generation of RSA moduli. This is joint work with Megan Chen, Ran Cohen, Yashvanth Kondi, Eysa Lee, Schuyler Rosefield, and abhi shelat, and you can find our paper online as IACR ePrint number 2020/370. In this work, we introduce a new protocol for distributed RSA modulus sampling with malicious security against a dishonest majority in the UC model. Ours is the first such protocol from only oblivious transfer and the factoring assumption to support an arbitrary number of parties, and, so far as we know, the first to achieve cubic complexity or better in the length of the modulus.

An RSA modulus, usually designated by the variable N, is the product of two large randomly chosen primes, which we call p and q. We call such numbers biprimes, and in this talk I will use the terms biprime and RSA modulus interchangeably. It is one of the oldest public-key assumptions we have that factoring such numbers is hard, and when used as moduli, they form multiplicative groups wherein finding the group order is equivalent to factoring. This makes RSA moduli useful for a huge range of applications. Of course they can be used to construct signature schemes and various kinds of encryption, but they're also useful for building advanced primitives, such as cryptographic accumulators, time-lock puzzles and verifiable delay functions, and, recently, some kinds of highly efficient zero-knowledge argument systems. This list is far from exhaustive. Amazingly, although RSA is one of the seminal asymmetric cryptosystems, many of these applications are very recent; in fact, all of the ones I've highlighted here were published within the last two years. They all use RSA moduli as part of their trusted setup. However, there's no way that we know of to sample a biprime for which nobody knows the factors using only public randomness. So the remaining option is to distribute the sampling among many parties using multiparty computation. This isn't merely a theoretical concern, by the way: the Ethereum Foundation has publicly announced an intention to migrate to RSA-based verifiable delay functions, which means that they need secure biprime sampling in the real world, and they need it to be efficient for many parties.

It's not surprising to find that the history of secure biprime sampling mirrors the history of its applications: a great deal of initial interest, and a recent resurgence. Boneh and Franklin wrote the seminal paper on the subject in 1997, and pretty much all of the subsequent works follow their basic layout, including ours. I'm going to skip most of the history, which focused on semi-honest or honest-majority constructions, and talk only about the most recent works, which are those of Hazay, Mikkelsen, Rabin, Toft, and Nicolosi, and of Frederiksen, Lindell, Osheter, and Pinkas. I'd also like to point out that there is already a follow-up to our work, which uses some of the techniques we introduced and achieves really astonishing performance in the aggregator model. That paper is on ePrint now, and it will appear at S&P in 2021. After I talk about these prior works and the general shape of the problem, I'll introduce our protocol itself, and after that, I'll show you why it's efficient.
Now, I claim that generating an RSA biprime using a multiparty protocol is uniquely difficult relative to multiparty key generation for other kinds of cryptosystems, because we sample biprimes by rejection. That is, we pick a k-bit number, where k is a security parameter, test whether it's prime, and throw it away if it's not. When we find two primes, p and q, we multiply them together to form a 2k-bit biprime N. Primality is usually determined via the Miller-Rabin test. I won't show it to you in detail, but the important thing to know is that it requires us to repeatedly take a random base a to some secret power modulo p. Turning this into a multiparty protocol naively would require many secure modular exponentiations with large secret moduli, and this is very, very far from practical.

Boneh and Franklin were the first to recognize this, and in the seminal paper on this topic, they devised a more efficient test in the semi-honest setting. Rather than testing the primality of two individual numbers, they devised a direct biprimality test that uses only the product of the two primes, which is to say the candidate biprime N. For a number of iterations determined by a statistical parameter, they choose a random base a with Jacobi symbol 1 and raise it to the power (N - p - q + 1)/4 modulo N. If this is equal to plus or minus 1 in all iterations, then the test passes. For technical reasons, they also require a GCD test, but we won't worry about that for now. The key here is that the modulus N is the public output of the protocol. This means that we can cut the factors p and q into integer shares, one share of each for every party, and then rewrite the test as a product of terms that the parties can compute locally. An integer sharing in this case is simply a set of randomly chosen positive integers that add up to the shared value. This style of sharing is important because it yields a natural method for reconstructing p and q modulo phi of N in the exponent, where phi of N is the order of the multiplicative group modulo N. If you know one or more integer shares of a value, then you know both upper and lower bounds on that value; in other words, integer shares leak some information. Boneh and Franklin provide a proof that this leakage doesn't grant an adversary any meaningful advantage in factoring the biprimes that their protocol produces.

Although the Boneh-Franklin test itself is efficient, the downside is that it requires us to guess two long prime numbers simultaneously in order to succeed, instead of just one, as in the case of individual primality testing. To increase the probability of success, Boneh and Franklin try to filter out some of the candidate p's and q's that are obviously not prime before running the test. Each candidate factor is divided by a sequence of small primes and rejected if it divides evenly; this is known as trial division. They show that if a k-bit candidate prime is sampled uniformly and it passes trial division by all primes up to some bound B, then it's prime with probability in Omega(log B / k). The probability that the biprimality test succeeds is the square of that, and if you repeat the whole protocol until you successfully sample a biprime, then the number of repetitions is, in expectation, in O(k^2 / log^2 B).

Now, as I said, I'm going to skip forward a bit. Fifteen years later, the HMRT protocol was the first to support an arbitrary number of parties and achieve malicious security against a dishonest majority.
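To make the structure of the test concrete before moving on, here is a minimal single-machine sketch in Python. The exponent is the standard Boneh-Franklin one, (N - p - q + 1)/4, and the share alignment (the first party's shares congruent to 3 mod 4, everyone else's to 0 mod 4, so that every local exponent is an integer) follows their construction; the toy parameters, the names, and the omission of the GCD test are my own simplifications, not the paper's exact protocol.

```python
import random
from math import gcd

def jacobi(a, n):
    # Standard binary algorithm for the Jacobi symbol (a/n); n odd, positive.
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def bf_test(N, shares, iterations=40):
    # shares[i] = (p_i, q_i) with p = sum of p_i, q = sum of q_i, N = p*q.
    # Party 0's shares are 3 mod 4 and the others' are 0 mod 4, so every
    # exponent below is an integer.
    for _ in range(iterations):
        a = random.randrange(2, N)
        if gcd(a, N) != 1 or jacobi(a, N) != 1:
            continue  # only bases with Jacobi symbol 1 participate
        p0, q0 = shares[0]
        gamma = pow(a, (N - p0 - q0 + 1) // 4, N)      # party 0's local term
        for p_i, q_i in shares[1:]:
            gamma = gamma * pow(a, -((p_i + q_i) // 4), N) % N  # others' terms
        if gamma not in (1, N - 1):                    # product is not +/-1
            return False
    return True  # N is probably a biprime (ignoring the GCD test)

# Toy usage: p = 7 + 4 = 11 and q = 15 + 4 = 19, both 3 mod 4; N = 209.
assert bf_test(11 * 19, [(7, 15), (4, 4)])
# q = 11 + 4 = 15 is composite; rejected with overwhelming probability.
assert not bf_test(11 * 15, [(7, 11), (4, 4)])
```

Note that each party's term depends only on its own shares and the public N, which is exactly what makes the distributed version cheap.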
In order to do this, the HMRT authors use homomorphic encryption and take a GMW-like approach to achieving security; that is, each party proves that each operation on a ciphertext was performed correctly. This is conceptually straightforward, but it leads to a somewhat complex security analysis. And because the HMRT protocol relies specifically on both Paillier encryption and ElGamal encryption, we are forced to accept both the decisional composite residuosity and decisional Diffie-Hellman assumptions. Furthermore, proving statements about Paillier and ElGamal ciphertexts in zero knowledge is very expensive. Even without the zero-knowledge proofs, in semi-honest mode with two parties, they report taking no less than 15 minutes to sample a biprime, mostly due to the computational cost of homomorphic encryption.

On the other hand, the FLOP protocol focuses on the two-party case exclusively, and it's the first maliciously secure protocol with concrete efficiency, which they demonstrated by implementing it. Instead of homomorphic encryption, it uses 1-out-of-N oblivious transfer to implement trial division, and it uses 1-out-of-2 oblivious transfer to build a maliciously secure Gilboa-style multiplier for multiplying p and q together. Rather than taking the GMW-style approach of proving each step correct as it occurs, the authors instead introduce what they call a proof of honesty: a single proof that's run at the end, only if the biprimality test passes, which verifies a few key algebraic relationships among values used in the protocol. They do also evaluate a symmetric-key relation, but this can somewhat easily be removed, so I won't count it against them. Regardless, this approach has both advantages and disadvantages. Treating OT as a black box allows flexibility with respect to which assumptions are required, and the FLOP protocol is concretely fast by comparison to the HMRT protocol: Frederiksen et al. report being able to sample a biprime with malicious security in roughly two and a half minutes when using high-performance hardware.

On the other hand, their OT-based trial division method leaks some bits of the candidate primes. This is selective leakage on the part of an adversary, and not merely a natural byproduct of using integer shares. Furthermore, while their proof-of-honesty framework frees them from the costs of the GMW approach, they only run it when the biprimality test succeeds, which means it's possible for a malicious adversary to force failures covertly. The adversary can combine this ability with the leakage I mentioned before to reject candidates selectively, and the only way to prevent the adversary from engaging in a denial-of-service attack is to run so many instances of the sampling procedure that a biprime should be produced with overwhelming probability. Thus, a malicious adversary can slow their protocol down by a factor of up to the statistical security parameter.

In the wake of these two works, then, we have an open question: can one build a protocol with support for arbitrarily many parties and malicious security against a dishonest majority, which has flexible assumptions, doesn't require homomorphic encryption, doesn't use expensive zero knowledge over cryptographic statements, and gives the adversary no extra leakage or denial-of-service ability? In this work, we answer in the affirmative.
We do require one specific assumption, which is that it's hard to factor biprimes drawn from our protocol's underlying sampling distribution, but we view this as acceptable, since it's precisely the assumption required to use the protocol's output, and without it, the whole exercise is pointless. Beyond these things, we also provide a modular security analysis, whereas previous works have proven their protocols somewhat monolithically. We hope this will make it easy to interchange primitives and potentially prove new security guarantees in the future. Finally, our protocol improves asymptotically on the FLOP protocol by a factor of the security parameter in terms of communication cost. We don't have an asymptotic analysis of the HMRT protocol's communication cost, so I don't want to make a specific comparative complexity claim, but I will point out that we know HMRT to be much more expensive than FLOP concretely.

So now we come to the protocol itself. For the sake of clarity and time, I'm going to explain a drastically simplified version. For the most part, I'll only talk about two parties, though hopefully you can imagine how everything can be generalized. I also won't always talk about how malicious security can be achieved, but I'll try to let you know where I make important omissions. Our protocol has a simple layout. First, it securely samples candidate factors p and q; then it securely multiplies those factors to produce a candidate biprime, which it subjects to the Boneh-Franklin biprimality test; and finally, it runs a retroactive consistency check to ensure no malicious behavior occurred during the previous phases. The first three parts of this layout are common among almost all biprime-sampling protocols; they come from Boneh and Franklin. Our consistency check is new, but it can be thought of as somewhat analogous to the proof of honesty used by Frederiksen et al. I'll talk about the techniques we use to implement each step of this layout in turn, starting with sampling.

Our sampling technique is based on the Chinese remainder theorem, so let's recall that quickly. If we have a vector of the first ℓ distinct primes, which we'll call a primorial vector, here represented by the letter m, and we have the product of those primes, which is the ℓ-th primorial number, then the Chinese remainder theorem says that there is an isomorphism between the product of the fields modulo the individual primes and the ring modulo the corresponding primorial number. We'll talk about values in these spaces a lot, so I'm going to color-code them to make things easier. Values in the product of the fields modulo the individual primes will be magenta; we call this the CRT form. Values in the ring modulo the primorial number will be teal, and we'll call this standard form. The Chinese remainder theorem also gives us another important fact: a vector of values in CRT form, which we'll call x, maps to a value in standard form, which we'll call p, if and only if the j-th element of x is congruent to p modulo the j-th prime, for all j. This means that if you select a CRT-form vector x with no zero elements, then the corresponding standard-form value p will not be divisible by any of the primes in the primorial vector. Thus, we sample probable primes without trial division. We call this constructive sampling. If we had only one party, our sampling algorithm would be simple.
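In fact, here is that single-party algorithm as a short Python sketch, which the next paragraph walks through; the helper names and the toy primorial vector are illustrative assumptions, not the paper's notation.

```python
import random

def crt(residues, moduli):
    # Chinese remainder reconstruction: map CRT form (one residue per
    # prime) to standard form (a value modulo the primorial number M).
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for r, m in zip(residues, moduli):
        M_i = M // m
        x += r * M_i * pow(M_i, -1, m)   # pow(., -1, m) is the inverse mod m
    return x % M, M

def sample_candidate(primes):
    # CRT form: a uniformly random *non-zero* residue modulo each prime.
    x = [random.randrange(1, p) for p in primes]
    # Standard form: the unique ring element with those residues. By the
    # CRT mapping fact, no prime in the vector divides it.
    candidate, M = crt(x, primes)
    return candidate

primes = [2, 3, 5, 7, 11, 13]            # a toy primorial vector
p = sample_candidate(primes)
assert all(p % r != 0 for r in primes)   # survives "trial division" for free
```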
Choose a CRT-form value randomly, test to make sure all of its elements are non-zero, then find the corresponding standard-form value and interpret it as an integer, which is our candidate prime p. It turns out that if we want to distribute this algorithm, we can do so by instructing the parties to run it individually and locally to generate integer shares of the candidate prime p; and instead of performing local zero tests, we instruct them to jointly test that the modular sums of their CRT-form elements in each small prime field are non-zero. I'm going to gloss over how this works for the moment. We show that if they do this, then the integer sum of their shares of p will be indivisible by all of the primes in the primorial vector. And of course, they can repeat the process to sample q. The integer shares here are important, by the way: we need them for compatibility with the Boneh-Franklin test, which we're going to run later.

Now, once the parties have shares of p and q, they must multiply them together to form shares of a biprime N. This is where all prior works have encountered a bottleneck, in the form of multiplication protocols over length-k inputs. Typically, OT-based multiparty multiplication protocols have at least quadratic computation and communication complexity in the bit length of their inputs. Multiplication protocols based on homomorphic encryption, like the ones used by HMRT, have better communication complexity but worse computation complexity; for example, HMRT used Paillier encryption, which requires modular exponentiation with a modulus of length proportional to k.

We take the OT-based approach, but we leverage the Chinese remainder theorem once again to improve our result relative to naive multiplication. Once again, consider the single-party case. We observe that if we take two CRT-form values, x and u, defined with respect to the same primorial vector m of length ℓ, then the product of their corresponding standard-form values, p and q, modulo the ℓ-th primorial number, corresponds to the element-wise modular product of x and u. Here, I'm using the circle-dot to represent element-wise multiplication. This means that if we want the standard-form product of p and q, we can multiply the CRT-form values x and u element by element and then evaluate the mapping, instead of evaluating the mapping before multiplication. We can show that if a primorial number has k bits, then the length of the largest prime in the corresponding primorial vector is in O(log k), and also that ℓ, the length of the primorial vector, is in O(k / log k). Consequently, if our fundamental multiplication complexity is quadratic, then we can multiply two k-bit numbers in CRT form with complexity O(k log k), as opposed to O(k^2) if we did it naively. The zero-testing operation, which I glossed over earlier, is done using this distributed CRT multiplication technique.

But unfortunately, we can't immediately use the same technique to compute N from the candidate primes p and q that I showed you how to sample a moment ago, because the technique computes the product modulo the primorial number, whereas we need the integer product. This is not, however, a dead end. Fortunately, we can show that there is a way to expand a CRT representation to new prime fields without changing its semantic value.
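Here is a toy continuation of the previous sketch (reusing its crt() helper) showing the element-wise product fact, the wraparound problem just mentioned, and a preview of the expansion to new prime fields that the next paragraph completes; the values and names are again my own illustrations, and the extension is shown on plain values rather than on shares as in the real protocol.

```python
primes = [2, 3, 5, 7, 11, 13]                 # primorial vector; M = 30030
p, q = 101, 311                               # toy "candidate primes"

x = [p % r for r in primes]                   # CRT form of p
u = [q % r for r in primes]                   # CRT form of q
xu = [(a * b) % r for a, b, r in zip(x, u, primes)]   # x circle-dot u

n_mod_M, M = crt(xu, primes)
assert n_mod_M == (p * q) % M                 # equals the product mod M...
assert n_mod_M != p * q                       # ...but NOT the integer product:
                                              # 101 * 311 = 31411 wraps mod 30030

# The fix: extend each CRT form to extra primes (a local reduction of the
# standard-form value), enlarging the ring until p*q can no longer wrap.
extra = [17, 19, 23, 29, 31]
x2 = x + [p % r for r in extra]
u2 = u + [q % r for r in extra]
xu2 = [(a * b) % r for a, b, r in zip(x2, u2, primes + extra)]
n_big, _ = crt(xu2, primes + extra)
assert n_big == p * q             # no wrap: modular product = integer product
```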
That expansion allows us to enlarge the standard-form ring to the point that there is no wrapping when a modular multiplication is performed, which makes the result equivalent to an integer multiplication. Before we move on, I should mention that because this CRT-extension operation is local, corrupt parties can do whatever they want. Also, because there's no authentication on the output shares of our element-wise multiplication, corrupt parties can lie about the shares that they got. I haven't taken pains to show you how we achieve malicious security, so it's important to know that even in the malicious version of our protocol, this sort of cheat is still possible, and we have to account for it later in our consistency check.

I'm only going to talk briefly about the biprimality test, since our protocol follows mostly from prior work. The interesting thing is that we prove it realizes a standalone functionality. Here I have a simplified version of it. It takes the candidate biprime N as a common input and integer shares of the candidate factors p and q from each party, and it outputs success only if both N is a biprime and N is really the product of the input factors. The adversary can also force failures, but it can't force successes, which means that this functionality has no false positives. The functionality is clean and free of protocol artifacts such as authentication primitives, and it allows corrupt parties to use whatever shares they like. Notice, however, that if N really is a biprime, then there are only two possible pairs of factors p and q that would make the functionality succeed. One follows from the honest protocol execution, and we show that finding the other is as hard as factoring N. This is an important and subtle case that is essential to our simulation argument.

Finally, we come to the consistency check. So far, every part of the protocol that you've seen has been composed of simple non-cryptographic operations, and the only functionalities involved have been a multiplication functionality and a biprimality-testing functionality. Our retroactive consistency check ensures that the local operations were performed correctly and that the inputs to the functionalities have the right relationships. We show that there exists a simple algebraic predicate, involving only the modulus N and the expanded CRT-form shares of p and q (here again, I'm showing it to you in the two-party setting), which is sufficient to guarantee security against malicious behavior. If the biprimality test passed, then N might be our output, so we evaluate this predicate securely. In the current version of the paper, we use generic MPC for a canonical instantiation, but it's conceivable that this could be improved with tailored protocols. This can be comparatively slow, but we only have to do it when we succeed. If the biprimality test failed, then either N isn't a biprime or some party cheated. Regardless, there's no need for privacy, and so the parties open their values to one another and verify the predicate locally, which is much faster. There are a lot of details that I'm sweeping under the rug here; for example, we have to enforce that the inputs to the multiplication functionality are opened or loaded into the generic MPC faithfully. But this is the essence of it. Of course, the paper gives a rigorous simulation-based proof, so for the details, I invite you to look there.
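As a small aside before the efficiency discussion: here is the simplified biprimality functionality described a moment ago, rendered as toy Python. sympy's isprime stands in for an idealized primality check, the adversary's explicit ability to force failures is omitted, and only the "no false positives" shape of the functionality is captured.

```python
from sympy import isprime

def f_biprime(N, shares):
    # shares[i] = (p_i, q_i): each party's integer shares, honest or not;
    # corrupt parties may input whatever shares they like.
    p = sum(p_i for p_i, _ in shares)
    q = sum(q_i for _, q_i in shares)
    if N == p * q and isprime(p) and isprime(q):
        return "success"   # N is a biprime AND the product of these inputs
    return "failure"       # success can never be forced for a bad N
```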
Now, before I close, I want to talk a little bit about efficiency. I've been quantifying my complexity statements throughout this talk by saying that they hold if multiplication has a quadratic cost. In the malicious setting, we instantiate our multiplication functionality using an OT-based construction derived from the multipliers introduced by recent works on secure ECDSA signing. As a basis, we use the silent OT extension scheme introduced last year by Boyle, Couteau, Gilboa, Ishai, Kohl, and Scholl, which has almost no overhead when amortized. But the multiplier construction itself requires a special encoding scheme, which means that it has communication cost in O(nx^2 + nsx) per party for n parties and x-bit inputs, where s is the statistical parameter. This leads to an overall communication complexity in O(nsk) for sampling and modulus construction. As an aside, if we use the OT extension protocol of Keller, Orsini, and Scholl instead of silent OT extension, then this cost goes up by a factor of s / log k, which is concretely something like four to eight.

Our biprimality test has different costs depending on whether it reports a failure or a success. In failed instances, it also costs O(nsk) in terms of communication. In successful instances, where it determines that N is a biprime, its cost is given by this term, which you don't need to worry about, because it will be subsumed by something else later. Our consistency check also has different costs, depending on whether or not N is thought to be a biprime. If N is thought to be a biprime, then we use generic MPC to evaluate the predicate securely. If we instantiate this with the authenticated garbling protocol of Wang, Ranellucci, and Katz, then it has communication complexity in O(n^2 sk^2 / log(nk)). If N is thought not to be a biprime, then we reveal everything and evaluate the predicate locally, and the reveal operation costs O(nsk) overall.

If we repeat the whole protocol until a success occurs, we need O(k^2 / log^2 k) repetitions in expectation, which follows from Boneh and Franklin's theorem. All but one of these repetitions will be failures, so we pay the smaller costs for both the biprimality test and the consistency check, and only in the last repetition do we pay the larger costs. Putting everything together finally gives us an overall expected communication complexity per party for sampling a biprime, which you can see here.
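The expression on the slide isn't visible in a transcript, so the following is my own reassembly of the expected per-party communication from the terms stated above: the expected number of repetitions times the cost of a failed attempt, plus the cost of the single successful one.

```latex
\underbrace{O\!\left(\frac{k^2}{\log^2 k}\right)}_{\text{expected repetitions}}
\cdot \underbrace{O(nsk)}_{\text{each failed attempt}}
\;+\; \underbrace{O\!\left(\frac{n^2 s k^2}{\log(nk)}\right)}_{\text{the single success}}
```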
Now, I know my protocol descriptions and security arguments have been rather loose, but this is exactly the cost of the real protocol as presented in the paper. There are a few more lemmas that I won't show you, which allow us to conclude that this is strictly less than O(nsk^3 / log(nk)).

To conclude, I hope that this talk has convinced you that distributed biprime sampling is a challenge. I've shown you how the Chinese remainder theorem can be used to optimize the sampling of candidate primes, and how it can be used to optimize multiplying those candidates together. And I've shown you how an algebraic predicate can be used to tie everything together without homomorphic encryption or proofs over cryptographic statements. In the paper, of course, everything is presented with much more rigor, and there are a few additional results: we show how to achieve a constant round count, and we give a concrete cost analysis. We also present a semi-honest variant of the protocol with perfect security in the same hybrid model as the main protocol, and we give a modular security analysis of the main protocol, with some informal discussion of how various modules can be substituted to achieve stronger security guarantees, such as adaptive security or identifiable abort. That's all for today, though. Thank you for listening.