DE102022004783A1 - Method for generating two large prime numbers by additive division without a trusted dealer in a communication system with a number of participants - Google Patents

Abstract

The invention relates to a method for generating two large prime numbers by additive division without a trusted dealer in a communication system with a number of participants n. The aim of the invention is to generate two large prime numbers in a cryptosystem by reducing the required computing power so that the generation time is acceptable (< 1 minute). This object is achieved by a method according to claims 1 and 2.

Description

The invention relates to a method for generating the two large prime numbers by additive division without a trusted dealer in a communication system with several participants.

The parties can be any participant in a communications network, such as computers, apps, servers, etc.

Such methods are known from the state of the art. A method called “naive” for generating a prime number is that each party P _i selects a random number p _i ∈ [2 ^k-1 , 2 ^k - 1] such that: $$p_i=\{\begin{array}{cc}{p}_i\equiv 3\left(mOd4\right),& ie\alpha \equiv i\left(mOdn\right)\\ p_i\equiv 0\left(mOd4\right),& ie\alpha \cancel{\equiv }i\left(mOdn\right)\end{array}$$

Another method is the “composite” method. This method of generating secrets for a threshold cryptosystem was proposed by Boneh and Franklin as a way to improve the key generation phase ( Dan Boneh and M. Franklin. Efficient generation of shared RSA keys. Journal of the ACM, 48 (4):702{722, July 2001. doi: 10.1145/502090.502094 .).

berechnet, so dass M ≤ 2^k. Die Parteien wählen dann a_i ∈ R [3, M], a_i ⊥ M und b_i und erhalten: $$\begin{array}{l}a=a_1\times a_2\times \dots a_{n}modM\\ b=b_1\times b_2\times \dots +b_{n}modM\end{array}$$

It is assumed that each party P _i $M={\displaystyle \prod {}_{\varrho \in \mathbb{P}\backslash 2}\varrho }$

calculated so that M ≤ 2 ^k . The parties then choose a _i ∈ R [3, M], a _i ⊥ M and b _i and obtain: $$\begin{array}{l}a=a_1\times a_2\times \dots a_{n}mOdM\\ b=b_1\times b_2\times \dots +b_{n}mOdM\end{array}$$

The most interesting question is how to transform the multiplicative division of a over a ₁ , ..., a _n into an additive division over b ₁ ,..., b _n without revealing a.

Another method is the so-called “Dubner's Sophie Germain primes” method. This approach is based on polynomials introduced by “ Dubner” (Harvey Dubner, Large Sophie Germain primes. Mathematics of Computation, 65(213):393-396, January 1996. doi: 10.1090/s0025-5718-96-00670-9 ). Each party P _i chooses a random number p _i ∈ [2 ^k-1 , 2 ^k - 1] where p _i is defined as: $$p_i=\{\begin{array}{cc}\left(r\times 3003\right)-\mathrm{1,}& iei\equiv 1\\ r\times \mathrm{3003,}& iei\cancel{\equiv }1\end{array}$$

The methods known from the state of the art are not suitable for generating two large prime numbers in an acceptable time with generally available, common computing power.

The aim of the invention is to generate two large prime numbers in a cryptosystem by reducing the required computing power so that the generation time is acceptable (< 1 minute).

A cryptosystem requires a way to generate distributed primes p and q without revealing them. To achieve this, the inventive method uses the additive distribution of each prime. Each party selects a random number that is distributed over the integers via a secret division scheme, which is a variant of the Shamir division scheme. Each party P _i selects two numbers p _i and q _i and creates two polynomials p _i (x) and q _i (x). Then each party P _j receives the values of p _i (j) and q _i (j) from every other party P _i via a secure channel. The only reason for using a secure channel here is to avoid the need to generate the values p and q. Each party should only send the i -th element to party P _i . This allows party P _i to construct the value N _i , which is then sent. By using the BGW protocol, the n parties can obtain the value N = pq without revealing p and q: $$N=pq={\displaystyle \sum _{i=1}^n\left({\displaystyle \sum _{j=1}^n{p}_j\left(i\right)\times {\displaystyle \sum _{j=1}^n{q}_j\left(i\right)}}\right)}$$

This method allows avoiding a trusted dealer, but it cannot be used with a standard screening technique. In addition, a way had to be found to avoid to generate divided prime numbers that are secure prime numbers. These are referred to as T-primes in the sense of the invention. They are the key element of the invention.

gibt, wobei $\varrho$

das Produkt aus den ersten T-Primzahlen und r eine gerade Zufallszahl ist. Mit dieser Methode kann man p ∈ [2^k-1, 2^k - 1] generieren, wenn $r{\in }_R\left[2^{k-1-lo{g}_2\varrho }{\mathrm{,2}}^{k-lo{g}_2\varrho }-1\right]$

ist.They are based on the assumption that there are many large secure primes of the form $p=\left(r\times \varrho \right)-1$

where $\varrho$

is the product of the first T primes and r is an even random number. With this method, one can generate p ∈ [2 ^k-1 , 2 ^k - 1] if $r{\in }_R\left[2^{k-1-lO{G}_2\varrho }{\mathrm{,2}}^{k-lO{G}_2\varrho }-1\right]$

is.

Jede P_i definiert eine Primzahl p_i: $$p_i=\{\begin{array}{cc}\left(r\times \varrho \right)-\mathrm{1,}& ifi\equiv 1\\ r\times \varrho ,& ifi\cancel{\equiv }1\end{array}$$

This assumption naturally supports additive division and allows us to define the prime number as $p={\displaystyle \sum {}_{i=1}^n}{p}_i.$

Each P _i defines a prime number p _i : $$p_i=\{\begin{array}{cc}\left(r\times \varrho \right)-\mathrm{1,}& iei\equiv 1\\ r\times \varrho ,& iei\cancel{\equiv }1\end{array}$$

The subject of the invention is the question of how to determine the best T. The inventive method uses a dynamic value that depends on k over Υ: $$T=max\left\{t\in \mathbb{N},\rho \in \mathbb{P}|lO{G}_2\left({\displaystyle \prod _{i=1}^t\rho }\right)\le k\times \Upsilon \right\}$$

In the key generation phase, the parties may need to perform some iterations, called trials, to produce a value N that passes the biprimality test, which confirms that it is the product of two unknown primes. A simple way to satisfy this condition and increase the entropy of this phase is to set the following condition α ≡ i(mod n) for the ith party, where α is the number of trials.

Boneh and Franklin ( Dan Boneh and M. Franklin. Efficient generation of shared RSA keys. Journal of the ACM, 48 (4):702{722, July 2001. doi: 10.1145/502090.502094 .) showed how the parties can use the Miller-Rabin primality test to verify that the value N is the product of two prime numbers p and q without revealing them.

wählt, so dass δ teilerfremd ist zu N und das Jacobi-Symbol $\frac{\delta }{N}=1$

sind. Dann errechnen sie Q_i als: $$Q_i=\{\begin{array}{cc}{\delta }^{\left(N+1-p_i-q_i\right)/4},& if\alpha \equiv i\left(modn\right)\\ {\delta }^{\left(-p_i-q_i\right)/4},& if\alpha \not\equiv i\left(modn\right)\end{array}$$

It is assumed that a party $\delta {\in }_R\mathbb{N}{*}_N$

such that δ is relatively prime to N and the Jacobi symbol $\frac{\delta }{N}=1$

Then calculate Q _i as: $$Q_i=\{\begin{array}{cc}{\delta }^{\left(N+1-p_i-q_i\right)/4},& ie\alpha \equiv i\left(mOdn\right)\\ {\delta }^{\left(-p_i-q_i\right)/4},& ie\alpha \not\equiv i\left(mOdn\right)\end{array}$$

This allows the party to perform the biprimality test: $${\displaystyle \prod _{i=1}^{\mathrm{<figure-callout\; id="1"\; label="n\; Q"\; filenames="DE102022004783A1\_0050.png"\; state="\{\{state\}\}">n</figure-callout>}}{Q}_{}{}_1}\stackrel{?}{\equiv }\pm 1\left(mOdN\right)$$

It is therefore clear that this test is based on the assumption that p ≡ q ≡ 3(mod 4). This is also naturally supported by the method according to the invention.

Since it is a Miller-Rabin primality test, the inventive method takes advantage of its property that if the biprimality test holds, then the value N is the product of two strong primes to base δ with a probability of at most 1/4. If the biprimality test is performed l times each time with a new δ and the value N still passes the test, then the value N is the product of two strong primes with a probability of 4 ^-l .

Relaxing the condition for safe prime numbers

The classical RSA modulus is N = pq, where p and q are secure primes. This means that p = 2p' + 1 and q = 2q' + 1, where p' and q' are also primes and gcd(N, ϕ (N)) = 1. The Paillier cryptosystem has adopted this requirement, but following " Rivest and Silverman” (Ronald L. Rivest and Robert Silverman. Are “strong” primes required for RSA? In 1997 RSA Labora tories Seminar Series. Citeseer, 1999 .), " Damgard and Koprowski“ [Ivan Damgard and Maciej Koprowski. Practical threshold RSA signatures without a trusted dealer. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 152{165. Springer, 2001 ) and " Nishide and Sakurai” (Takashi Nishide and Kouichi Sakurai. Distributed Paillier cryptosystem without trusted dealer. In International Workshop on Information Security Applications, pages 44{60. Springer, 2010. doi: 10.1007/978-3-642-17955-6 4 ), a prime number p can be used that satisfies the condition that (p - 1)/2 is not divisible by a prime number less than or equal to n. So the prime number p does not necessarily have to be a sure prime number.

x = n × (3 × 2^k/2-1)/m, m ≤ 2^k/4-1 und K = 2^k/2-1. p'_i und q'_i können dann wie folgt berechnet werden: $$\begin{array}{l}p{\text{'}}_i=\{\begin{array}{cc}\left(p_i-1\right)\times R_{a,i}+m{R}_{b,p\text{'},i}& if\alpha \equiv i\left(modn\right)\\ \left(p_i\right)\times R_{a,i}+m{R}_{b,p\text{'},i}& if\alpha \not\equiv i\left(modn\right)\end{array}\\ q{\text{'}}_i=\{\begin{array}{cc}\left(q_i-1\right)\times R_{a,i}+m{R}_{b,q\text{'},i}& if\alpha \equiv i\left(modn\right)\\ \left(q_i\right)\times R_{a,i}+m{R}_{b,q\text{'},i}& if\alpha \not\equiv i\left(modn\right)\end{array}\end{array}$$

Each party P _i chooses R _a,i ∈ R [0, Kx] and R _b,p',i , R _b,q',i ∈ R [0,K ² x ² ], where $m={\displaystyle \prod {}_{\rho \in \mathbb{P}}^n\rho ,}$

x = n × (3 × 2 ^k/2-1 )/m, m ≤ 2 ^k/4-1 and K = 2 ^k/2-1 . p' _i and q' _i can then be calculated as follows: $$\begin{array}{l}p{\text{'}}_i=\{\begin{array}{cc}\left(p_i-1\right)\times R_{a,i}+m{R}_{b,p\text{'},i}& ie\alpha \equiv i\left(mOdn\right)\\ \left(p_i\right)\times R_{a,i}+m{R}_{b,p\text{'},i}& ie\alpha \not\equiv i\left(mOdn\right)\end{array}\\ q{\text{'}}_i=\{\begin{array}{cc}\left(q_i-1\right)\times R_{a,i}+m{R}_{b,q\text{'},i}& ie\alpha \equiv i\left(mOdn\right)\\ \left(q_i\right)\times R_{a,i}+m{R}_{b,q\text{'},i}& ie\alpha \not\equiv i\left(mOdn\right)\end{array}\end{array}$$

erhalten wurden, ist es einfach zu beweisen, dass γ_p' und γ_q' nicht durch irgendeine Primzahl teilbar sind, die kleiner ist als n: $$\begin{array}{l}gcd\left({\gamma }_{p\text{'}},m\right)\stackrel{?}{\equiv }1\\ gcd\left({\gamma }_{q\text{'}},m\right)\stackrel{?}{\equiv }1\end{array}$$

As soon as ${\gamma }_{p\text{'}}={\displaystyle \sum {}_{i=1}^n}p{\text{'}}_i\text{and}{\gamma }_{q\text{'}}={\displaystyle \sum {}_{i=1}^n}q{\text{'}}_i$

obtained, it is easy to prove that γ _p' and γ _q' are not divisible by any prime number smaller than n: $$\begin{array}{l}Gcd\left({\gamma }_{p\text{'}},m\right)\stackrel{?}{\equiv }1\\ Gcd\left({\gamma }_{q\text{'}},m\right)\stackrel{?}{\equiv }1\end{array}$$

It is clear that (p - 1)/2 and (q - 1)/2 are not divisible by a prime number less than n. As shown, this can be done without revealing p and q if $$P\text{'}>{\left(2\times n^2\times \left(3\times 2^{k-1}\right)\right)}^2$$

However, a good value of N can be discarded.

If so, this leads to: $$m|{\displaystyle \sum _{j=1}^n{R}_{a,i}}$$

• : Leistung zur Erzeugung von T-Primzahlen mit einem erfindungsgemäßen Verfahren
• : Benchmark der Auswirkungen der Wiederverwendung von p und q

The method according to the invention and its effects on the computing time for generating the two large prime numbers are explained in more detail using the figures. These show:

• : Performance for generating T-primes using a method according to the invention
• : Benchmark the impact of reusing p and q

Within the scope of this invention, a benchmark was carried out on the methods known from the state of the art for generating two large prime numbers.

This section supports the decision to use the random value Υ ∈ R [0.2,0.4] for the constant Υ to define the T in the T-prime.

verwendet wird.For benchmarking, the real (hardware) random number generator SwiftRNG Pro was used in each benchmark test: Each participant P _i creates a prime number p _i which is used to calculate $p={\displaystyle \sum {}_1^n}{p}_i$

is used.

It was tried several times until a p was obtained that is a probably prime number and also satisfies the condition that (p - 1)/2 is not divisible by a prime number less than or equal to n. The Miller-Rabin and Lucas-Lehmer primality tests were used to determine whether p is probably is a prime number. In the tests, each technique was used to generate 123 prime numbers that satisfy the requirements for each n ∈ {1, 2, 3, 4, 7, 11, 18, 29, 47, 76, 123} and k ∈ {1024, 2048, 4096, 8192}. The results for Υ ∈ [0.00, 0.99] with step 0.01 and for Υ ∈ R [0.2, 0.4] are shown in the 1a-1d It was assumed that Υ ∈ R [0.2, 0.4] can be used as the optimal value, since it does not reduce the entropy of the primes and also reduces the number of trials to an acceptable level.

The same benchmarks were performed for the three other methods described above (Naive, Composite and Dubners) and T-primes with Υ ∈ R [0.2,0.4]. However, the tests for values of k larger than 2048 bits were not performed because the results of the tests with smaller k were already unacceptable. The results are presented in Table 1 below. It is clear that the inventive method requires much fewer attempts to obtain a good prime. Table 1: Number of attempts by T-primes Υ ∈ R [0.2, 0.4]) and other methods, plus Tukey's whiskers k T-primes Dubner's Composite Naive 1024 2048 4096 8192 1024 2048 4096 1024 2048 1024 2048 Upper whisker 225 433 781 1409 750 1424 2733 3820 11633 3827 7665 3rd quarter 104 198 354 652 339 649 1251 1597 5072 1691 3374 Median 51 98 172 337 155 324 624 407 1997 740 1375 Is quartile 23 41 69 147 65 132 263 115 698 267 513 Lower whiskers 1 1 1 1 1 1 1 2 9 1 1 Mean 75 139 247 468 249 487 949 1422 3809 1277 2509 Skewness 2.45 1.78 1.77 2.11 2.15 2.35 2.19 3.39 2.53 3.18 2.69 Kurtosis 12.91 3.90 4.06 6.70 6.31 8.17 6.86 15.87 8.76 16.94 10.67

Benchmarking the impacts of reuse p and q

This section supports the decision not to reuse p or q when both components of N = pq are prime, but only one of them has satisfied the safe prime condition described above.

The same technique and environment was used for benchmarking, using for each benchmark test a pseudorandom number generator based on the Yarrow and Fortuna algorithms with the BLAKE3 hash function used above to generate 123 different values of N, each of which satisfies all requirements. 2 shows summary statistics of the number of trials for Υ ∈ R [0.2,0 .4]. Various values of k ∈ {1024,2048,4096,8192} and n ∈ [1, 123] were used, where p or q may have been reused in later trials to obtain N. It is clear that reusing p or q has no significant effect on the number of trials to obtain N. Furthermore, the number of trials does not depend on n or the pseudorandom number generator used.

Benchmarking key generation with different n

This section describes the results of a series of benchmarks - using the same pseudorandom number generator as before - performed on an implementation of the described cryptosystem.

For benchmarking, 13 random keys were generated with t = 1, n ∈ {1, 2, 3, 4, 7, 11, 18, 29, 47, 76, 123} and k ∈ {1024, 2048}. For each benchmark, the application created n independent parties. Each generated key was also used to generate n digital signatures from n parts, which were then verified n times. For each of these tests, the zero-knowledge proof was also applied.

All benchmarks were performed on normal hardware that is currently and commonly available. An example of such hardware is the Apple Mac Mini with an M1 CPU and 8 GB RAM. For our cryptosystem, the dynamic binary translator Rosetta was used to run the OpenJDK 64-bit server VM (version 16-ea+24). No network communication was used, which forced the cryptosystem to perform all computations in a single thread. A redundant environment was used to degrade the performance of the inventive implementation, which makes the results even more significant.

The results are shown in Table 2 below. It is clear that the method according to the invention can be used on currently available hardware with an acceptable level of security that is sufficient for the foreseeable future (ie until quantum computers are available). Table 2: Average times in seconds to generate a random key pair. Confidence interval 99.9% k n RUNTIME CI k n RUNTIME CI 1024 1 0.6 0.48 1024 1 0.56 0.47 1024 2 0.45 0.41 1024 2 0.56 0.62 1024 3 1.45 1.44 1024 3 0.65 0.4 1024 4 2.33 1.41 1024 4 0.55 0.51 1024 7 3.58 2.64 1024 7 0.95 0.55 1024 11 6.86 6.51 1024 11 1.8 0.84 1024 18 11.41 10.08 1024 18 3.86 1.55 1024 29 16.75 13.29 1024 29 9.5 4.15 1024 47 30.35 22.99 1024 47 24.16 9.89 1024 76 89.89 83.6 1024 76 61.24 16.85 1024 123 188.23 85.95 1024 123 142.75 22.37 2048 1 6.35 7.17 2048 1 10.04 8.86 2048 2 6.62 6.33 2048 2 5.74 6.16 2048 3 19.37 22.84 2048 3 3.95 2.54 2048 4 20.92 21.62 2048 4 4.78 4.81 2048 7 50.23 53.75 2048 7 13.08 13.93 2048 11 61.06 58.35 2048 11 18.31 14.73 2048 18 128.01 104.38 2048 18 30.97 16.85 2048 29 215.12 232.7 2048 29 52.48 38.6 2048 47 270.78 254.34 2048 47 161.83 77.63 2048 76 602.28 585.96 2048 76 286.1 31.72 2048 123 2,135.56 1,609.16 2048 123 741.35 287.99 (a) Single-thread (b) Eight threads

The workflow of key generation using secure large prime numbers is now explained in more detail:

The key is generated through an iterative process that may require one or more attempts to obtain a key N that can pass the biprimality test:

-Parteien, die neue Schlüsselpaare erzeugen, mit k als Moduluslänge in Bits, mit Schwellenwertparametern $t={\displaystyle \sum {}_{h=0}^l}{t}_l\left(t=max\left(t_l\right),\forall t_l\right)$

und konjunktiven (disjunktiven) Rängen 0,...,l sollten sich auf zwei ungerade Primzahlen P' und P" übereinstimmen, die als Bootstrap- und Secrets-Moduli bezeichnet werden. Diese sollten mindestens den folgenden Anforderungen genügen: $$\begin{array}{l}P\text{'}>{\left(2\times n^2\times \left(3\times 2^{k-1}\right)\right)}^2\\ P\text{'}\text{'}>2^{2k+k/2-1}\end{array}$$

All $n={\displaystyle \sum {}_{H=0}^l}{n}_l$

-Parties generating new key pairs, with k as modulus length in bits, with threshold parameters $t={\displaystyle \sum {}_{H=0}^l}{t}_l\left(t=max\left(t_l\right),\forall t_l\right)$

and conjunctive (disjunctive) ranks 0,...,l should agree on two odd prime numbers P' and P", which are called bootstrap and secrets moduli. These should satisfy at least the following requirements: $$\begin{array}{l}P\text{'}>{\left(2\times n^2\times \left(3\times 2^{k-1}\right)\right)}^2\\ P\text{'}\text{'}>2^{2k+k/2-1}\end{array}$$

welche das Produkt der ersten paar T -Primzahlen darstellt, wobei T definiert ist durch Gleichung [eq:T] mit Υ ∈ R [0.2,0.4]. Jede Partei definiert außerdem Δ = n! und λ_i: $${\lambda }_i=\frac{\Delta \times {\displaystyle \prod {}_{i\text{'}\in S\backslash \left\{i\right\}}-i\text{'}}}{{\displaystyle \prod {}_{i\text{'}\in S\backslash \left\{i\right\}}i-i\text{'}}}$$

Each party chooses a unique i ∈ [1, n], and defines t' = max(0, n - 1) , t'' = max(0, n/2 - 1) and t''' = max(0, n/3 - 1). m is the product of all primes less than or equal to n. Later it is used that M _l = Π _ρ∈ℙ\2 ρ, where ρ > M _l-1 , M ₀ = 3 and M _l ≤ 2 ^k/2-1 , and $\varrho ,$

which is the product of the first few T -primes, where T is defined by equation [eq:T] with Υ ∈ R [0.2,0.4]. Each party also defines Δ = n! and λ _i : $${\lambda }_i=\frac{\Delta \times {\displaystyle \prod {}_{i\text{'}\in S\backslash \left\{i\right\}}-i\text{'}}}{{\displaystyle \prod {}_{i\text{'}\in S\backslash \left\{i\right\}}i-i\text{'}}}$$

Where S ∈ [1, n].

wobei $r{\in }_R\left[2^{k/2-1-lo{g}_2\varrho }{\mathrm{,2}}^{k/2-lo{g}_2\varrho }-1\right]$

gerade ist. Außerdem berechnet die Partei p'_i und q'_i: $$p{\text{'}}_i,q{\text{'}}_i=\{\begin{array}{cc}\left(p_i-\mathrm{1,}{q}_i-1\right),& if\alpha \equiv i\left(modn\right)\\ \left(p_i,q_i\right),& if\alpha \not\equiv i\left(modn\right)\end{array}$$

For each trial α, each party calculates P _i p _i and q _i . $$p_i,q_i=\{\begin{array}{cc}\left(r\times \varrho \right)-\mathrm{1,}& ie\alpha \equiv i\left(mOdn\right)\\ r\times \varrho ,& ie\alpha \cancel{\equiv }i\left(mOdn\right)\end{array}$$

where $r{\in }_R\left[2^{k/2-1-lO{G}_2\varrho }{\mathrm{,2}}^{k/2-lO{G}_2\varrho }-1\right]$

is even. In addition, the party calculates p' _i and q' _i : $$p{\text{'}}_i,q{\text{'}}_i=\{\begin{array}{cc}\left(p_i-\mathrm{1,}{q}_i-1\right),& ie\alpha \equiv i\left(mOdn\right)\\ \left(p_i,q_i\right),& ie\alpha \not\equiv i\left(mOdn\right)\end{array}$$

und Zufallskoeffizienten a, a', b, b', c, d, e ∈ R ℤ_P'. Diese Werte werden in den Polynomen für ∀j, l ∈ [1, n] verwendet: $$\begin{array}{cc}{p}_i\left(x\right)& =p_i+a_{1}x+a_2{x}^2+\dots +a_{t\text{'}\text{'}}{x}^{t\text{'}\text{'}}\left(modP\text{'}\right)\\ q_i\left(x\right)& =q_i+b_{1}x+b_2{x}^2+\dots +b_{t\text{'}\text{'}}{x}^{t\text{'}\text{'}}\left(modP\text{'}\right)\\ p{\text{'}}_i\left(x\right)& =p{\text{'}}_i+a{\text{'}}_{1}x+a{\text{'}}_2{x}^2+\dots +a{\text{'}}_{t\text{'}\text{'}}{x}^{t\text{'}\text{'}}\left(modP\text{'}\right)\\ q{\text{'}}_i\left(x\right)& =q{\text{'}}_i+b{\text{'}}_{1}x+b{\text{'}}_2{x}^2+\dots +b{\text{'}}_{t\text{'}\text{'}}{x}^{t\text{'}\text{'}}\left(modP\text{'}\right)\\ h_i\left(x\right)& =0+c_{1}x+c_2{x}^2+\dots +c_{t\text{'}}{x}^{t\text{'}}\left(modP\text{'}\right)\\ R_{a,i,l}\left(x\right)& =R_{a,i,l}+d_{i,p\text{'},l\mathrm{,1}}x+e_{i,p\text{'},l\mathrm{,2}}{x}^2+\dots +e_{i,p\text{'},l,t\text{'}\text{'}}{x}^{t\text{'}\text{'}}\left(modP\text{'}\right)\\ m{R}_{b,p\text{'},i}\left(x\right)& =m{R}_{b,p\text{'},i}+e_{i,p\text{'}\mathrm{,1}}x+e_{i,p\text{'}\mathrm{,2}}{x}^2+\dots +e_{i,p\text{'},t\text{'}}{x}^{t\text{'}}\left(modP\text{'}\right)\\ m{R}_{b,p\text{'},i}\left(x\right)& =m{R}_{b,p\text{'},i}+e_{i,q\text{'}\mathrm{,1}}x+e_{i,q\text{'}\mathrm{,2}}{x}^2+\dots +e_{i,q\text{'},t\text{'}}{x}^{t\text{'}}\left(modP\text{'}\right)\end{array}$$

In addition, each party chooses K = 2 ^k/2-1 , R _a ∈ R [0, Kx] and R _b ∈ R ℤ * _{K 2 x 2} , where x = n × (3 × 2 ^k-1 )/m, $m={\displaystyle \prod {}_{\rho \in \mathbb{P}}^n\rho ,}m\le 2^{k/4-1},$

and random coefficients a, a', b, b', c, d, e ∈ R ℤ _P' . These values are used in the polynomials for ∀j, l ∈ [1, n]: $$\begin{array}{cc}{p}_i\left(x\right)& =p_i+a_{1}x+a_2{x}^2+\dots +a_{t\text{'}\text{'}}{x}^{t\text{'}\text{'}}\left(mOdP\text{'}\right)\\ q_i\left(x\right)& =q_i+b_{1}x+b_2{x}^2+\dots +b_{t\text{'}\text{'}}{x}^{t\text{'}\text{'}}\left(mOdP\text{'}\right)\\ p{\text{'}}_i\left(x\right)& =p{\text{'}}_i+a{\text{'}}_{1}x+a{\text{'}}_2{x}^2+\dots +a{\text{'}}_{t\text{'}\text{'}}{x}^{t\text{'}\text{'}}\left(mOdP\text{'}\right)\\ q{\text{'}}_i\left(x\right)& =q{\text{'}}_i+b{\text{'}}_{1}x+b{\text{'}}_2{x}^2+\dots +b{\text{'}}_{t\text{'}\text{'}}{x}^{t\text{'}\text{'}}\left(mOdP\text{'}\right)\\ H_i\left(x\right)& =0+c_{1}x+c_2{x}^2+\dots +c_{t\text{'}}{x}^{t\text{'}}\left(mOdP\text{'}\right)\\ R_{a,i,l}\left(x\right)& =R_{a,i,l}+d_{i,p\text{'},l\mathrm{,1}}x+e_{i,p\text{'},l\mathrm{,2}}{x}^2+\dots +e_{i,p\text{'},l,t\text{'}\text{'}}{x}^{t\text{'}\text{'}}\left(mOdP\text{'}\right)\\ m{R}_{b,p\text{'},i}\left(x\right)& =m{R}_{b,p\text{'},i}+e_{i,p\text{'}\mathrm{,1}}x+e_{i,p\text{'}\mathrm{,2}}{x}^2+\dots +e_{i,p\text{'},t\text{'}}{x}^{t\text{'}}\left(mOdP\text{'}\right)\\ m{R}_{b,p\text{'},i}\left(x\right)& =m{R}_{b,p\text{'},i}+e_{i,q\text{'}\mathrm{,1}}x+e_{i,q\text{'}\mathrm{,2}}{x}^2+\dots +e_{i,q\text{'},t\text{'}}{x}^{t\text{'}}\left(mOdP\text{'}\right)\end{array}$$

Each party now calculates the tuples for ∀j, l ∈ [1, n]: $$\begin{array}{cc}\left(p_{i,j}=p_i\left(j\right)\right),q_{i,j}& =q_i\left(j\right),H_{i,j}=H_i\left(j\right))\\ \left(p{\text{'}}_{i,j,l}=p{\text{'}}_i\left(j\right)\right),q{\text{'}}_{i,j,l}& =q{\text{'}}_i\left(j\right),R_{a,i,l,j}=R_{a,i,l}\left(j\right),)\\ (m{R}_{b,p\text{'},i,j}=m{R}_{b,p\text{'},i}\left(j\right),m{R}_{b,q\text{'},i,j}& =m{R}_{b,q\text{'},i}\left(j\right))\end{array}$$

Through a secure channel, each party P _i receives tuples (i, j) from every other party P _j for this trial. This allows them to compute N _i and γ _i,p',l and γ _i,q',l ∀l ∈ [1, n]: $$\begin{array}{c}{N}_i=\left({\displaystyle \sum _{j=1}^n{p}_{j,i}}\times {\displaystyle \sum _{j=1}^n{q}_{j,i}}+{\displaystyle \sum _{j=1}^n{H}_{j,i}}\right)\times {\lambda }_i\left(mOdP\text{'}\right)\\ {\gamma }_{i,p\text{'},l}=\left({\displaystyle \sum _{j=1}^{n}p{\text{'}}_{j,i,l}\times {\displaystyle \sum _{j=1}^n{R}_{a,j,l,i}+{\displaystyle \sum _{j=1}^{n}m{R}_{b,p\text{'},j,i}}}}\right)\times {\lambda }_i\left(mOdP\text{'}\right)\\ {\gamma }_{i,p\text{'},l}=\left({\displaystyle \sum _{j=1}^{n}p{\text{'}}_{j,i,l}\times {\displaystyle \sum _{j=1}^n{R}_{a,j,l,i}+{\displaystyle \sum _{j=1}^{n}m{R}_{b,p\text{'},j,i}}}}\right)\times {\lambda }_i\left(mOdP\text{'}\right)\end{array}$$

These N _i , γ _i,p',l and γ _i,q',l ∀l ∈ [1, n] are passed on to all parties so that they can calculate N and γ _p',l and γ _q',l ∀l ∈ [1, n]: $$\begin{array}{c}N=\left({\displaystyle \sum _{i=1}^n{N}_i}\right)÷\Delta \left(mOdP\text{'}\right)\\ {\gamma }_{p\text{'},l}=\left({\displaystyle \sum _{i=1}^n{\gamma }_{i,p\text{'},l}}\right)÷\Delta \left(mOdP\text{'}\right)\\ {\gamma }_{q\text{'},l}=\left({\displaystyle \sum _{i=1}^n{\gamma }_{i,q\text{'},l}}\right)÷\Delta \left(mOdP\text{'}\right)\end{array}$$

Each party ensures that N is not divisible by a factor of any M _l and that there exists at least l for which γ _p',l and γ _p',l are not divisible by a factor of m: $$\begin{array}{cc}Gcd\left(N,M_l\right)\stackrel{?}{\equiv }1& ,\forall l\in \left[\mathrm{0,}\sqrt{\left(k\right)}\right]\\ Gcd\left({\gamma }_{p\text{'}l},m\right)\stackrel{?}{\equiv }Gcd\left({\gamma }_{q\text{'}l},m\right)\stackrel{?}{\equiv }1& ,\exists l\in \left[\mathrm{1,}n\right]\end{array}$$

If one of the three tests of dualism fails, the parties must make a new attempt.

und δ ⊥ N derart, dass das Jacobi-Symbol $\frac{\delta }{N}=1$

zur Definition von Q_i: $$Q_i=\{\begin{array}{cc}{\delta }^{\left(N+1-p_i-q_i\right)/4},& if\alpha \equiv i\left(modn\right)\\ {\delta }^{\left(-p_i-q_i\right)/4},& if\alpha \not\equiv i\left(modn\right)\end{array}$$

Now each party P _i checks whether N is a product of exactly two prime numbers. The party chooses $\delta {\in }_R\mathbb{N}{*}_N$

and δ ⊥ N such that the Jacobi symbol $\frac{\delta }{N}=1$

to define Q _i : $$Q_i=\{\begin{array}{cc}{\delta }^{\left(N+1-p_i-q_i\right)/4},& ie\alpha \equiv i\left(mOdn\right)\\ {\delta }^{\left(-p_i-q_i\right)/4},& ie\alpha \not\equiv i\left(mOdn\right)\end{array}$$

This allows the party to perform the biprimality test: $${\displaystyle \prod _{i=1}^{\mathrm{<figure-callout\; id="1"\; label="n\; Q"\; filenames="DE102022004783A1\_0050.png"\; state="\{\{state\}\}">n</figure-callout>}}{Q}_{}{}_1}\stackrel{?}{\equiv }\pm 1\left(mOdN\right)$$

If the biprimality test fails, the parties must make a new attempt.

If N passes the biprimality test, the value is used to create the secret key and the public key.

QUOTES INCLUDED IN THE DESCRIPTION

This list of documents listed by the applicant was generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA accepts no liability for any errors or omissions.

Cited non-patent literature

• Dan Boneh and M. Franklin. Efficient generation of shared RSA keys. Journal of the ACM, 48 (4):702{722, July 2001. doi: 10.1145/502090.502094 [0004]
• Dubner" (Harvey Dubner, Large Sophie Germain primes. Mathematics of Computation, 65(213):393-396, January 1996. doi: 10.1090/s0025-5718-96-00670-9 [0007]
• Dan Boneh and M. Franklin. Efficient generation of shared RSA keys. Journal of the ACM, 48 (4):702{722, July 2001. doi: 10.1145/502090.502094 [0016]
• Rivest and Silverman” (Ronald L. Rivest and Robert Silverman. Are “strong” primes required for RSA? In 1997 RSA Laboratories Seminar Series. Citeseer, 1999 [0021]
• Damgard and Koprowski" [Ivan Damgard and Maciej Koprowski. Practical threshold RSA signatures without a trusted dealer. In International Conference on the Theory and Applications of Cryptographic Techniques, pages 152{165. Springer, 2001 [0021]
• Nishide and Sakurai” (Takashi Nishide and Kouichi Sakurai. Distributed Paillier cryptosystem without trusted dealer. In International Workshop on Information Security Applications, pages 44{60. Springer, 2010. doi: 10.1007/978-3-642-17955-6 4 [0021]

Claims (2)

A method for generating two large prime numbers by additive division without a trusted dealer in a communication system with a number of participants n, comprising the following steps: a. For each trial, party P _i chooses random numbers p _i and q _i : $$\left(p_i,q_i\right)=\{\begin{array}{cc}\left(r\times \varrho \right)-\mathrm{1,}& iei\equiv 1\\ r\times \varrho ,& iei\not\equiv 1\end{array}$$

b. $\varrho$

is the product of the first T prime numbers, where T is defined as: $$T=\text{Max}\left\{t\in \mathbb{N},\rho \in \mathbb{P}|{\text{log}}_2\left({\displaystyle \prod _{i=1}^t\rho }\right)\le k\times \Upsilon \right\}$$

c. For each trial, each party chooses a new random rational number Υ between 0 and 1 and selects $r{\in }_R\left[2^{k-1-{\text{log}}_2\varrho }{\mathrm{,2}}^{k-{\text{log}}_2\varrho }-1\right].$

d. To obtain a value N, all parties use an n-out-of-n additive secret sharing scheme to share p _i and q _i as p _i,x = p _i (x) and q _i,x = q _i (x), which allows them to compute N without revealing p or q: $$N={\displaystyle \sum _{i=1}^n\left({\displaystyle \sum _{j=1}^n{p}_{j,i}\times {\displaystyle \sum _{j=1}^n{q}_{j,i}}}\right)}$$

e. Each Party shall perform a biprimality test to confirm that N is the product of two prime numbers, repeating the steps from step (a) in case of a negative test result. Procedure according to Claim 1 , where the biprimality test is carried out as follows: a. a party chooses $\delta {\in }_R\mathbb{N}{*}_N$

such that δ is relatively prime to N, and the Jacobi symbol $\frac{\delta }{N}=1$

then the parties calculate the value Q _i as: $$Q_i=\{\begin{array}{cc}{\delta }^{\left(N+1-p_i-q_i\right)/4},& \text{if}\alpha \equiv i\left(\text{mod}n\right)\\ {\delta }^{\left(-p_i-q_i\right)/4},& \text{if}\alpha \not\equiv i\left(\text{mod}n\right)\end{array}$$

b. This allows the party to perform the biprimality test with: $${\displaystyle \prod _{i=1}^n{Q}_1}\stackrel{?}{\equiv }\pm 1\left(\text{mod}N\right)$$

Images