niclabs / dtc

PKCS11-compatible Distributed Threshold Cryptography Library, written in Go with Cgo

About RSA algorithm and threshold signature #12

Open itachiliu opened 3 years ago

itachiliu commented 3 years ago

The key parameters of the RSA algorithm are P, Q and E. You create the key with the function `func NewKey(bitSize int, k, l uint16, args *KeyMetaArgs) (shares KeyShareList, meta *KeyMeta, err error)`. Then I assigned values to `args.P` and `args.Q`, recompiled and ran. The error occurred: `cannot create RRSig: pkcs11: 0xC0: CKR_SIGNATURE_INVALID. Retrying...` I checked this problem. I found that your main parameters are P, Q, E, Pr and Qr. They have the following relationship:

1. P = 2 * Pr + 1
2. Q = 2 * Qr + 1
3. P, Q, Pr, Qr must be primes

The question is: is the relationship between P and Pr (Q and Qr) necessary? Can I break the relationship? If the answer is no, can you explain the effect of Pr and Qr (about threshold signature)?

This is your code. My code is as follows:

    …
    args.P , _ = new(big.Int).SetString("11412879881261784034341875847556879290386586673811980422472038049071203164497810274017917803536267218219969053848641800960281780069534399041656149390689081", 10)
    args.Q , _ = new(big.Int).SetString("11308172758222196531824125862641498135187285652645845194187882846704990728143368707278921853970069922413307739946193961641311362159501349419905193007290891", 10)
    if args.P != nil {
        if !args.P.ProbablyPrime(c) {
            err = fmt.Errorf("p should be prime, but it's not")
            return
        }
        p.Set(args.P)
        // pr = (p - 1) / 2; only p is tested for primality on this path
        pr.Sub(p, big.NewInt(1)).Div(pr, big.NewInt(2))
    } else {
        if p, pr, err = generateSafePrimes(pPrimeSize, rand.Reader); err != nil {
            return
        }
    }

    if args.Q != nil {
        if !args.Q.ProbablyPrime(c) {
            err = fmt.Errorf("q should be prime, but it's not")
            return
        }
        q.Set(args.Q)
        // qr = (q - 1) / 2; only q is tested for primality on this path
        qr.Sub(q, big.NewInt(1)).Div(qr, big.NewInt(2))
    } else {
        if q, qr, err = generateSafePrimes(qPrimeSize, rand.Reader); err != nil {
            return
        }
    }

    n.Mul(p, q)
    m.Mul(pr, qr)

    meta.PublicKey.N = n
    fmt.Println("meta.PublicKey.N:", meta.PublicKey.N)

    lBig.SetUint64(uint64(l))
    …

eriverosr commented 3 years ago

Hello,

According to Victor Shoup's paper (tcrsa is an implementation of that paper), you need an N composed of two large primes (P and Q), and each prime must satisfy the constraint that its value minus one and then halved is also prime (Pr and Qr in the code).

If you do not satisfy the constraint, you are not following the construction from the paper, and then you are exposed to the risk that your secret key could be insecure (I am not completely fluent in the topic, but I assume the probability of choosing a generator of a small subgroup for Z_m is considerably higher if Pr and Qr are not primes). In any case, I recommend that you check the paper and the construction of the cryptosystem to understand better why Pr and Qr should be primes.
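As an added example (not code from dtc or tcrsa), the Go program below checks the safe-prime constraint discussed in this thread and, going beyond the thread, brute-forces two constructed toy moduli to count how many squares mod N have order m = Pr * Qr. The function names `safePrimeFactor` and `squareOrders` and the toy primes are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math/big"
)

// safePrimeFactor returns pr = (p-1)/2 only when p and pr are both (probably) prime.
func safePrimeFactor(p *big.Int, rounds int) (*big.Int, error) {
	if !p.ProbablyPrime(rounds) {
		return nil, fmt.Errorf("%v is not prime", p)
	}
	pr := new(big.Int).Rsh(new(big.Int).Sub(p, big.NewInt(1)), 1)
	if !pr.ProbablyPrime(rounds) {
		return nil, fmt.Errorf("(%v-1)/2 = %v is not prime", p, pr)
	}
	return pr, nil
}

// squareOrders brute-forces a toy modulus n = p*q (p, q odd primes). It returns the
// number of squares in Z_n^* and how many have order m = ((p-1)/2)*((q-1)/2).
func squareOrders(p, q int64) (squares, generators int) {
	n, m := p*q, ((p-1)/2)*((q-1)/2)
	seen := map[int64]bool{}
	for a := int64(1); a < n; a++ {
		s := a * a % n
		if a%p == 0 || a%q == 0 || seen[s] {
			continue
		}
		seen[s] = true
		ord := int64(1)
		for x := s; x != 1; x = x * s % n {
			ord++
		}
		if ord == m {
			generators++
		}
	}
	return len(seen), generators
}

func main() {
	// Constructed toy primes: 23 = 2*11+1 and 47 = 2*23+1 are safe; 13 and 29 are not.
	for _, pq := range [][2]int64{{23, 47}, {13, 29}} {
		_, err := safePrimeFactor(big.NewInt(pq[0]), 20)
		sq, gen := squareOrders(pq[0], pq[1])
		fmt.Printf("p=%d q=%d safe-prime error=%v squares=%d generators=%d\n", pq[0], pq[1], err, sq, gen)
	}
}
```

With the safe primes 23 and 47 the squares form a cyclic group of order 253 and 220 of them generate it; with 13 and 29 there are 84 squares and none has order 84.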

itachiliu commented 3 years ago

> Hello,
>
> According to Victor Shoup's paper (tcrsa is an implementation of that paper), you need an N composed of two large primes (P and Q), and each prime must satisfy the constraint that its value minus one and then halved is also prime (Pr and Qr in the code).
>
> If you do not satisfy the constraint, you are not following the construction from the paper, and then you are exposed to the risk that your secret key could be insecure (I am not completely fluent in the topic, but I assume the probability of choosing a generator of a small subgroup for Z_m is considerably higher if Pr and Qr are not primes). In any case, I recommend that you check the paper and the construction of the cryptosystem to understand better why Pr and Qr should be primes.

Thanks for your reply. I will read this paper.