mersenneforum.org - Double-checking PRP

mersenneforum.org (https://www.mersenneforum.org/index.php)

- Math (https://www.mersenneforum.org/forumdisplay.php?f=8)

- - Double-checking PRP (https://www.mersenneforum.org/showthread.php?t=23669)

Double-checking PRP

A longstanding problem is how to get rid of the expensive double-checking for PRP.

Let's assume that PRP with GEC is "perfect" i.e. produces no errors, ever.

Now the double-checking is still needed against attackers who intentionally fake it: they submit bogus results; they put significant effort in manufacturing genuine-looking fake results; they read the double-checking source code and mersenneforum.org and attempt to work-around any checks and tricks there.

We'd like to find a technique allowing to reliably detect a fake with less effort then the effort that was put into manufacturing the fake.

So here it comes:

The server chooses a *special* iteration number, fixed, let's say K=36756720, and asks the user to send the "bits" at that iteration. i.e. for m==M(p)==2^p - 1, to send
R = 3^(2^K) %m together with the result. (the cost: no additional computation cost as the user anyway computes that, but network transfer cost for m bits, and storage cost (m bits) on the server until validation).

Validation:
The server chooses, randomly, a set of primes p_i such that
(p_i - 1) | K

Computes X = 3^product(p_i)

Computes S = R/3 = 3^(2^K - 1) %m (which can be trivially computed from R)

And verifies that X divides S (e.g. by checking that GCD(X, S)==X).

In addition, the server chooses a value L < K, as large as practical,
and verifies that 3^(2^L) | R

The thesis is that the cheapest way for the attacker to reliably pass the test is to actually compute 3^(2^K) (there's no easy way to fake it); And the server can do the verification much cheaper than that.

[QUOTE=preda;496647]
The server chooses, randomly, a set of primes p_i such that
(p_i - 1) | K
[/QUOTE]

In fact the allowable set of p_i is: any p such that z(p) | K,

where z is the "multiplicative order of 2 mod p", i.e. 2^z==1 mod p. z | (p - 1)

There are 742 (!) primes such that z(p) | 36756720.
See attached.

[QUOTE=preda;496652]There are 742 (!) primes such that z(p) | 36756720.
See attached.[/QUOTE]

And the *sorted* list of primes:

[QUOTE=preda;496652]There are 742 (!) primes such that z(p) | 36756720.
See attached.[/QUOTE]

What happens if the attacker computes 3^((prod P_i)+1) ?

[QUOTE=axn;496654]What happens if the attacker computes 3^((prod P_i)+1) ?[/QUOTE]

It fails 3^(2^L)

[QUOTE=preda;496655]It fails 3^(2^L)[/QUOTE]

ok, so they can compute (3^((prod p_i)+1)*(3^2^L) [L as large as practical to effectively fake residue]?

EDIT:- Scratch that. I think it needs to be 3^((prod p_i)*C+1), such that 2^L | ((prod p_i)*C+1). Should be doable - C will be appr. L bits

I think my initial idea doesn't work at all. I did some huge mistakes in my initial write-up. My apologies. Maybe a moderator could delete the whole thread, thanks!

[QUOTE=preda;496657]I think my initial idea doesn't work at all.[/QUOTE]

Yep. The mod Mp destroys the structure and the GCD(X,S) wouldn't work :doh!:

[QUOTE=axn;496658]Yep. The mod Mp destroys the structure and the GCD(X,S) wouldn't work :doh!:[/QUOTE]

Yes, that's one of them huge mistakes :)

I was hypoglycemic or hypercaffeinated or underslept or worse.

[QUOTE=preda;496659]Yes, that's one of them huge mistakes :)

I was hypoglycemic or hypercaffeinated or underslept or worse.[/QUOTE]

It happens to the best ones :-)