1 / 28

Robust Threshold DSS Signatures using Secure Distributed Key Generation

Robust Threshold DSS Signatures using Secure Distributed Key Generation. Private : x : secret key k  R Z q *. DSS signature scheme. A discrete-log based signature algorithm. Public: p : large prime (512-1024 bit). q : 160 bit prime so that q|p-1 g : element of order q in Z p *

palma
Download Presentation

Robust Threshold DSS Signatures using Secure Distributed Key Generation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Robust Threshold DSS SignaturesusingSecure Distributed Key Generation

  2. Private : • x : secret key • k R Zq* DSS signature scheme • A discrete-log based signature algorithm. • Public: • p : large prime (512-1024 bit). • q : 160 bit prime so that q|p-1 • g : element of order q in Zp* • m : SHA-1 hashed message • y : gx mod p • Signature : • r = (gk-1mod p) mod q • s = k(m+xr) mod q • Verification : • r =?(gms-1yrs-1 mod p) mod q

  3. Calculate without revealing k Threshold DSS • Main issues : • Distribute a secret key x • Jointly generate k, uniformly distributed in Zq without a trusted party • r = (gk-1mod p) mod q • s = k(m+xr) mod q • Combine shares of x and k to generate shares of the s part of the signature without reconstructing neither x nor k Proof required: If DSS is secure, the threshold scheme is secure

  4. Communication Model • n players – Polynomial randomized Turing machines • Private PTP channels • Dedicated broadcast channel • Pseudo synchronous channel.

  5. Eavesdropping adversary Halting adversary Malicious adversary Adversary Model

  6. Distributed Key Generation Protocol Joint Shamir RSS – a method to collectively choose shares of a (t,n) random secret.

  7. f1(z) = a0+ a1z+ a2z2+ a3z3+…+ atzt f1(z) = a0+ a1z+ a2z2+ a3z3+…+ atzt f2(z) = a0+ a1z+ a2z2+ a3z3+…+ atzt f2(z) = a0+ a1z+ a2z2+ a3z3+…+ atzt 0 11 0 P1 0 12 P1 P1 P1 P1 P1 P1 P1 P1 P1 21 22 P2 Pn P2 P2 P2 P2 P2 P2 P2 P2 P2 1n Pn Pn Pn Pn Pn Pn Pn Pn Pn 2n 0 23 13 0 P3 1n-1 P3 P3 P3 P3 P3 P3 P3 P3 P3 2n-1 Pn-1 Pn-1 Pn-1 Pn-1 Pn-1 Pn-1 Pn-1 Pn-1 Pn-1 Pn-1 24 14 2j 1j P4 0 P4 P4 P4 P4 P4 P4 P4 P4 P4 P… P… P… P… P… P… P… P… P… P… Joint Shamir RSS

  8.   = = = P1 P1 P1 P1 11 11 11 11 21 21 21 21 … … … … i1 i1 i1 i1 … … … … n1 n1 n1 n1 1 1 1  = P1   11 21 … i1 … n1 = = 1 P2 P2 P2 P2 12 12 12 12 22 22 22 22 … … … … i2 i2 i2 i2 … … … … n2 n2 n2 n2 2 2  = = P2  12 22 … i2 … n2 2 Pi Pi Pi Pi 1i 1i 1i 1i 2i 2i 2i 2i … … … … ii ii ii ii … … … … ni ni ni ni i =  Pi  1i 2i … ii … ni = i Pn Pn Pn Pn 1n 1n 1n 1n 2n 2n 2n 2n … … … … in in in in … … … … nn nn nn nn n  = Pn 1n 2n … in … nn n Joint Shamir RSS cont. Joint secret = f(0)

  9. In order to locally compute r, every player must have . Computing Reciprocals Threshold DSS Any knowledge of k or k-1 is not allowed to any group of t or less players.

  10. The multiplication of the shares will give a share of ka , on a 2t degree polynomial: It Works ! Is it safe? Multiplication of 2 Secrets Assume each player j holds shares kj , aj of k and a, respectively:

  11. Example: is a 2t degree polynomial (t=1), But is not a product of 2 t-degree polynomials. Multiplication Security The resulted 2t-degree polynomial should be random for security. A product of 2 t-degree polynomials is not a random polynomial ! So the distribution of the 2t polynomials is biased (non uniform).

  12. Joint Shamir ZSS A method to collectively choose shares of a (t,n) zero “secret”. The protocol is the same as Joint Shamir RSS, but instead of choosing n random secrets, the players choose polynomials with the constraint: fi(0) = 0 Adding shares of a Zero secret to a shared secret, achieves randomization of shares, without changing the secret.

  13. Example: is a 2t degree polynomial (t=1), But is not a product of 2 t-degree polynomials. Solution: Add a share bj of a 2t-degree polynomial distributed by Joint Shamir ZSS, and the total secret will be: Now, on a random 2t-degree polynomial: Multiplication Security The resulted 2t-degree polynomial should be random for security. A product of 2 t-degree polynomials is not a random polynomial ! So the distribution of the 2t polynomials is biased (non uniform).

  14. (c) Player Pi broadcasts gk-1 Secure Calculation Each player already holds a share ki of the random secret k. • Execute Joint Shamir ZSS to get shares bi of a random 2t-degree polynomial with constant term 0. • The players generate a random value, a using Joint Shamir RSS – shares ai are on a t-degree polynomial. (d) Player Pi locally computes :   Interpolate(v1,…,vn) mod q [= ka mod q] (min.2t +1 players)   Exp-Interpolate(w1,…,wn) mod q [= ga mod q] r  -1 mod p mod q [= (ga) -1 = gk-1 mod p mod q (a-1 =k-1 mod q)

  15. k 3) Locally compute as mentioned before. r DSS Signature - Protocol 1 • Generate k, uniform random secret • using Joint Shamir RSS • (t-degree polynomial) . 2) Generate random polynomial with constant term 0 using Joint Shamir ZSS (2t-degree polynomial) Shares: {ci}i{1…n}.

  16. 4) Generate s=k(m+xr)modq : (a) Pi broadcasts si=ki(m+xir)+cimodq 5) Output : (r,s) the signature of m. s DSS Protocol 1 contd. (b) Each player locally computes : s  Interpolate (s1,…,sn) mod q

  17. Out ! t+1 Complaints and Disqualifications Pi disqualification criteria : 1) More than t players complain against Pi

  18. Ai0,…,Ait= Si(j)=a0+a1j+…+atjt Not about this you fool! gao,…, gat j I did not have sex with that woman! complaint 2) After Pj complains, Pi should reveal si(j) share, which satisfies the verification values Aik .A failure in any of the suspicious si(j) leads to disqualification of Pi. …Oh, I’m OK, I gave him this si(j) , check for yourselves.

  19. We denote QUAL to be the set of non-disqualified players. QUAL

  20. Robust Distributed Key Generation Protocol Joint Shamir RSS – ? Problem: Does not allow shares consistency check. Joint Feldman VSS – Every player i broadcasts values yik = gaik mod p for k = 0,…,t aik is the kth coefficient of Pi polynomial . Then, every player i verifies his Pj shares (total of n-1) by: gji = tk=0(yjk)ik mod p, ji is the share Pj -> Pi Problem: Not Secure Against A Malicious Adversary !

  21. How Adversary computes : Attack Against Joint Feldman An adversary can influence the result distribution to be non-uniform. By affecting the decision about QUAL . Assume adversary prefers keys y=g so that lsb(y)=0 . Faulty P1 gives P3,…,Pt+2 (total of t) inconsistent shares. t complaints are submitted against P1 . If  ends with a 0, P2 will do nothing . If  ends with 1 the adversary forces P2 tocomplain against P1 and disqualifies him.

  22. i=f(i) i =f’(i) Unconditionally Secure VSS(Pedersen) • Parameters: • p,q,g as in DSS. • h  Zp* | h  {gu mod q} (u is unknown and hard to compute) f(z) = a0+ a1z+ a2z2+ a3z3+…+ atzt f ’(z) = b0+ b1z+ b2z2+ b3z3+…+ btzt

  23. Unconditionally Secure VSS cont. • Parameters: • p,q,g as in DSS. • h  Zp* | h  {gu mod q} (u is unknown and hard to compute) • dealer : • choose t degree polynomials: f(z), f’(z) • Send player Pi : i=f(i), i =f’(i) • Commits to each coefficient by broadcasting Aj = gajhbj • Player : • Verify : if gi h i =j(Aj)ij mod p ? • Wrong? Complain. More than t complaints? Disqualify! • For each complaint, the dealer broadcasts i and i .

  24. Unconditionally Secure VSS cont. Why is it secure? For any i’ there exists only one bi’ so that Ai=gi’ hbi’ i.e,in finding such a pair, one can calculate u, the discrete log of h!

  25. k 3) Locally compute as mentioned before? r DSS Signature - Protocol 2 • Generate k, uniform random secret • using Joint Unconditional RSS • (t-degree polynomial) . 2) Generate random polynomial with constant term 0 using Joint Unconditional ZSS (2t-degree polynomial) Shares: {ci}i{1…n}.

  26. gk-1 Secure Calculation Each player already holds a share ki of the random secret k. • Execute Joint Shamir ZSS to get shares bi of a random 2t-degree polynomial with constant term 0. • The players generate a random value, a using Joint Shamir RSS – shares ai are on a t-degree polynomial. (c) Player Pi broadcasts (d) Player Pi locally computes :   Interpolate(v1,…,vn) mod q [= ka mod q] (min.2t +1 players)   Exp-Interpolate(w1,…,wn) mod q [= ga mod q] r  -1 mod p mod q [= (ga) -1 = gk-1 mod p mod q (a-1 =k-1 mod q)

  27. Joint EXP VSS • If  is the secret, in this case we’ll want to publish the value of g. • The problem : • Feldman DKG is not secure. • Pedersen protocol does not reveal g . • The Solution: • Run Pedersen Joint Unc.VSS protocol to produce a distributed key. • Set the group of non disqualified players as GOOD. • Run Feldman Joint VSS using the same polynomials, on group GOOD in order to publish g. • For each complaint, run Pedersen reconstruction phase to reconstruct the the bad players’ contribution.

  28. 4) Generate s=k(m+xr)modq : (a) Pi broadcasts si=ki(m+xir)+cimodq 5) Output : (r,s) the signature of m. s DSS Protocol 2 cont. (b) Each player locally computes : s EC-Interpolate (s1,…,sn) mod q

More Related