310 likes | 431 Views
Two -Efficient and Provably Secure Schemes for Server-Assisted Threshold Signatures. Ravi Sandhu. Joint work with Shouhuai Xu. Roadmap. Motivation Cryptographic preliminaries First scheme: TPAKE-HTSig Second scheme: LW-TSig Related work. Motivation.
E N D
Two-Efficient and Provably Secure Schemes for Server-Assisted Threshold Signatures Ravi Sandhu Joint work with Shouhuai Xu
Roadmap • Motivation • Cryptographic preliminaries • First scheme: TPAKE-HTSig • Second scheme: LW-TSig • Related work
Motivation • Modern cryptography is “key-centric” • Rivest-Shamir-Adleman have no “short cut” in breaking RSA • But you can generate Rivest’s digital signatures once you compromised his private key • This has no counterpart in handwriting signatures • Since compromise will inevitably happen, one can only expect “second to the best” • Minimize the damage
Motivation • So how to protect the private signing keys (or functions) • conveniently • cheaply • efficiently
Our Approach • Assume a set of (>2) servers provide service (e.g., for economic incentives) like threshold signing • Differ from standard threshold signing • only a user can invoke her signing function • compromise of a user’s machine does not necessarily mean her signing function is compromised (i.e., the adversary may still unable to invoke the servers) • compromise of a threshold number of servers does not necessarily mean her signing function is compromised
Our Approach • The core underlying our approach is some convenient, cheap, efficient mechanisms whereby the servers collaboratively authenticate a user • threshold password authenticated key exchange (e.g., [MacKenzie et al. Crypto’02]) • symmetric key-based authentication (e.g., MAC) • Don’t confuse “server-added signature” (which is motivated to provide better efficiency) with our “server-assisted signature” (which is motivated to provide better security) • though they do overlap sometimes
Roadmap • Motivation • Cryptographic preliminaries • First scheme: TPAKE-HTSig • Second scheme: LW-Tsig • Related work
Cryptographic Preliminaries • Message authentication code (MAC) • secure against adaptive chosen message attack • Signature scheme (Sig.Init, Sig.Sig, Sig.Ver) • secure against adaptive chosen message attack • we are interested in a class of signature schemes that have efficient distributed version
Cryptographic Preliminaries • Threshold Signature scheme (TSig.Init, TSig.Sig, TSig.Ver) • secure against adaptive chosen message attack • 2-party Signature scheme (2Sig.Init, 2Sig.Sig, 2Sig.Ver) • secure against adaptive chosen message attack • Hybrid-Threshold Signature scheme, which is a composition of TSig and 2Sig, consists of (HTSig.Init, HTSig.Sig, HTSig.Ver) • a user splits her private key X into two shares X1, X2 • the user holds X1 as in 2Sig • the user shares X2 among the servers as in TSig
Cryptographic Preliminaries • Threshold Password-Authenticated Key Exchange scheme (TPAKE.Init, TPAKE.Login) • a user shares her password among servers via TPAKE.Init • a user authenticates herself to the servers via TPAKE.Login, which may also output a fresh session key with each server • TPAKE.Login is secure against off-line dictionary attack • compromise of no more than a threshold number of servers does not make the password subject to off-line dictionary attack • the first TPAKE is due to [MacKenzie et al. Crypto’02]
Roadmap • Motivation • Cryptographic preliminaries • First scheme: TPAKE-HTSig • Second scheme: LW-Tsig • Related work
First Scheme: TPAKE-HTSig • TPAKE-HTSig is a composition of TPAKE and HTSig • Idea is simple • Run a TPAKE to authenticate a user and generate a fresh session key that is common to the user and each individual server • The servers authenticate signing requests using the session keys; the signing operation is similar to TSig.Sig • The user obtains a signature as in 2Sig.Sig
TPAKE.Login outputs key1 MACkey1(m) partial signature 1 server 1 TPAKE.Login outputs key2 MACkey2(m) partial signature 2 server 2 … TPAKE.Login outputs keyn MACkeyn(m) partial signature n server n TPAKE-HTSig
TPAKE-HTSig: another look HTSig glue: session key based authentication TPAKE
TPAKE-HTSig • Some comments • We give a specification of TPAKE, so any scheme (e.g., more efficient than [MSJ02]) satisfying it can plug-and-play • DLOG based HTSig can pug-and-play in TPAKE-HTSig • RSA-based HTSig is more subtle • [Shoup Eurocrypt’00] scheme cannot be used unless one assume that no threshold number of servers are compromised • [Rabin Crypto’98] scheme can be used, but need additional care
Roadmap • Motivation • Cryptographic preliminaries • First scheme: TPAKE-HTSig • Second scheme: LW-TSig • Related work
Second Scheme: LW-TSig • LW-TSig stands for Light-Weight server-assisted Threshold Signatures • Idea is simple • a user holds (say) a smartcard • she shares her private key among the servers, as in TSig • she shares a symmetric key with each server • invocation of signing function is based on MACs
MACkey1(m) partial signature 1 server 1 MACkey2(m) partial signature 2 server 2 … MACkeyn(m) partial signature n server n LW-TSig
LW-TSig • Some comments • a smartcard does not need a cryptographic co-processor • communication between a smartcard and the servers can be done via a signature receiver
Roadmap • Motivation • Cryptographic preliminaries • First scheme: TPAKE-HTSig • Second scheme: LW-Tsig • Related work
Related Work • Instead of comparing our work with the related works one-by-one, we present a taxonomy of systems protecting private signing functions • The taxonomy is based on • user storage media: human-memory (for password), soft-token, hard-token, soft- & hard-token • number of runtime key-shares: 1, 2, >2
Taxonomy number of runtime key-shares >2 • a user downloads (say, to a public computer) her private key stored at some remote server(s) • password-based authenticated key exchange (for session key) 2 1 downloading user storage media human-memory soft- & hard-token soft-token hard-token
Taxonomy number of runtime key-shares >2 special case of TPAKE-HTSig a user utilizes a password to activate multiple remote servers to generate a threshold signature downsized (password, >2) 2 1 downloading user storage media human-memory soft- & hard-token soft-token hard-token
Taxonomy number of runtime key-shares • Two types of systems: • password-protected private key (a variant can block off-line dictionary attack if public keys are kept secret) • forward-security: compromising today’s private key does not mean compromising yesterday's private key >2 special case of TPAKE-HTSig downsized (password, >2) 2 1 downloading (soft-token,1) user storage media human-memory soft- & hard-token soft-token hard-token
Taxonomy number of runtime key-shares >2 special case of TPAKE-HTSig TPAKE-HTSig • password-based authentication • composition of two-party and threshold signatures downsized (password, >2) downsized TPAKE-HTSig 2 1 downloading (soft-token,1) user storage media human-memory soft- & hard-token soft-token hard-token
Taxonomy a user invokes a set of remote servers via symmetric authentication number of runtime key-shares >2 special case of TPAKE-HTSig TPAKE-HTSig LW-TSig downsized (password, >2) downsized TPAKE-HTSig downsized LW-TSig 2 1 downloading traditional (soft-token,1) user storage media human-memory soft- & hard-token soft-token hard-token
Taxonomy number of runtime key-shares >2 special case of TPAKE-HTSig • compromise of today’s private key does not mean compromise of yesterday’s or tomorrow’s private key • even if soft-token and hard-token are compromised simultaneously, forward-security is still ensured TPAKE-HTSig LW-TSig downsized (password, >2) downsized TPAKE-HTSig downsized LW-TSig 2 key-insulation/ intrusion-resilience 1 traditional downloading (soft-token,1) user storage media human-memory soft- & hard-token soft-token hard-token
Taxonomy number of runtime key-shares >2 special case of TPAKE-HTSig extension to TPAKE-HTSig and LW-TSig TPAKE-HTSig LW-TSig downsized (password, >2) downsized TPAKE-HTSig downsized LW-TSig 2 two-party signatures key-insulation/ intrusion-resilience 1 traditional downloading (soft-token,1) user storage media human-memory soft- & hard-token soft-token hard-token
Q & A • Our constructions are obtained via modular composition, but our security analysis method is more specific • Canetti’s is more general • Why [Shoup Eurocrypt’00] cannot be used? • An adversary compromising a threshold number of servers can obtain X2. Since [S00] requests that the public exponent corresponding to X2 be public, the adversary can factor the user’s RSA modulus.
Q & A • What care we need for [Rabin Crypto’98]? • If [MSJ02] TPAKE is used, we need another layer of invocation that a threshold number of servers activates all the servers. This is specific to [MSJ02], though. • Denial-of-service attack is appropriately dealt with; otherwise, the secret share of a server under denial-of-service attack is interpolated and could make the threshold protection meaningless.