DISTRIBUTED CRYPTOSYSTEMS Moti Yung
Distributed Trust -- traditionally
• Secret sharing:
• Linear sharing over a group (sum sharing) gives n-out-of-n sharing of a secret.
• Threshold schemes [Shamir, Blakley]: use polynomial interpolation (or a geometric structure) to share so that, for threshold t out of n:
• every group of t+1 servers knows the secret;
• every group of up to t servers knows nothing.
• We EXTEND sharing of a secret to "SHARING A CAPABILITY".
SECRET SHARING [B, Sh]
(figure: key split into shares s1, …, sv)
• v out of v (additive) sharing: s1 + … + sv = key
• t out of v polynomial sharing: each si is a point on a polynomial whose constant term is the key
Inefficient way: Secure Function Evaluation
• PART OF A SET OF PROTOCOLS
• Basic initial protocols:
• Coin Flipping [Blum]
• Oblivious Transfer [Rabin]
• Mental Poker [SRA]
• Given any polynomial-size circuit, compute it on secret inputs so that only the result becomes known [Yao, GMW, …].
Secure Distributed Computing: [Yao, GMW]
(figure: servers hold secret inputs and jointly compute P(Input))
General function compilers:
1) are merely plausibility results;
2) gross inefficiency: communication complexity linear in the function's circuit size.
Efficient Distributed Function Application
Function Sharing: [Boyd, CH, DF, F, DDFY]
(figure: the key is shared as s1, …, sv; on a common Input the servers produce Pkey(Input) without ever reconstructing key)
• Robust: polynomial-time availability for any misbehaving minority of up to t servers
• t+1 servers can compute Pkey(Input); t cannot
• No entity learns key after the function application
Proof of security
Given a regular (centralized) system, say RSA, we say the distributed (threshold) system is secure if, given only the input/output relationships of the centralized system, we can "simulate" the distributed protocol that generates the final output (signature, decrypted value, etc.). Whatever the adversary sees in the real protocol can then be produced without the key shares, so the shares it holds give it nothing beyond the centralized system's outputs.
El Gamal Distributed Decryption
• p = 2q+1 (exponents live in Zq)
• g a generator of order q
• Private key x, public key y = g^x (mod p)
• x = s1 + s2 + s3 (mod q); each server i holds si, i = 1, 2, 3
• ElGamal:
• Public key: p, q, g, y = g^x; secret: x
• To encrypt M choose a random r and send <g^r, y^r * M> = <A, B>
• To decrypt:
To Decrypt
• Input A, B
• Each server computes its partial: A^s1, A^s2, A^s3
• Combiner multiplies: A^s1 * A^s2 * A^s3 = A^(s1+s2+s3) = A^x = (g^r)^x = (g^x)^r = y^r
• B / y^r = (y^r * M) / y^r = M (decrypted message)
To get 2-out-of-3: every share is a point on a degree-1 polynomial with constant term x; before acting, each server multiplies its share by its Lagrange coefficient (which depends on who the other participating server is), and this linearizes the problem to the additive case above. This is possible because Zq is a field, so the inverses needed for the Lagrange coefficients exist.
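The two ElGamal slides above carried out in code. This is an added example, not part of the original deck: the toy parameters p = 2039, q = 1019, g = 4 are constructed for illustration (far too small for real use), the function names are the example's own, and messages are treated as arbitrary elements of Z_p^* rather than encoded into the order-q subgroup as a real deployment would require. The 3-of-3 case uses additive shares; the 2-of-3 case uses Shamir shares and applies the Lagrange coefficient in the exponent, which is exactly the linearization the slide describes.

```python
"""Threshold ElGamal decryption: 3-of-3 additive shares, then 2-of-3 Shamir shares
linearized with Lagrange coefficients in the exponent.
Toy parameters (constructed for this example): p = 2q + 1 = 2039, q = 1019, g = 4."""
import secrets

Q = 1019                 # prime; exponents live in Z_q
P = 2 * Q + 1            # safe prime 2039
G = 4                    # 4 = 2^2 is a quadratic residue, hence of order q
assert pow(G, Q, P) == 1 and G != 1


def keygen():
    """Private x in Z_q, public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y, m):
    """ElGamal: random r, output <A, B> = <g^r, y^r * m> mod p (m is any element of Z_p^*)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(y, r, P) * m % P


def additive_shares(x, n):
    """n-of-n sharing: s_1 + ... + s_n = x mod q."""
    shares = [secrets.randbelow(Q) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % Q)
    return shares


def shamir_shares(x, t, n):
    """(t+1)-of-n sharing: share i is f(i) for a random degree-t polynomial f with f(0) = x."""
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(t)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}


def lagrange_coeff(i, indices):
    """lambda_i = prod_{j != i} (0 - j) / (i - j) mod q; division is legal because Z_q is a field."""
    num = den = 1
    for j in indices:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def partial_decrypt(A, s):
    """Each server raises A = g^r to its own share; the key x is never reconstructed."""
    return pow(A, s, P)


def combine_additive(B, partials):
    """prod A^{s_i} = A^{sum s_i} = A^x = y^r, then m = B / y^r."""
    yr = 1
    for part in partials:
        yr = yr * part % P
    return B * pow(yr, -1, P) % P


def combine_threshold(B, partials):
    """partials maps server index i -> A^{s_i}; raising to lambda_i gives A^{lambda_i s_i},
    and the product is A^{sum lambda_i s_i} = A^{f(0)} = A^x = y^r."""
    indices = list(partials)
    yr = 1
    for i in indices:
        yr = yr * pow(partials[i], lagrange_coeff(i, indices), P) % P
    return B * pow(yr, -1, P) % P


def demo_additive(m):
    """3-of-3: all three servers must contribute a partial."""
    x, y = keygen()
    A, B = encrypt(y, m)
    partials = [partial_decrypt(A, s) for s in additive_shares(x, 3)]
    return combine_additive(B, partials)


def demo_threshold(m, present):
    """2-of-3: any two servers (indices in `present`) decrypt; each partial is weighted by
    the Lagrange coefficient determined by who the other participant is."""
    x, y = keygen()
    shares = shamir_shares(x, 1, 3)
    A, B = encrypt(y, m)
    partials = {i: partial_decrypt(A, shares[i]) for i in present}
    return combine_threshold(B, partials)


if __name__ == "__main__":
    print(demo_additive(42), demo_threshold(42, (1, 3)), demo_threshold(42, (2, 3)))
```

The combiner only ever sees A^{s_i}; a single Shamir partial (a point on a degree-1 polynomial raised into the exponent) carries no information about x, which is why a lone server cannot decrypt. In a real system the decryptor would also verify that each partial is well formed (the robustness issue taken up for RSA later in the deck).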
(t,v) threshold RSA
Centralized: Pkey(m) = m^d mod n, key = (d, n).
Transformed to shares s1, …, sv held by v servers, who together compute Pkey(m) = m^d mod n.
• Any t+1 out of v can sign m
• Non-interactively or in a few rounds
(v,v) threshold RSA -- security proof outline
Centralized: Pkey(m) = m^d mod n, key = (d, n).
Transformed to: s1 + s2 + … + sv = d; server i holds si and outputs m^si mod n; the product of the partial outputs is m^d mod n.
Any v-1 shares are known to the adversary.
Proof of security
• Simulation argument with input (m, m^d)
• WLOG, let the ADVERSARY control servers 1 through v-1
• Generate s1, …, s(v-1) randomly; the adversary's own partial outputs are m^s1, …, m^s(v-1) mod n
• Server v's partial output is simulated as m^sv = m^d / (m^s1 * … * m^s(v-1)) mod n, so that m^s1 * … * m^sv = m^d mod n holds without the simulator knowing d
Distributed Cryptosystems (Threshold Crypto) Issues:
• Basic provably secure function sharing [89-90; 94: first provably secure RSA scheme, DDFY]
• Robust function sharing (assuring completion of the operation even if a subset misbehaves) [96 for RSA, DSA]
• Distributed key generation [for DLOG 91, RSA 97, 98]
• Proactive security (protection in the time domain) [OY 91 notion]
• ………
Proactive Public Key [HJJKY]
(figure: timeline of refresh periods, May, June, July)
Robust RSA system
• Can use ZK proofs (expensive)
• Use robustness witnesses: at setup, for a random public g, each server makes its witness g^s1 mod n public (a "witness signature" on g with its share)
• When signing m, server 1 publishes m^s1 mod n together with g^s1 mod n and a proof that both have the same exponent s1
• The combiner checks all proofs and computes m^s1 * … * m^sv = m^d mod n
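The (v,v) RSA slides and the robustness slide above, as one added example that is not the deck's or the cited papers' code. It assumes a toy modulus built from the Mersenne primes 2^31-1 and 2^61-1 with e = 65537, a hash-then-sign message representative, and a Fiat-Shamir equality-of-exponent proof over the integers as the "proof of same exponent"; all function names are the example's own. It shows the additive sharing of d, the simulator that reproduces the adversary's view from (m, m^d) alone, and a combiner that rejects a corrupted partial signature by checking it against the published witness g^{s_i}.

```python
"""v-of-v additive threshold RSA: partial signatures and their combination, the simulator
from the security-proof sketch, and the robustness witness / equal-exponent proof.
Toy parameters: the modulus is built from two Mersenne primes and is NOT a secure key."""
import hashlib
import math
import secrets

P, Q = 2**31 - 1, 2**61 - 1                              # constructed toy primes
N = P * Q
E = 65537
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)     # lambda(n): known to the dealer only
D = pow(E, -1, LAMBDA)                                   # signing exponent (gcd(E, LAMBDA) == 1)
CHALLENGE_BITS = 128


def message_rep(msg: bytes):
    """Hash-then-sign representative in Z_n (stand-in for real padding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def deal_additive(d, v):
    """s_1 + ... + s_v = d (mod lambda(n)). Shares 1..v-1 are uniform on the public range
    [0, n), so a simulator that knows neither d nor lambda(n) can reproduce their distribution."""
    shares = [secrets.randbelow(N) for _ in range(v - 1)]
    shares.append((d - sum(shares)) % LAMBDA)
    return shares


def partial_sign(m, s):
    return pow(m, s, N)


def combine(partials):
    sig = 1
    for x in partials:
        sig = sig * x % N
    return sig


def verify(m, sig):
    return pow(sig, E, N) == m


def simulate_view(m, sig, v):
    """The proof's simulator: from the centralized pair (m, m^d) alone, output the view of an
    adversary controlling servers 1..v-1 (their shares plus server v's partial signature).
    m^{s_v} is forced to m^d / prod m^{s_i}, exactly as in the real protocol."""
    fake_shares = [secrets.randbelow(N) for _ in range(v - 1)]
    prod = combine(partial_sign(m, s) for s in fake_shares)
    partial_v = sig * pow(prod, -1, N) % N
    return fake_shares, partial_v


def _challenge(*vals):
    h = hashlib.sha256(b"|".join(str(x).encode() for x in vals)).digest()
    return int.from_bytes(h, "big") >> (256 - CHALLENGE_BITS)


def prove_same_exponent(g, m, s):
    """Fiat-Shamir proof that the witness W = g^s and the partial sigma = m^s share the exponent s.
    The order of Z_n^* is unknown, so the response z = r + c*s is an integer; r is chosen much
    longer than c*s so that z statistically hides s."""
    W, sigma = pow(g, s, N), pow(m, s, N)
    r = secrets.randbits(N.bit_length() + 2 * CHALLENGE_BITS)
    a, b = pow(g, r, N), pow(m, r, N)
    c = _challenge(g, m, W, sigma, a, b)
    return sigma, (a, b, r + c * s)


def verify_same_exponent(g, m, W, sigma, proof):
    a, b, z = proof
    c = _challenge(g, m, W, sigma, a, b)
    return (pow(g, z, N) == a * pow(W, c, N) % N
            and pow(m, z, N) == b * pow(sigma, c, N) % N)


def robust_sign(m, shares, g, cheater=None):
    """Witnesses g^{s_i} are published once at setup. At signing time each server sends
    (sigma_i, proof); the combiner multiplies only verified partials and reports the rest.
    `cheater` optionally corrupts one server's partial to show that it is caught."""
    witnesses = [pow(g, s, N) for s in shares]
    accepted, rejected = [], []
    for i, s in enumerate(shares):
        sigma, proof = prove_same_exponent(g, m, s)
        if i == cheater:
            sigma = sigma * 2 % N                          # bogus partial signature
        if verify_same_exponent(g, m, witnesses[i], sigma, proof):
            accepted.append(sigma)
        else:
            rejected.append(i)
    return combine(accepted), rejected


if __name__ == "__main__":
    m = message_rep(b"constructed sample message")
    shares = deal_additive(D, 3)
    sig = combine(partial_sign(m, s) for s in shares)
    print(verify(m, sig), robust_sign(m, shares, 5, cheater=1)[1])
```

Two points the code makes concrete. The simulator never touches d or lambda(n): the adversary's v-1 shares are uniform on a public range and the honest server's partial is fully determined by them and by m^d, which is why the view is identical to the real one. And in a v-of-v scheme catching the cheater is all robustness can give you; the operation still fails without that server's partial, which is why the availability guarantee on the function-sharing slide needs a t-of-v structure.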
Problems with t-out-of-v RSA
• Cannot interpolate directly: the inverses in the Lagrange coefficients live in the exponent domain, mod λ(n), which the servers must not know (knowing it allows factoring n)
• Thus, how to get around interpolation (doing it over the integers, or in another extended domain) was a problem
• For proactive security: need to refresh shares over an unknown domain (no "random zero" as in Zq) … to be discussed next
PROACTIVE D-Log based system
• The parties hold s1, s2, s3 with s1 + s2 + s3 = x, the key
• To refresh, server 1 picks r1,1 + r1,2 + r1,3 = 0 mod q: a distributed zero (ADD ZERO PARADIGM)
• It sends r1,1 to server 1 (itself), r1,2 to server 2, r1,3 to server 3
• The other servers do the same
• When the servers add the distributed zeros to their shares:
-- any two shares from before the refresh are useless, and any two shares from after it are useless (shares from different periods cannot be combined)
-- the value of the key is unchanged: x mod q
Proactive RSA v out of v
• Cannot add "zero" (the exponent modulus λ(n) is unknown to the servers)
• But can split a share: s1 → s1,1, s1,2, s1,3 so that s1,1 + s1,2 + s1,3 = s1 (REDISTRIBUTION PARADIGM)
• The other servers do the same; server j's new share is the sum of the pieces it receives
• Shares may grow over time (statistical imbalance, but likely to grow slowly: random-walk analysis)
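The add-zero refresh for discrete-log shares (previous slide) and the redistribution refresh for RSA shares (this slide), as an added example that is not part of the original deck. The group order, exponent and share values are constructed, and the `mask_bits` parameter bounding the random integer sub-shares is the example's own. Secure channels between servers and erasure of old shares, which the real protocols require, are not modelled.

```python
"""Proactive refresh of additive shares: the add-zero paradigm over Z_q (discrete-log keys)
and the redistribution paradigm over the integers (RSA, where the servers do not know the
modulus lambda(n) of the exponent domain). Constructed toy values throughout."""
import secrets

Q = 2**127 - 1          # toy prime order of the DLOG group (Mersenne prime)


def deal_zero(n, q):
    """A random sharing of 0: r_1 + ... + r_n = 0 mod q."""
    r = [secrets.randbelow(q) for _ in range(n - 1)]
    r.append((-sum(r)) % q)
    return r


def refresh_add_zero(shares, q=Q):
    """ADD ZERO PARADIGM. Every server i deals a distributed zero and sends r_{i,j} to server j;
    server j's new share is s_j + sum_i r_{i,j} mod q. The key sum_j s_j mod q is unchanged,
    and a mix of old and new shares sums to the key only if the dealt zeros happen to cancel."""
    n = len(shares)
    new = list(shares)
    for _ in range(n):                      # one distributed zero per dealing server
        r = deal_zero(n, q)
        for j in range(n):
            new[j] = (new[j] + r[j]) % q
    return new


def split_integer(s, n, mask_bits):
    """Integer sub-shares s_1..s_n with s_1 + ... + s_n == s exactly (no modulus involved)."""
    parts = [secrets.randbits(mask_bits) - (1 << (mask_bits - 1)) for _ in range(n - 1)]
    parts.append(s - sum(parts))
    return parts


def refresh_redistribute(shares, mask_bits):
    """REDISTRIBUTION PARADIGM. Server i splits its own share s_i into n integer pieces and
    sends s_{i,j} to server j; server j's new share is sum_i s_{i,j}. The total over all
    servers is preserved over the integers, so m^{total} mod n is still m^d."""
    n = len(shares)
    new = [0] * n
    for s in shares:
        for j, piece in enumerate(split_integer(s, n, mask_bits)):
            new[j] += piece
    return new


def share_growth(shares, rounds, mask_bits):
    """Bit-length of the largest |share| after each refresh period: the random walk the slide
    refers to. Returns the final shares and the per-period sizes."""
    sizes = []
    for _ in range(rounds):
        shares = refresh_redistribute(shares, mask_bits)
        sizes.append(max(abs(s) for s in shares).bit_length())
    return shares, sizes


if __name__ == "__main__":
    x = 123456789
    dlog_old = [11, 22, (x - 33) % Q]
    dlog_new = refresh_add_zero(dlog_old)
    print(sum(dlog_new) % Q == x, (dlog_old[0] + dlog_new[1] + dlog_new[2]) % Q == x)

    d = 2**80 + 7                            # stand-in RSA exponent, never reduced modulo anything
    rsa_shares, sizes = share_growth([d - 5, 2, 3], 20, 64)
    print(sum(rsa_shares) == d, sizes)
```

The two refreshes differ in exactly the way the slides describe: over Z_q the servers can add fresh randomness that sums to zero because they know the modulus, while for RSA the only operation available without lambda(n) is re-splitting what each server already holds, and the integer sub-shares make the share sizes drift from one period to the next.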
Proactive RSA [FGMY1] (principles only)
• Re-randomize the families (figure): Family 1 consists of shares s1, s2, s3, s4 that sum to d.
• Each share si is re-shared into four pieces that sum to si (one row of the figure per share).
• Adding the pieces column-wise gives new shares that again sum to d: Family 2.
• Family 1 thus generates a new family of the same form.
t out of v from t out of t [FGMY-Cr97]
• This idea can be extended to other threshold access structures based on [B89, F89, AGY]
• The sum of the shares in each family (committee) is the secret
• Committees example (figure): 3 out of 4 sharing among servers 1, 2, 3, 4, organized as committees each holding a sum sharing of the secret
Proactive Security - partial history
• Mobile adversary for general function sharing [OY91]
• Proactive pseudo-random generator [CH94]
• Proactive secret sharing [HJKY95]
• Proactive public key (discrete-log systems) [HJJKY96]
• Proactive authenticated communication [CHH97]
• Optimal resilience [FGY focs97]
• Proactive RSA [FGMY97]
Other Issues
• Distributed key generation (and robust)…
• Improved efficiency of solutions for threshold, proactive, etc.
• Note: this spread of risk is possible for a given architecture where one can have a multitude of servers (redundancy)
TYPES OF ADVERSARIES
• Mobile vs. static (stationary) vs. determined at start
• Non-adaptive: makes decisions based on an internal strategy, or
• Adaptive: makes decisions based on the messages in the protocol
• Most deadly adversary: both mobile (dynamic) and adaptive
Conclusions
• Highly structured number-theoretic/algebraic problems may pose constraints due to security requirements (e.g., calculating mod φ(N)).
• When combined with a distributed setting, the problem may become even more challenging.
• Efficiency (practice) + distributed + security constraints ⇒ need for new algorithms and computational techniques (beyond those of the "completeness theorems").
• Developed new "robustness" and "computational" methods (perhaps of independent interest).
Conclusions
• Techniques that distribute trust and avoid single points of security and availability failure are interesting
• The solutions employ distributed systems (which are usually considered the source of security problems) to achieve better security.