Distributed cryptosystems
Moti Yung

Distributed Trust -- traditionally

  • Secret sharing:

    • Linear sharing over a group (sum sharing) gives n-out-of-n sharing of a secret.

  • Threshold schemes [Shamir, Blakley]: use polynomial interpolation (or a geometric structure) to share so that, for t-out-of-n:

    • Every group of t+1 knows the secret

    • Every group of up to t learns nothing

  • We EXTEND sharing of a secret to “SHARING A CAPABILITY”


SECRET SHARING [B, Sh]

[Diagram: the key is split into shares s1, s2, ..., sv, one per server.]

  • v out of v (additive) sharing: s1 + … + sv = key

  • t out of v polynomial sharing
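As an added example (not part of the slides), the two sharings just listed, written out over a small prime field Z_q: additive v-out-of-v sharing, Shamir's t-out-of-v polynomial sharing with Lagrange interpolation, and a function that shows why t shares give nothing away, by extending the same t shares into a valid sharing of any other secret. The modulus q = 101 and the secrets are constructed toy values.

```python
import random

Q = 101  # constructed toy prime; the slides work with exponents in Z_q

def additive_share(secret, v, q=Q):
    """v-out-of-v (sum) sharing: s1 + ... + sv = secret (mod q)."""
    shares = [random.randrange(q) for _ in range(v - 1)]
    shares.append((secret - sum(shares)) % q)
    return shares

def additive_reconstruct(shares, q=Q):
    """Only the full set reconstructs; any v-1 shares are uniform and independent of the secret."""
    return sum(shares) % q

def shamir_share(secret, t, v, q=Q):
    """t-out-of-v polynomial sharing [Shamir]: share i is the point (i, f(i)) on a random
    polynomial f of degree t with f(0) = secret. Any t+1 points fix f; any t do not."""
    coeffs = [secret] + [random.randrange(q) for _ in range(t)]
    return [(i, sum(c * pow(i, k, q) for k, c in enumerate(coeffs)) % q)
            for i in range(1, v + 1)]

def interpolate(points, x, q=Q):
    """Lagrange interpolation over the field Z_q: evaluate at x the unique polynomial of
    degree < len(points) through the given points. interpolate(points, 0) recovers the secret."""
    total = 0
    for i, yi in points:
        num = den = 1
        for j, _ in points:
            if j != i:
                num = num * (x - j) % q
                den = den * (i - j) % q
        total = (total + yi * num * pow(den, -1, q)) % q   # pow(..., -1, q) needs Python 3.8+
    return total

def extend_to_secret(t_points, target, v, q=Q):
    """Why t shares reveal nothing: through (0, target) and any t points there is exactly one
    degree-t polynomial, so the same t shares are consistent with *every* secret. Returns a
    complete sharing of `target` that agrees with the given t shares."""
    pts = [(0, target)] + list(t_points)
    return [(i, interpolate(pts, i, q)) for i in range(1, v + 1)]

if __name__ == "__main__":
    pts = shamir_share(42, 2, 5)
    print("3 of 5 shares ->", interpolate(pts[:3], 0))
    print("same 2 shares extended to secret 7 ->", extend_to_secret(pts[:2], 7, 5))
```

The interpolation needs inverses, which is why the slides insist on working in a field such as Z_q; the same code would not run "mod Lambda(n)" without revealing the factorisation of n.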



Inefficient way: Secure Function Evaluation

  • PART OF A SET OF PROTOCOLS

  • Basic Initial Protocols

    • Coin Flipping [Blum]

    • Oblivious Transfer [Rabin]

    • Mental Poker [SRA]

  • Given any polynomial-size circuit, compute it on secret inputs so that only the result becomes known [Yao, GMW, …].


Secure Distributed Computing: [Yao, GMW]

[Diagram: a party P holding an input; the parties' secret inputs feed a general function.]

General function compilers:

1) are merely plausibility results

2) gross inefficiency: communication complexity linear in the function’s circuit size


Efficient Distributed Function Application

Function Sharing: [Boyd, CH, DF, F, DDFY]

[Diagram: servers holding shares s1, s2, ..., sv each act on the Input; a combiner produces Pkey(Input).]

  • Robust: poly-time availability for any misbehaving minority t

  • t+1 can compute Pkey(Input); t cannot

  • no entity learns key after function application


Proof of security

Given a regular system (RSA, say) then we say:

The distributed (threshold) system is secure if, given the input/output relationships from the centralized system, we can “simulate” the distributed protocol which is used to generate the final output (signature, decrypted value, etc.)


El Gamal Distributed Decryption

  • p = 2q+1 (exponents in Zq)

  • g a generator of order q

  • Private key x, public key y = g^x (mod p)

  • x = s1 + s2 + s3 (mod q).

  • Each server i has si, i = 1,..,3

  • ElGamal:

    • Public Key: p, q, y = g^x. Secret: x

    • To encrypt M choose a random r and send <g^r, y^r * M> = <A, B>

    • To decrypt:


To Decrypt

  • Input A, B

  • Each server computes: A^s1, A^s2, A^s3.

  • Combiner multiplies A^s1 * A^s2 * A^s3 = A^(s1+s2+s3) = A^x = (g^r)^x = (g^x)^r = y^r

  • B / y^r = (y^r * M) / y^r = M (decrypted message)

    To have a 2-out-of-3: every share is a point on a polynomial; before acting, each server multiplies its share by the Lagrange coefficient (which depends on who the other party is), and this linearizes the problem (as above). This is possible because Zq is a field (so computing Lagrange coefficients is fine in a field).
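The two decryption procedures above, 3-out-of-3 with additive shares and 2-out-of-3 with Lagrange coefficients applied in the exponent, as an added example that is not from the slides. The parameters are constructed toy values: q = 83, p = 2q+1 = 167, and g = 4 (a square mod p, hence of order q); nothing here is a real key.

```python
import random

# Constructed toy parameters: safe prime p = 2q + 1, g generates the order-q subgroup.
Q = 83
P = 2 * Q + 1          # 167, prime
G = 4                  # 2^2 mod p is a quadratic residue, so it has order q

def keygen(servers=3):
    """Private key x in Z_q, public key y = g^x; x is split additively: x = s1 + s2 + s3 mod q."""
    x = random.randrange(1, Q)
    shares = [random.randrange(Q) for _ in range(servers - 1)]
    shares.append((x - sum(shares)) % Q)
    return x, pow(G, x, P), shares

def encrypt(y, m):
    r = random.randrange(1, Q)
    return pow(G, r, P), pow(y, r, P) * m % P       # <A, B> = <g^r, y^r * M>

def partial_decrypt(A, share):
    return pow(A, share, P)                          # server i publishes A^{s_i}

def combine_additive(B, partials):
    """Combiner: A^{s1} * A^{s2} * A^{s3} = A^x = y^r, then M = B / y^r."""
    yr = 1
    for d in partials:
        yr = yr * d % P
    return B * pow(yr, -1, P) % P

def shamir_share(x, t, n):
    """Shares are points on a random degree-t polynomial over Z_q with f(0) = x."""
    coeffs = [x] + [random.randrange(Q) for _ in range(t)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_coeff(i, ids):
    """lambda_i = prod_{j != i} j / (j - i) mod q, so that sum_i lambda_i f(i) = f(0).
    Inverses exist because Z_q is a field."""
    lam = 1
    for j in ids:
        if j != i:
            lam = lam * j * pow(j - i, -1, Q) % Q
    return lam

def combine_threshold(B, partials):
    """partials: {server id: A^{f(i)}}. Raising each to its Lagrange coefficient linearizes
    the shares: prod_i (A^{f(i)})^{lambda_i} = A^{sum lambda_i f(i)} = A^x = y^r, since A has order q."""
    ids = list(partials)
    yr = 1
    for i, d in partials.items():
        yr = yr * pow(d, lagrange_coeff(i, ids), P) % P
    return B * pow(yr, -1, P) % P

if __name__ == "__main__":
    x, y, shares = keygen()
    A, B = encrypt(y, 123)
    print("3-of-3:", combine_additive(B, [partial_decrypt(A, s) for s in shares]))
    poly = shamir_share(x, 1, 3)
    print("2-of-3 (servers 1,3):", combine_threshold(B, {i: partial_decrypt(A, poly[i]) for i in (1, 3)}))
```

Note that the servers never exchange shares: each publishes only A^{s_i}, and the combiner does the Lagrange arithmetic in the exponent, which is exactly what keeps x unknown after decryption.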


(t,v) threshold RSA

[Diagram: a single signer P with key = (d, n) computes Pkey(m) = m^d mod n.]

Transformed to:

[Diagram: servers holding s1, s2, ..., sv each act on m; the partial results are multiplied (*) to give Pkey(m) = m^d mod n.]

Any t+1 out of v can sign m

Non-interactively or in a few rounds


(v,v) threshold RSA -- security proof outline

[Diagram: a single signer P with key = (d, n) computes Pkey(m) = m^d mod n.]

Transformed to: s1 + s2 + … + sv = d

[Diagram: servers holding s1, s2, ..., sv each act on m; the partial results are multiplied (*) to give Pkey(m) = m^d mod n.]

Any v-1 are known to the adversary

Proof of security

  • Simulation argument with input: (m, m^d)

  • WLOG, let the ADVERSARY control servers 1 through v-1

  • generate s1, …, s(v-1) randomly

[Diagram: each server i publishes m^si mod n; the combiner multiplies m^s1 * … * m^sv = m^d mod n; the simulator sets m^sv = m^d / (m^s1 * … * m^s(v-1)) mod n.]


Distributed Cryptosystems (Threshold Crypto) Issues:

  • Basic provably secure function sharing [89-90; 94 first provably secure RSA scheme, DDFY]

  • Robust function sharing (assuring completion of the operation even if a subset misbehaves) [96 for RSA, DSA]

  • Distributed key generation [for DLOG 91, RSA 97, 98]

  • Proactive security (protection in the time domain) [OY 91 notion]

  • …



Robust RSA system

  • Can use ZK-proofs (expensive)

  • Use a robustness witness: a signature with the share on a random g, i.e. g^s1, is made public

  • Each server publishes m^s1 mod n and g^s1 mod n, together with a proof of same exponent

[Diagram: servers holding s1, s2, ..., sv each act on m; the combiner checks all proofs and multiplies m^s1 * … * m^sv = m^d mod n.]
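The (v,v) threshold RSA construction, its simulation-style security proof and the robustness check just described, as one added example that is not from the slides. The RSA key (n = 61·53, e = 17, d = 2753), the witness base g = 2 and the SHA-256 challenge are constructed assumptions; the "proof of same exponent" is written as a standard Fiat–Shamir proof of equality of discrete logarithms, which is one way to realise what the slide names, not necessarily the one the cited papers use.

```python
import hashlib
import random

# Constructed toy RSA key (n = 61 * 53); real keys are thousands of bits.
N, E, D = 3233, 17, 2753
V = 3            # number of servers
G = 2            # public base for the robustness witnesses g^{s_i} mod n

def share_d(d=D, v=V, bound=N):
    """(v,v) additive sharing over the integers: s1 + ... + sv = d. Servers must not
    learn phi(n), so the shares are plain integers rather than residues mod phi(n)."""
    shares = [random.randrange(bound) for _ in range(v - 1)]
    shares.append(d - sum(shares))   # may be negative; pow() with a modulus handles that (Python 3.8+)
    return shares

def partial_sign(m, s):
    return pow(m, s, N)              # server i publishes m^{s_i} mod n

def combine(partials):
    """Combiner: m^{s1} * ... * m^{sv} = m^{s1 + ... + sv} = m^d mod n."""
    sig = 1
    for p in partials:
        sig = sig * p % N
    return sig

def simulate(m, signature, v=V, bound=N):
    """The (v,v) security proof as a simulator. Given only (m, m^d) and an adversary that
    controls servers 1..v-1: pick s1..s(v-1) at random exactly as the dealer would, then set
    m^{sv} = m^d / (m^{s1} * ... * m^{s(v-1)}) mod n. The transcript matches a real run."""
    shares = [random.randrange(bound) for _ in range(v - 1)]
    partials = [partial_sign(m, s) for s in shares]
    last = signature * pow(combine(partials), -1, N) % N
    return shares, partials + [last]

def _challenge(*values):
    """Fiat-Shamir challenge (constructed: SHA-256 over the transcript, 64 bits used)."""
    h = hashlib.sha256(",".join(str(v) for v in values).encode()).digest()
    return int.from_bytes(h[:8], "big")

def prove_same_exponent(m, s):
    """Proof that m^{s} and the public witness g^{s} use the same exponent s
    (equality of discrete logs, made non-interactive with a hash challenge)."""
    w = random.randrange(2 ** 128 * N)   # far larger than c*s, so z = w + c*s statistically hides s
    a, b = pow(G, w, N), pow(m, w, N)
    c = _challenge(m, pow(G, s, N), pow(m, s, N), a, b)
    return a, b, w + c * s               # z over the integers: no modulus phi(n) is needed

def verify_same_exponent(m, witness, partial, proof):
    a, b, z = proof
    c = _challenge(m, witness, partial, a, b)
    return (pow(G, z, N) == a * pow(witness, c, N) % N
            and pow(m, z, N) == b * pow(partial, c, N) % N)

def robust_combine(m, witnesses, partials, proofs):
    """Check every proof before multiplying; return (signature, []) or (None, bad server ids)."""
    bad = [i for i, (wt, pt, pf) in enumerate(zip(witnesses, partials, proofs), 1)
           if not verify_same_exponent(m, wt, pt, pf)]
    return (None, bad) if bad else (combine(partials), [])

if __name__ == "__main__":
    m, shares = 65, share_d()
    witnesses = [pow(G, s, N) for s in shares]
    partials = [partial_sign(m, s) for s in shares]
    proofs = [prove_same_exponent(m, s) for s in shares]
    print("robust signature:", robust_combine(m, witnesses, partials, proofs), "expected", pow(m, D, N))
    print("simulated partials:", simulate(m, pow(m, D, N))[1])
```

Because the challenge is bound to the published partial m^{s_i}, a server that sends a partial not matching its witness cannot reuse an old proof, and the combiner names the misbehaving server instead of producing a bad signature.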


Problems with t-out-of-v RSA

  • Cannot interpolate: the inverses in the Lagrange coefficients live in the domain mod Lambda(n), which cannot be revealed without allowing factoring

  • Thus: how to get around interpolation (doing it over the integers, or in another extended domain) was a problem

  • For proactive security: need to refresh keys over an unknown domain (no random zero as in Zq) … to be discussed next



PROACTIVE D-Log based system

  • The parties have s1, s2, s3 with s1 + s2 + s3 = x, the key.

  • To refresh the key, server one has r1,1 + r1,2 + r1,3 = 0 mod q. This is a distributed zero. ADD ZERO PARADIGM

  • It sends r1,1 to server 1, r1,2 to server 2, r1,3 to server 3.

  • Other servers do the same.

  • When they add the distributed zeros:

    -- Any two shares from before are useless; any two shares now are useless.

    -- The value of the key is the same = x mod q.


Proactive RSA v out of v

  • Cannot add “zero”

  • But can split a share: s1 into s1,1, s1,2, s1,3 so that their sum is s1. REDISTRIBUTION PARADIGM

  • Other servers do the same

  • (Shares may grow over time: a statistical imbalance, but likely to grow slowly (random walk analysis).)


Proactive RSA [FGMY1] (principles only)

  • Re-randomize the families:

[Diagram: Family 1 consists of shares s1, s2, s3, s4 that sum up to d. Each share si is re-split into four sub-shares that sum up to si; adding the sub-shares column-wise (+ + + + / = = = =) gives Family 2, whose four new shares again sum up to d. Family 1 thus generates a new family with a new form.]

t out of v from t out of t [FGMY-Cr97]

  • This idea can be extended to allow other threshold access structures based on [B89, F89, AGY]

  • The sum of shares in each family is the secret

[Diagram: several families, each summing up to d, assigned to committees.]

Example: 3 out of 4 sharing

1, 2 3 4

1 2 3, 4
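The committee construction behind "t out of v from t out of t", as an added example that is not from the slides: one t-out-of-t additive family per set of v−t servers that might be absent, dealt to the remaining t servers. The secret 2753, the sub-share bound and the function names are constructed; t here counts the servers needed, as on the "3 out of 4" example above.

```python
import random
from itertools import combinations

def committee_share(secret, t, v, bound=10**6):
    """t-out-of-v from t-out-of-t: for every set B of v-t servers that might be absent,
    deal a fresh t-out-of-t additive sharing of `secret` to the committee of the other t
    servers. Returns {committee: {server: sub-share}} (the 'families')."""
    families = {}
    for absent in combinations(range(1, v + 1), v - t):
        committee = tuple(i for i in range(1, v + 1) if i not in absent)
        subs = [random.randrange(-bound, bound) for _ in range(t - 1)]
        subs.append(secret - sum(subs))           # the sum of each family is the secret
        families[committee] = dict(zip(committee, subs))
    return families

def reconstruct(families, present):
    """Any t present servers are exactly the committee for their absent set, so they hold a
    whole family and add it up; t-1 servers contain no whole committee and get None."""
    present = set(present)
    for committee, subs in families.items():
        if set(committee) <= present:
            return sum(subs.values())
    return None

def storage(families, server):
    """What one server stores: one sub-share for each committee it sits on."""
    return {c: subs[server] for c, subs in families.items() if server in c}

def access_structure_ok(families, secret, t, v):
    """Check the threshold property exhaustively: every group of t reconstructs the secret,
    no group of t-1 holds a complete family."""
    servers = range(1, v + 1)
    return (all(reconstruct(families, g) == secret for g in combinations(servers, t))
            and all(reconstruct(families, g) is None for g in combinations(servers, t - 1)))

if __name__ == "__main__":
    fam = committee_share(2753, 3, 4)           # 3 out of 4: four committees of three servers
    for committee in fam:
        print("committee", committee, "sums to", sum(fam[committee].values()))
    print("server 1 stores", storage(fam, 1))
    print("access structure holds:", access_structure_ok(fam, 2753, 3, 4))
```

The price is storage: a server sits on C(v−1, t−1) committees, which is why the slide presents this as a way to reuse the t-out-of-t (sum) machinery when interpolation mod Lambda(n) is unavailable rather than as a general-purpose scheme.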


Proactive Security - partial history

  • Mobile Adversary for General function sharing [OY91]

  • Proactive Pseudo-random generator [CH94]

  • Proactive Secret Sharing [HJKY95]

  • Proactive Public Key (Discrete Log Systems): [HJJKY96]

  • Proactive Authenticated Communication [CHH97]

  • Optimal Resilience [FGY focs97]

  • Proactive RSA [FGMY97]


Other Issues

  • Distributed key generation (and robust)…

  • Improved efficiency of solutions for threshold, proactive, etc.

  • Note: this spread of risk is possible for a given architecture where one can have a multitude (redundancy)


TYPE OF ADVERSARIES

  • Mobile vs. Static (stationary) vs. Determined at start

  • Non-adaptive: makes decisions based on internal strategy or:

  • Adaptive: makes decisions based on messages in the protocol

  • Most deadly adversary: both dynamic and adaptive.


Conclusions

  • Highly structured number-theoretic/algebraic problems may pose constraints due to security requirements (e.g., calculating mod φ(N)).

  • When combined with a distributed setting, the problem may become even more challenging.

  • Efficiency (practice) + distributed + security constraints ⇒ Need for new algorithms and computational techniques (beyond the ones of the “completeness theorems”).

  • Developed new “robustness” and “computational” methods (of perhaps independent interest).


Conclusions

  • Techniques that distribute trust and avoid single points of security and availability failure are interesting

  • The solutions employ distributed systems (which are usually considered the source of security problems) to achieve better security.

