Distributed cryptosystems

Presentation Transcript



DISTRIBUTED CRYPTOSYSTEMS

Moti Yung


Distributed Trust -- traditionally

  • Secret sharing:

    • Linear sharing over a group (sum sharing) gives n-out-of-n sharing of a secret.

  • Threshold schemes [Shamir, Blakley]: use polynomial interpolation (or a geometric structure) to share so that t-out-of-n holds:

    • Every group of t+1 knows the secret.

    • Every group of up to t learns nothing.

  • We EXTEND sharing of a secret to "SHARING CAPABILITY".


SECRET SHARING [B, Sh]

(Diagram: the key is split into shares s1, s2, …, sv, one per server.)

  • v-out-of-v (additive) sharing: s1 + … + sv = key

  • t-out-of-v polynomial sharing



Polynomial Sharing


Inefficient way: Secure Function Evaluation

  • PART OF A SET OF PROTOCOLS

  • Basic Initial Protocols

    • Coin Flipping [Blum]

    • Oblivious Transfer [Rabin]

    • Mental Poker [SRA]

  • Given any polynomial-size circuit, compute it so that only the result becomes known [Yao, GMW, …].


Secure Distributed Computing: [Yao, GMW]

(Diagram: the parties' secret inputs feed a general function P, which outputs P(Input).)

General function compilers:

1) are merely plausibility results;

2) gross inefficiency: communication complexity linear in the function's circuit size.


Efficient Distributed Function Application

Function Sharing: [Boyd, CH, DF, F, DDFY]

(Diagram: the key is split into shares s1, s2, …, sv; the servers jointly apply Pkey to Input and output Pkey(Input).)

  • Robust: poly-time availability for any misbehaving minority t

  • t+1 can compute Pkey(Input)

  • t cannot

  • No entity learns the key after the function application


Proof of security

Given a regular system (RSA, say), we say:

The distributed (threshold) system is secure if, given the input/output relationships from the centralized system, we can "simulate" the distributed protocol which is used to generate the final output (signature, decrypted value, etc.).


El Gamal Distributed Decryption

  • p = 2q + 1 (exponents in Zq)

  • g a generator of order q

  • Private key x, public key y = g^x (mod p)

  • x = s1 + s2 + s3 (mod q).

  • Each server i has si, i = 1, …, 3

  • ElGamal:

    • Public key: p, q, y = g^x; Secret: x

    • To encrypt M, choose a random r and send <g^r, y^r * M> = <A, B>

    • To decrypt:


To Decrypt

  • Input A, B

  • Each server computes: A^s1, A^s2, A^s3.

  • Combiner multiplies A^s1 * A^s2 * A^s3 = A^(s1+s2+s3) = A^x = (g^r)^x = (g^x)^r = y^r

  • B / y^r = (y^r * M) / y^r = M (decrypted message)

    To have a 2-out-of-3: every share is a point on a polynomial; before acting, each server multiplies its share by its Lagrange coefficient (which depends on who the other party is), and this linearizes the problem (as above). This is possible because Zq is a field (so computing the Lagrange coefficients is fine).
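As an added worked example (not code from the slides), the three-server decryption above in Python, with both the 3-out-of-3 additive sharing and the 2-out-of-3 variant where each active server scales its polynomial share by its Lagrange coefficient first; the group p = 2039, q = 1019 and g are constructed toy parameters.

```python
import math
import secrets

# Constructed toy group for this example: p = 2q + 1 with q prime and
# g a quadratic residue, hence of order q (sizes are for illustration only).
q = 1019
p = 2 * q + 1
g = pow(2, 2, p)

def keygen():
    """Private key x in Z_q, public key y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def encrypt(y, m):
    """ElGamal: pick random r, send <A, B> = <g^r, y^r * m>."""
    r = secrets.randbelow(q - 1) + 1
    return pow(g, r, p), pow(y, r, p) * m % p

def additive_shares(x, n):
    """n-out-of-n sharing over Z_q: s1 + ... + sn = x (mod q)."""
    s = [secrets.randbelow(q) for _ in range(n - 1)]
    return s + [(x - sum(s)) % q]

def shamir_shares(x, t, n):
    """t-out-of-n sharing: server i gets f(i) for a random degree t-1 polynomial with f(0) = x."""
    coeffs = [x] + [secrets.randbelow(q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, q) for k, c in enumerate(coeffs)) % q for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    """Coefficient lambda_i with sum_i lambda_i * f(i) = f(0); the inverses exist because Z_q is a field."""
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * (-j) % q, den * (i - j) % q
    return num * pow(den, -1, q) % q

def combine(A, B, partials):
    """Combiner: multiply the partials A^{s_i} into y^r, then recover M = B / y^r."""
    yr = math.prod(partials) % p
    return B * pow(yr, -1, p) % p

def decrypt_3_of_3(shares, A, B):
    return combine(A, B, [pow(A, s, p) for s in shares])

def decrypt_2_of_3(shares, ids, A, B):
    # each active server first multiplies its share by its Lagrange coefficient,
    # which turns the two polynomial shares into an additive sharing of x
    return combine(A, B, [pow(A, lagrange_at_zero(i, ids) * shares[i] % q, p) for i in ids])
```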


(t,v) threshold RSA

(Diagram: centralized signer P computes Pkey(m) = m^d mod n with key = (d, n).)

Transformed to:

(Diagram: the key is split into shares s1, s2, …, sv; the servers' partial results on m are multiplied (*) to give Pkey(m) = m^d mod n.)

  • Any t+1 out of v can sign m

  • Non-interactively or in a few rounds


(v,v) threshold RSA -- security proof outline

(Diagram: centralized signer P computes Pkey(m) = m^d mod n with key = (d, n).)

Transformed to: s1 + s2 + … + sv = d

(Diagram: shares s1, s2, …, sv; the partial results on m are multiplied (*) to give Pkey(m) = m^d mod n.)

  • Any v-1 are known to the adversary


Proof of security

  • Simulation argument with input: (m, m^d)

  • WLOG, let the ADVERSARY control servers 1 through v-1

  • Generate s1, …, sv-1 randomly

(Diagram: server 1 outputs m^s1 mod n, and so on; the partials are multiplied (*) so that m^s1 ⋯ m^sv = m^d mod n; the simulator sets m^sv = m^d / (m^s1 ⋯ m^sv-1) mod n.)
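An added Python example (not the authors' code) of the (v,v) scheme and the simulation argument above: the simulator gets only the centralized pair (m, m^d), picks the v-1 corrupted shares at random and derives the honest server's partial by division, never touching d. The toy RSA key is constructed for illustration.

```python
import math
import secrets

# Constructed toy RSA key for this example (tiny primes; illustration only).
P_, Q_ = 1009, 1013
N = P_ * Q_
LAMBDA = (P_ - 1) * (Q_ - 1) // math.gcd(P_ - 1, Q_ - 1)   # exponents reduce mod lambda(n)
E = 65537
D = pow(E, -1, LAMBDA)

def share_d(d, v):
    """(v,v) additive sharing of the signing exponent: s1 + ... + sv = d (mod lambda(n))."""
    s = [secrets.randbelow(LAMBDA) for _ in range(v - 1)]
    return s + [(d - sum(s)) % LAMBDA]

def partial_sign(m, s):
    """Server i's partial signature m^{s_i} mod n."""
    return pow(m, s, N)

def combine(partials):
    """Combiner multiplies the partials: m^{s1} * ... * m^{sv} = m^d mod n."""
    return math.prod(partials) % N

def verify(m, sig):
    return pow(sig, E, N) == m % N

def simulate_transcript(m, sig, v):
    """Simulator from the proof: knows only (m, m^d), chooses the v-1 corrupted
    shares at random and computes the last partial as
    m^{s_v} = m^d / (m^{s1} ... m^{s_{v-1}}) mod n, without knowing d or s_v."""
    corrupt = [secrets.randbelow(LAMBDA) for _ in range(v - 1)]
    seen = [partial_sign(m, s) for s in corrupt]
    last = sig * pow(combine(seen), -1, N) % N
    return corrupt, seen + [last]
```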


Distributed Cryptosystems (Threshold Crypto) Issues:

  • Basic provably secure function sharing [89-90; 94: first provably secure RSA scheme, DDFY]

  • Robust function sharing (assuring completion of the operation even if a subset misbehaves) [96 for RSA, DSA]

  • Distributed key generation [for DLOG 91, RSA 97, 98]

  • Proactive security (protection in the time domain) [OY 91 notion]

  • …


Proactive Public Key [HJJKY]

(Diagram: timeline of refresh periods, May, June, July.)


Robust RSA system

  • Can use ZK-proofs (expensive)

  • Use robustness: witness signature on a random g with the share: g^s1 is made public

  • Server 1 sends m^s1 mod n, g^s1 mod n and a proof of same exponent

  • Combiner: check all proofs and m^s1 * … * m^sv = m^d mod n

(Diagram: shares s1, s2, …, sv; the checked partial results on m are multiplied (*).)


Problems with t-out-of-v RSA

  • Cannot interpolate: the inverses needed for the Lagrange coefficients live in the domain mod lambda(n), which cannot be exposed without allowing factoring

  • Thus, how to get around interpolation (doing it over the integers, or in another extended domain) was a problem

  • For proactive: need to refresh keys over an unknown domain (no random zero as in Zq) … to be discussed next


Proactive Public Key [HJJKY]

(Diagram: timeline of refresh periods, May, June, July.)


PROACTIVE D-Log based system

  • The parties have s1, s2, s3 with s1 + s2 + s3 = x, the key.

  • To refresh the key, server one picks r1,1 + r1,2 + r1,3 = 0 mod q. This is a distributed zero. ADD ZERO PARADIGM

  • It sends r1,1 to server 1, r1,2 to server 2, r1,3 to server 3.

  • Other servers do the same.

  • When they add the distributed zeros:

    -- Any two keys from before are useless; any two keys now are useless.

    -- The value of the key is the same = x mod q.


Proactive RSA v out of v

  • Cannot add "zero"

  • But can split the share: s1 into s1,1, s1,2, s1,3 so that their sum is s1. REDISTRIBUTION PARADIGM

  • Other servers do the same

  • Shares may grow over time (statistical imbalance), but are likely to grow slowly (random walk analysis).
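An added Python example (not from the slides) covering both the add-zero refresh of the D-log slide and the redistribution refresh of this slide; the three-server setting, q = 1019 and the share values are constructed for illustration.

```python
import secrets

# Constructed example of the two refresh paradigms for additive shares
# (toy sizes, illustration only): each server acts as a dealer in turn.

def refresh_add_zero(shares, q):
    """ADD ZERO PARADIGM (discrete-log setting, shares in Z_q).
    Dealer i picks r_i1 + r_i2 + r_i3 = 0 (mod q) and sends r_ij to server j;
    server j's new share is its old share plus everything it received."""
    n = len(shares)
    zeros = []
    for _ in range(n):
        r = [secrets.randbelow(q) for _ in range(n - 1)]
        zeros.append(r + [(-sum(r)) % q])          # completes a distributed zero
    return [(shares[j] + sum(z[j] for z in zeros)) % q for j in range(n)]

def refresh_redistribute(shares):
    """REDISTRIBUTION PARADIGM (RSA setting: lambda(n) is unknown, so shares are
    plain integers and no random zero can be formed). Server i splits s_i into
    s_i1 + s_i2 + s_i3 = s_i over the integers and sends s_ij to server j;
    the new share of server j is the sum of the sub-shares it received."""
    n = len(shares)
    bound = max(abs(s) for s in shares) + 1
    splits = []
    for s in shares:
        sub = [secrets.randbelow(2 * bound) - bound for _ in range(n - 1)]
        splits.append(sub + [s - sum(sub)])        # sub-shares sum to the old share
    return [sum(sp[j] for sp in splits) for j in range(n)]

def reconstruct(shares, q=None):
    """Sum of the shares: x mod q in the d-log case, d over the integers for RSA."""
    total = sum(shares)
    return total % q if q is not None else total

def share_bits(shares):
    """Largest share magnitude in bits, to watch the slow growth the slide mentions."""
    return max(abs(s) for s in shares).bit_length()
```

Calling refresh_redistribute repeatedly and printing share_bits after each round shows the growth in share size that the add-zero paradigm avoids.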


Proactive RSA [FGMY1] (principles only)

  • Re-randomize the families:

(Diagram, built up over several slides: Family 1 consists of shares s1, s2, s3, s4 that sum up to d. Each of s1, s2, s3, s4 is split into a row of sub-shares that sum up to that share; adding the rows column-wise (+ + + +) gives a new set of shares (= = = =) that also sum up to d: Family 2.)

Family 1 generates a new family with a new form: the new Family.


t-out-of-v from t-out-of-t [FGMY-Cr97]

  • This idea can be extended to allow other threshold access structures based on [B89, F89, AGY]

  • The sum of shares in each family is the secret

(Diagram: several families, each summing up to d, held by committees.)

Example: 3-out-of-4 sharing (diagram of committees over servers 1, 2, 3, 4).



Proactive Security - partial history

  • Mobile Adversary for General function sharing [OY91]

  • Proactive Pseudo-random generator [CH94]

  • Proactive Secret Sharing [HJKY95]

  • Proactive Public Key (Discrete Log Systems): [HJJKY96]

  • Proactive Authenticated Communication [CHH97]

  • Optimal Resilience [FGY focs97]

  • Proactive RSA [FGMY97]


Other Issues

  • Distributed key generation (and robust)…

  • Improved efficiency of solutions for threshold, proactive, etc.

  • Note: this spread of risk is possible for a given architecture where one can have a multitude of servers (redundancy)


TYPE OF ADVERSARIES

  • Mobile vs. static (stationary) vs. determined at start

  • Non-adaptive: makes decisions based on an internal strategy, or:

  • Adaptive: makes decisions based on messages in the protocol

  • Most deadly adversary: both dynamic and adaptive.


Conclusions

  • Highly structured number-theoretic/algebraic problems may pose constraints due to security requirements (e.g., calculating mod φ(N)).

  • When combined with a distributed setting, the problem may become even more challenging.

  • Efficiency (practice) + distributed + security constraints ⇒ need for new algorithms and computational techniques (beyond those of the "completeness theorems").

  • Developed new "robustness" and "computational" methods (of perhaps independent interest).


Conclusions (continued)

  • Techniques that distribute trust and avoid single points of security and availability failure are interesting

  • The solutions employ distributed systems (which are usually considered the source of security problems) to achieve better security.

