- 57 Views
- Uploaded on
- Presentation posted in: General

DISTRIBUTED CRYPTOSYSTEMS

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

DISTRIBUTED CRYPTOSYSTEMS

Moti Yung

- Secret sharing:
- Linear sharing over a group (Sum sharing) gives n out of n sharing of a secret.

- Threshold schemes [Shamir, Blakely]: use polynomial interpolation (or a geometric structure) to share so that t-out-of-n
- Every group of t+1 know the secret
- Every group of up to t does not know anything

- We EXTEND sharing of a secret to “SAHRING CAPABILITY”

[B, Sh]

s1

key

s2

.

- v out of v (additive) sharing: s1 + … + sv = key
- t out of v polynomial sharing

.

.

sv

- PART OF A SET OF PROTOCOLS
- Basic Initial Protocols
- Coin Flipping [Blum]
- Oblivious Transfer [Rabin]
- Mental Poker [SRA]

- Given any polynomial circuit compute it with secret output so that only result is known [Yao, GMW,…]..

Secure Distributed Computing: [Yao, GMW]

P (Input)

Secret

Inputs

General function

compilers:

1) are merely plausibility results

2) gross inefficiency:

communication complexity linear in function’s circuit size

Efficient Distributed Function Application

Function Sharing: [Boyd, CH,DF, F, DDFY]

s1

s2

.

Pkey(Input)

Input

.

.

sv

Robust: poly time

availability

for any misbehaving

minority t

t+1 can compute Pkey(Input)

t can not

no entity learns key after

function application

Given a regular system (RSA, say) then we say:

The distributed (threshold) system is secure if given the input/output relationships from the centralized system, we can “simulate” the distributed protocol which is used to generate the final output (signature or decrypted value.. ..etc.)

- P=2q+1 (exponents in Zq)
- g a generator of order q
- Private key x, public key y= g^x (mod p)
- X=s1+s2+s3 (mod q).
- Each server I has si I=1,..,3
- ElGamal:
- Public Key: p.q. y=g^x Secret:x
- To encrypt M choose a random r and send <g^r, y^r * M>= <A,B> which is sent
- To decrypt:

- Input A,B
- Each server computes: A^S1, A^S2, A^s3.
- Combiner multiply A^s1*A^s2*A^s3= A^(s1+s2+s3) = A^x = (g^r)^x =(g^x)^r=y^r
- B/ y^r =( y^r * M/y^r)= M (decrypted message)
To have a 2-out-of-3: every share will be a point on a polynomial, before acting the lagrangian coefficient will multiply the share (depending who the other party is) and this linearizes the problem (as above). Possible Zq is a field (so computing Lagrange is ok in a field).

(t,v) threshold RSA

P

m

P key(m) = m d mod n

key =( d, n )

Transformed to

s1

s2

m

*

P key(m) = m d mod n

.

.

sv

Any t+1 out of v can sign m

Non-interactively or a few rounds

(v,v) threshold RSA– security proof outline

P

m

P key(m) = m d mod n

key =( d, n )

Transformed to: S1+S2+…Sv=d

s1

s2

m

*

P key(m) = m d mod n

.

.

sv

Any v-1 are known to adversary

.

.

.

.

.

.

Proof of security

- Simulation Argument with input: ( m , m d )
- WLOG, let ADVERSARY control server 1 through v-1
- generate s1 , … ,sv-1 randomly

s1

m s1mod n

s2

m

*

m s1m sv= m d mod n

.

.

sv

m sv=m d / (m s1 m sv-1)mod n

- Basic provably secure function sharing [89-90, 94 first RSA provably secure scheme DDFY]
- Robust Function sharing (assuring completion of operation even if subset misbehave) [96 for RSA DSA]
- Distributed key generation [for DLOG 91, RSA 97.98]
- Proactive security (protection in the time domain) [OY 91 notion]
- ………

Proactive Public Key [HJJKY]

May

July

June

.

.

.

Robust RSA system

- Can use ZK-proofs (expensive)
- Use robustness: witness signature on a random g with the share g s1make it public

m s1mod n, g s1mod n

and proof of same exponent

s1

s2

m

*

Check all proofs and

m s1 * … *m sv= m d mod n

.

.

sv

- Cannot interpolate (inverses in Lagrangian in the domain (mod Lambda(n) while nnot allowing to factor
- Thus– how to go around Interpolation (doing it over the Integers etc. or in another extended domain was a problem
- For proactive: need to refresh keys over unknown domain (no random zero as in Zq) … to be discussed next

Proactive Public Key [HJJKY]

May

July

June

- The parties have s1, s2 s3, s1+s2+s3=x key.
- To refresh key server one has
- R1,1+ r1,2+r1,3 = 0 mod q. This is a distributed zero. ADD ZERO PARADIGM
- R11 to server 1, R1,2 to server 2, R1,3 to server 3.
- Other servers do the same.
- When they add the distributed zeros:
-- Any two keys from before are useless any two keys now are useless.

-- The value of the key is the same = x mod q.

- Cannot add “zero”
- But can split share: S1 s1,1, s1,2 s,3 so that their sum is s1. REDISTRIBUTION PARADIGM
- Other servers do the same
- (Share may grow over time (statistical imbalance but likely to grow slowly (random walk analysis).

Proactive RSA [FGMY1] (principles only)

- Re-randomize the families:

s1

s2

s3

s4

sum up tod

Family 1

sum up to share s1

Continued

s1

s2

s3

s4

sum up tod

Family 1

sum up to share s1

sum up to share s2

Continued

s1

s2

s3

s4

sum up tod

Family 1

sum up to share s1

+ + + +

sum up to share s2

+ + + +

sum up to share s3

+ + + +

sum up to share s4

= = = =

sum up tod

Family 2

Family 1

Generates new family with new form

new Family

t out of vfromt out of t [FGMY-Cr97]

- This idea can be extended to allow other threshold access structures based on [B89, F89, AGY]
- The sum of shares in each family is the secret

sum up tod

sum up tod

sum up tod

Committees

Example:

3 out of 4 sharing

1, 2 3 4

1 2 3, 4

Proactive Security - partial history

- Mobile Adversary for General function sharing [OY91]
- Proactive Pseudo-random generator [CH94]
- Proactive Secret Sharing [HJKY95]
- Proactive Public Key (Discrete Log Systems): [HJJKY96]
- Proactive Authenticated Communication [CHH97]
- Optimal Resilience [FGY focs97]
- Proactive RSA [FGMY97]

- Distributed Key generation (and Robust)…
- Improved efficiency of solutions for threshold for proactive etc.
- Note: this spread of risk is possible for a given architecture where I can have multitude (redundancy)

- Mobile vs. Static (stationary) vs. Determined at start
- Non-adaptive: makes decisions based on internal strategy or:
- Adaptive: makes decisions based on messages in the protocol
- Most deadly adversary: both dynamic and adaptive.

- Highly structured number-theoretic/algebraic problems may pose constraints due to security requirements (e.g., calculating mod f (N) ).
- When combined with a distributed setting, the problem may become even more challenging.
- Efficiency (practice) + distributed + security constraints Þ Need for new algorithms and computational techniques (beyond the ones of the “completeness theorems”).
- Developed new “robustness” and “computational” methods (of perhaps independent interest).

- Techniques that distribute trust and avoid single point of security and availability failures are interesting
- The solutions employ distributed system (that usually are considered the source of security problems) to achieve better security.