Distributed cryptosystems
DISTRIBUTED CRYPTOSYSTEMS - PowerPoint PPT Presentation


DISTRIBUTED CRYPTOSYSTEMS

Moti Yung


Distributed Trust-- traditionally

  • Secret sharing:

    • Linear sharing over a group (Sum sharing) gives n out of n sharing of a secret.

  • Threshold schemes [Shamir, Blakley]: use polynomial interpolation (or a geometric structure) to share a secret t-out-of-n, so that

    • Every group of t+1 servers knows the secret

    • Every group of up to t servers learns nothing

  • We EXTEND sharing of a secret to “SHARING A CAPABILITY”


SECRET SHARING [B, Sh]

[Diagram: the key is split into shares s1, s2, …, sv]

  • v out of v (additive) sharing: s1 + … + sv = key

  • t out of v polynomial sharing


Polynomial Sharing


Inefficient way: Secure Function Evaluation

  • PART OF A SET OF PROTOCOLS

  • Basic Initial Protocols

    • Coin Flipping [Blum]

    • Oblivious Transfer [Rabin]

    • Mental Poker [SRA]

  • Given any polynomial circuit, compute it with secret output so that only the result is known [Yao, GMW, …].


Secure Distributed Computing: [Yao, GMW]

[Diagram: secret inputs from the parties feed a general function P(Input)]

General function compilers:

1) are merely plausibility results

2) have gross inefficiency: communication complexity linear in the function’s circuit size


Efficient Distributed Function Application

Function Sharing: [Boyd, CH, DF, F, DDFY]

[Diagram: servers holding shares s1, s2, …, sv each act on Input; the partial results are combined into Pkey(Input)]

  • Robust: poly-time availability for any misbehaving minority t

  • t+1 can compute Pkey(Input); t cannot

  • No entity learns key after the function application


Proof of security

Given a regular (centralized) system (RSA, say), we say:

The distributed (threshold) system is secure if, given only the input/output relationship of the centralized system, we can “simulate” the distributed protocol that is used to generate the final output (signature, decrypted value, etc.).


El Gamal Distributed Decryption

  • p = 2q+1 (exponents in Zq)

  • g a generator of order q

  • Private key x, public key y = g^x (mod p)

  • x = s1 + s2 + s3 (mod q)

  • Each server i has si, i = 1, …, 3

  • ElGamal:

    • Public key: p, q, y = g^x. Secret: x

    • To encrypt M, choose a random r and send <g^r, y^r * M> = <A, B>

    • To decrypt:


To Decrypt

  • Input A, B

  • Each server computes A^s1, A^s2, A^s3

  • Combiner multiplies: A^s1 * A^s2 * A^s3 = A^(s1+s2+s3) = A^x = (g^r)^x = (g^x)^r = y^r

  • B / y^r = (y^r * M) / y^r = M (decrypted message)

    To have a 2-out-of-3 scheme: every share is a point on a polynomial; before acting, each server multiplies its share by the Lagrange coefficient (which depends on who the other participating party is), and this linearizes the problem as above. This is possible because Zq is a field (so computing Lagrange coefficients is fine in a field).
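The two decryption variants above, 3-out-of-3 additive and 2-out-of-3 via Lagrange coefficients, as an added worked example in Python (this code is not from the slides; the toy group p = 23, q = 11, g = 4 and all function names are constructed for illustration and are far too small to be secure). The point to observe is that every server only ever raises A to its own share, the share never leaves the server, and the combiner recovers y^r without learning x:

```python
import secrets

# Constructed toy parameters, far too small to be secure: p = 2q + 1 with q prime,
# and g = 4 has order q in Z_p^* (4 is a quadratic residue mod 23).
q = 11
p = 2 * q + 1
g = 4


def keygen():
    """Private key x in Z_q, public key y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def encrypt(y, M):
    """ElGamal: pick random r, send <A, B> = <g^r, y^r * M>."""
    r = secrets.randbelow(q - 1) + 1
    return pow(g, r, p), (pow(y, r, p) * M) % p


def additive_shares(x, n):
    """n-out-of-n sharing of x over Z_q: s_1 + ... + s_n = x (mod q)."""
    shares = [secrets.randbelow(q) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % q)
    return shares


def shamir_shares(x, degree, n):
    """(degree+1)-out-of-n sharing: s_i = f(i) for a random polynomial f with f(0) = x."""
    coeffs = [x] + [secrets.randbelow(q) for _ in range(degree)]
    return {i: sum(c * pow(i, k, q) for k, c in enumerate(coeffs)) % q
            for i in range(1, n + 1)}


def partial_decrypt(A, share):
    """Each server raises A to its own share; the share itself never leaves the server."""
    return pow(A, share, p)


def lagrange_at_zero(i, participants):
    """Lagrange coefficient lambda_i so that sum(lambda_i * f(i)) = f(0); Z_q is a field."""
    num, den = 1, 1
    for j in participants:
        if j != i:
            num = num * j % q
            den = den * (j - i) % q
    return num * pow(den, -1, q) % q


def combine_additive(B, partials):
    """Combiner: prod A^{s_i} = A^x = y^r, then M = B / y^r."""
    y_r = 1
    for part in partials:
        y_r = y_r * part % p
    return B * pow(y_r, -1, p) % p


def combine_threshold(B, partials):
    """Combiner for the polynomial case: partials maps server index i -> A^{s_i}.
    Raising each partial to lambda_i linearizes the problem as in the additive case."""
    participants = list(partials)
    y_r = 1
    for i, part in partials.items():
        y_r = y_r * pow(part, lagrange_at_zero(i, participants), p) % p
    return B * pow(y_r, -1, p) % p


def demo(M=7):
    """Run both variants end to end; returns (3-of-3 result, 2-of-3 result)."""
    x, y = keygen()
    A, B = encrypt(y, M)
    add = combine_additive(B, [partial_decrypt(A, s) for s in additive_shares(x, 3)])
    sh = shamir_shares(x, 1, 3)
    thr = combine_threshold(B, {1: partial_decrypt(A, sh[1]), 3: partial_decrypt(A, sh[3])})
    return add, thr
```

Because A = g^r has order q, exponents can be reduced mod q, which is why the Lagrange coefficients computed in the field Zq can be applied directly to the partials A^si.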


(t,v) threshold RSA

[Diagram: centralized signer P with key = (d, n) computes Pkey(m) = m^d mod n]

Transformed to

[Diagram: servers holding s1, s2, …, sv each act on m; the partial results are multiplied to give Pkey(m) = m^d mod n]

Any t+1 out of v can sign m

Non-interactively or in a few rounds


(v,v) threshold RSA – security proof outline

[Diagram: centralized signer P with key = (d, n) computes Pkey(m) = m^d mod n]

Transformed to: s1 + s2 + … + sv = d

[Diagram: servers holding s1, s2, …, sv each act on m; the partial results are multiplied to give Pkey(m) = m^d mod n]

Any v-1 shares are known to the adversary

Proof of security

  • Simulation argument with input (m, m^d)

  • WLOG, let the ADVERSARY control servers 1 through v-1

  • Generate s1, …, s(v-1) randomly

[Diagram: servers 1..v-1 output m^s1 mod n, …, m^s(v-1) mod n; the partials are multiplied to give m^s1 * … * m^sv = m^d mod n]

  • The remaining partial is set to m^sv = m^d / (m^s1 * … * m^s(v-1)) mod n
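The simulation argument above, as an added worked example in Python (not from the slides). The dealer, the servers and the simulator are constructed here for illustration; the RSA key n = 61 · 53, e = 17, d = 2753 is the usual textbook toy key and is not secure. The simulator is given only the pair (m, m^d) and never sees d, yet it produces a transcript of partial signatures with exactly the distribution of the real run:

```python
import secrets

# Constructed toy RSA key (textbook example, NOT a secure size): n = 61 * 53.
N = 3233
E = 17
D = 2753


def deal_shares(d, v):
    """Dealer: v-out-of-v additive sharing of d over the integers, s_1 + ... + s_v = d.
    The last share absorbs the difference and may be negative."""
    shares = [secrets.randbelow(N) for _ in range(v - 1)]
    shares.append(d - sum(shares))
    return shares


def partial_signature(m, share):
    """Server i outputs m^{s_i} mod n. For a negative share Python computes the
    modular inverse of m^{|s_i|}, which exists whenever gcd(m, n) = 1."""
    return pow(m, share, N)


def combine(partials):
    """Combiner multiplies the partials: m^{s_1} * ... * m^{s_v} = m^d mod n."""
    sig = 1
    for part in partials:
        sig = sig * part % N
    return sig


def verify(m, sig):
    """Ordinary RSA verification against the public exponent."""
    return pow(sig, E, N) == m % N


def real_transcript(m, shares):
    """What the adversary sees in the real run: every server's partial signature."""
    return [partial_signature(m, s) for s in shares]


def simulated_transcript(m, signature, v):
    """Simulator: knows only (m, m^d). It picks the v-1 corrupted servers' shares
    itself, computes their partials honestly, and solves for the honest server's
    partial as m^{s_v} = m^d / (m^{s_1} * ... * m^{s_{v-1}}) mod n.
    Returns the chosen shares and the full list of v partials."""
    shares = [secrets.randbelow(N) for _ in range(v - 1)]
    partials = [partial_signature(m, s) for s in shares]
    last = signature * pow(combine(partials), -1, N) % N
    return shares, partials + [last]
```

In the real run the adversary holds v-1 shares and sees all v partials; in the simulation the same v-1 shares are chosen uniformly and the last partial is forced by the signature, so the two views are identically distributed and the partials leak nothing beyond what m^d already gives.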


Distributed Cryptosystems (Threshold Crypto) Issues:

  • Basic provably secure function sharing [89-90; 94: first provably secure RSA scheme, DDFY]

  • Robust function sharing (assuring completion of the operation even if a subset misbehaves) [96 for RSA, DSA]

  • Distributed key generation [for DLOG 91, RSA 97, 98]

  • Proactive security (protection in the time domain) [OY 91 notion]

  • …


Proactive Public Key [HJJKY]

[Diagram: timeline of periods May, June, July]

Robust RSA system

  • Can use ZK-proofs (expensive)

  • For robustness, use a witness: a signature on a random g with the share, g^s1, is made public

  • Server 1 publishes m^s1 mod n and g^s1 mod n, together with a proof of the same exponent

[Diagram: servers holding s1, s2, …, sv each act on m; the combiner multiplies the partial results]

  • Check all proofs and m^s1 * … * m^sv = m^d mod n


Problems with t-out-of-v RSA

  • Cannot interpolate: the inverses in the Lagrange coefficients live in the domain mod Lambda(n), while n must not allow factoring

  • Thus: how to get around interpolation (doing it over the integers, or in another extended domain) was a problem

  • For proactive security: need to refresh keys over an unknown domain (no random zero as in Zq) … to be discussed next



PROACTIVE D-Log based system

  • The parties have s1, s2, s3 with s1 + s2 + s3 = x, the key.

  • To refresh the key, server 1 picks r1,1 + r1,2 + r1,3 = 0 mod q. This is a distributed zero. ADD ZERO PARADIGM

  • r1,1 goes to server 1, r1,2 to server 2, r1,3 to server 3.

  • Other servers do the same.

  • When they add the distributed zeros:

    -- Any two shares from before are useless, and any two shares from now are useless.

    -- The value of the key is the same = x mod q.


Proactive RSA v out of v

  • Cannot add “zero”

  • But can split the share: s1 into s1,1, s1,2, s1,3 so that their sum is s1. REDISTRIBUTION PARADIGM

  • Other servers do the same

  • (Shares may grow over time: a statistical imbalance, but likely to grow slowly (random walk analysis).)
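Both refresh paradigms, the ADD ZERO paradigm of the discrete-log slide and the REDISTRIBUTION paradigm of this RSA slide, as one added worked example in Python (not from the slides; the group order Q = 101, the sub-share bound BOUND and the function names are constructed for illustration). It shows why the two differ: with a known order q the servers can add a fresh sharing of zero, while with an unknown order they instead re-split and re-sum their shares over the integers, which keeps the total equal to d but lets the share sizes drift:

```python
import secrets

# Constructed toy parameters (NOT secure sizes).
Q = 101          # prime order of the discrete-log group: shares live in Z_q
BOUND = 10**6    # range for the random RSA sub-shares, chosen over the integers


def add_zero_refresh(shares):
    """ADD ZERO PARADIGM (discrete-log setting, known order q).
    Server i deals r_{i,1} + ... + r_{i,n} = 0 mod q and sends r_{i,j} to server j.
    Every server adds what it received; the sum of shares stays x mod q."""
    n = len(shares)
    new = list(shares)
    for i in range(n):
        r = [secrets.randbelow(Q) for _ in range(n - 1)]
        r.append((-sum(r)) % Q)               # the distributed zero
        for j in range(n):
            new[j] = (new[j] + r[j]) % Q      # server j adds r_{i,j}
    return new


def redistribution_refresh(shares):
    """REDISTRIBUTION PARADIGM (RSA setting, unknown order, so no zero to add).
    Server i splits s_i into sub-shares s_{i,1} + ... + s_{i,n} = s_i over the
    integers and sends s_{i,j} to server j; server j's new share is the sum of
    what it received. The total still equals d, but shares are no longer bounded."""
    n = len(shares)
    new = [0] * n
    for s in shares:
        sub = [secrets.randbelow(BOUND) for _ in range(n - 1)]
        sub.append(s - sum(sub))              # last sub-share may be negative
        for j in range(n):
            new[j] += sub[j]
    return new


def run_rounds(shares, refresh, rounds):
    """Apply a refresh function once per time period; returns the final shares."""
    for _ in range(rounds):
        shares = refresh(shares)
    return shares
```

After either refresh an adversary holding old shares of some servers and new shares of others has a set of values that no longer sums to anything meaningful, which is the proactive property; the invariant a practitioner should check after every period is that the sum of the current shares still equals the key.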


Proactive RSA [FGMY1] (principles only)

  • Re-randomize the families:

[Diagram: Family 1 consists of shares s1, s2, s3, s4 that sum up to d]

Continued

[Diagram: each share of Family 1 is split into sub-shares; the sub-shares in one row sum up to share s1, the next row to share s2, and so on]

Continued

[Diagram: the rows of sub-shares (summing to s1, s2, s3, s4) are added column-wise; the column sums form Family 2, which again sums up to d]

Family 1 generates a new family with a new form: the new Family


t out of v from t out of t [FGMY-Cr97]

  • This idea can be extended to allow other threshold access structures based on [B89, F89, AGY]

  • The sum of shares in each family is the secret

[Diagram: several families (committees), each summing up to d]

Committees example: 3 out of 4 sharing

  1, 2 3 4

  1 2 3, 4


Proactive Security - partial history

  • Mobile Adversary for General function sharing [OY91]

  • Proactive Pseudo-random generator [CH94]

  • Proactive Secret Sharing [HJKY95]

  • Proactive Public Key (Discrete Log Systems): [HJJKY96]

  • Proactive Authenticated Communication [CHH97]

  • Optimal Resilience [FGY focs97]

  • Proactive RSA [FGMY97]


Other Issues

  • Distributed Key generation (and Robust)…

  • Improved efficiency of solutions for threshold for proactive etc.

  • Note: this spread of risk is possible only for an architecture where one can have a multitude of servers (redundancy)


TYPE OF ADVERSARIES

  • Mobile vs. Static (stationary) vs. Determined at start

  • Non-adaptive: makes decisions based on an internal strategy; or

  • Adaptive: makes decisions based on the messages in the protocol

  • Most deadly adversary: both dynamic and adaptive.


Conclusions

  • Highly structured number-theoretic/algebraic problems may pose constraints due to security requirements (e.g., calculating mod φ(N)).

  • When combined with a distributed setting, the problem may become even more challenging.

  • Efficiency (practice) + distributed + security constraints ⇒ need for new algorithms and computational techniques (beyond the ones of the “completeness theorems”).

  • Developed new “robustness” and “computational” methods (of perhaps independent interest).


Conclusions

  • Techniques that distribute trust and avoid single point of security and availability failures are interesting

  • The solutions employ distributed systems (which are usually considered the source of security problems) to achieve better security.

