# DISTRIBUTED CRYPTOSYSTEMS - PowerPoint PPT Presentation


## DISTRIBUTED CRYPTOSYSTEMS

Moti Yung

### Distributed Trust -- traditionally

• Secret sharing:

• Linear sharing over a group (sum sharing) gives n-out-of-n sharing of a secret.

• Threshold schemes [Shamir, Blakley]: use polynomial interpolation (or a geometric structure) to share so that, for a threshold t:

• every group of t+1 parties knows the secret;

• every group of up to t parties learns nothing about it.

• We EXTEND sharing of a secret to "SHARING A CAPABILITY" (the ability to apply the secret key, without ever reassembling it).

### SECRET SHARING

[Blakley, Shamir]

[Figure: the key is split into shares s1, s2, …, sv, one per server]

• v out of v (additive) sharing: s1 + … + sv = key

• t out of v polynomial sharing

### Inefficient way: Secure Function Evaluation

• Part of a set of protocols

• Basic initial protocols:

• Coin flipping [Blum]

• Oblivious transfer [Rabin]

• Mental poker [SRA]

• Given any polynomial-size circuit, compute it on secret inputs so that only the result becomes known [Yao, GMW, …].

### Secure Distributed Computing: [Yao, GMW]

[Figure: parties feed secret inputs into a general protocol and learn only P(Input)]

General function compilers:

1) are merely plausibility results

2) are grossly inefficient: communication complexity linear in the function's circuit size

### Efficient Distributed Function Application

Function Sharing: [Boyd, CH, DF, F, DDFY]

[Figure: v servers holding shares s1, s2, …, sv each act on Input; the combined partial results give Pkey(Input)]

• Robust: polynomial-time availability for any misbehaving minority of t servers

• t+1 servers can compute Pkey(Input)

• t servers cannot

• No entity learns the key after the function application

### Proof of security

Given a regular (centralized) system, RSA say, we say:

The distributed (threshold) system is secure if, given only the input/output relationship of the centralized system, we can "simulate" the distributed protocol that is used to generate the final output (signature, decrypted value, etc.). Whatever the adversary sees in the real protocol it could then have produced by itself from the centralized input/output, so the protocol leaks nothing beyond what the centralized system already reveals.

### El Gamal Distributed Decryption

• p = 2q + 1 with q prime (exponents live in Zq)

• g a generator of the subgroup of order q

• Private key x, public key y = g^x (mod p)

• x = s1 + s2 + s3 (mod q)

• Each server i has si, i = 1, …, 3

• ElGamal:

• Public key: p, q, g, y = g^x; secret: x

• To encrypt M, choose a random r and send <g^r, y^r * M> = <A, B>

### To Decrypt

• Input A, B

• Each server computes its partial: A^s1, A^s2, A^s3.

• Combiner multiplies: A^s1 * A^s2 * A^s3 = A^(s1+s2+s3) = A^x = (g^r)^x = (g^x)^r = y^r

• B / y^r = (y^r * M) / y^r = M (decrypted message)

To get 2-out-of-3: every share is a point on a polynomial; before acting, each server multiplies its share by its Lagrange coefficient (which depends on who the other participating party is), and this linearizes the problem to the additive case above. This is possible because Zq is a field, so the inverses needed for the Lagrange coefficients exist.
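The secret-sharing slide above and this distributed decryption, as one added worked example (this is illustration code, not code from the slides): additive and Shamir sharing over Zq, 3-out-of-3 ElGamal decryption from additive shares, and 2-out-of-3 decryption where each server applies its Lagrange coefficient in the exponent. The safe prime p = 2039 (q = 1019), the generator g = 4, the message value and all function names are assumptions chosen for readability; the parameters are far too small for real use. Requires Python 3.8+ for `pow(x, -1, m)`.

```python
"""Additive and Shamir sharing over Z_q, then ElGamal decryption by servers
that hold shares of x.  Toy parameters (hypothetical, insecure)."""
import secrets

Q = 1019          # prime; exponents live in Z_q
P = 2 * Q + 1     # 2039, a safe prime
G = 4             # 2^2 is a quadratic residue, hence generates the order-q subgroup


def additive_shares(secret, v):
    """v-out-of-v sum sharing: s_1 + ... + s_v = secret (mod q)."""
    shares = [secrets.randbelow(Q) for _ in range(v - 1)]
    shares.append((secret - sum(shares)) % Q)
    return shares


def shamir_shares(secret, v, t):
    """(t+1)-out-of-v sharing: share i is (i, f(i)) for a random degree-t
    polynomial f over Z_q with f(0) = secret.  t+1 points determine f;
    t points are consistent with every possible secret."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t)]
    return [(i, sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q)
            for i in range(1, v + 1)]


def lagrange_at_zero(i, xs):
    """lambda_i such that sum_i lambda_i * f(i) = f(0) over the points xs.
    Needs (j - i)^-1 mod q, which exists because Z_q is a field."""
    lam = 1
    for j in xs:
        if j != i:
            lam = lam * j * pow(j - i, -1, Q) % Q
    return lam


def reconstruct(points):
    """Recover f(0) from any t+1 Shamir points."""
    xs = [i for i, _ in points]
    return sum(lagrange_at_zero(i, xs) * fi for i, fi in points) % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)          # private x, public y = g^x


def encrypt(y, m):
    """ElGamal: <A, B> = <g^r, y^r * M> for a fresh random r."""
    assert 0 < m < P
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(y, r, P) * m % P


def partial_decrypt(A, exponent):
    """Each server contributes A^(its exponent) and never sees x."""
    return pow(A, exponent, P)


def combine(B, partials):
    """Combiner: the product of the partials is A^x = y^r, and M = B / y^r."""
    yr = 1
    for d in partials:
        yr = yr * d % P
    return B * pow(yr, -1, P) % P


def threshold_decrypt(A, B, points):
    """t+1 servers holding Shamir points: each first multiplies its share by
    its Lagrange coefficient (which depends on who else takes part), which
    turns the problem back into the additive case above."""
    xs = [i for i, _ in points]
    return combine(B, [partial_decrypt(A, lagrange_at_zero(i, xs) * si % Q)
                       for i, si in points])


if __name__ == "__main__":
    x, y = keygen()
    A, B = encrypt(y, 1234)
    print(combine(B, [partial_decrypt(A, s) for s in additive_shares(x, 3)]))
    pts = shamir_shares(x, 3, 1)      # 2-out-of-3
    print(threshold_decrypt(A, B, [pts[0], pts[2]]))
```

Each partial is reduced in the exponent modulo q before exponentiation, which is valid because A = g^r lies in the order-q subgroup; the combiner only ever sees A^(λi·si) values and never x itself.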

### (t,v) threshold RSA

Centralized: Pkey(m) = m^d mod n, key = (d, n).

Transformed to: shares s1, s2, …, sv held by v servers; each server applies its share to m, and the partial results are multiplied to give Pkey(m) = m^d mod n.

• Any t+1 out of v can sign m

• Non-interactively or in a few rounds

### (v,v) threshold RSA -- security proof outline

Centralized: Pkey(m) = m^d mod n, key = (d, n).

Transformed to: s1 + s2 + … + sv = d; server i publishes m^si mod n, and the product of the partials is Pkey(m) = m^d mod n.

Any v-1 of the shares are known to the adversary.

### Proof of security

• Simulation argument with input (m, m^d)

• WLOG, let the ADVERSARY control servers 1 through v-1

• Generate s1, …, s(v-1) randomly; server i's partial is m^si mod n

• The simulator sets server v's partial to m^sv = m^d / (m^s1 ⋯ m^s(v-1)) mod n, so that m^s1 ⋯ m^sv = m^d mod n exactly as in the real protocol
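The (v,v) protocol and its simulator, as an added example that is not the slides' own code: a dealer splits d additively over the integers, servers publish partials m^si, and a simulator that is given only the centralized pair (m, m^d) produces a transcript with the same distribution. The textbook toy modulus (p = 61, q = 53, e = 17, d = 2753), the choice that the first v-1 shares are uniform in [0, n), and all function names are assumptions for illustration. Requires Python 3.8+ (negative exponents in `pow`).

```python
"""(v,v) threshold RSA signing and the simulator from its security proof.
Toy textbook RSA (p=61, q=53); hypothetical parameters, not secure."""
import secrets

N, E, D = 3233, 17, 2753      # e*d = 1 mod lcm(60, 52)


def deal_shares(d, v, n):
    """Dealer: s_1 + ... + s_v = d over the integers.  The first v-1 shares
    are uniform in [0, n); the last one balances the sum (it may be negative)."""
    shares = [secrets.randbelow(n) for _ in range(v - 1)]
    shares.append(d - sum(shares))
    return shares


def partial_sign(m, share, n):
    # A negative share is fine: pow(m, -k, n) is the inverse of m^k (Python 3.8+),
    # which exists whenever gcd(m, n) = 1.
    return pow(m, share, n)


def combine(partials, n):
    sig = 1
    for x in partials:
        sig = sig * x % n
    return sig


def verify(m, sig, e, n):
    return pow(sig, e, n) == m % n


def real_transcript(m, shares, n):
    """What everybody sees: the v partial signatures m^{s_i} mod n."""
    return [partial_sign(m, s, n) for s in shares]


def simulated_transcript(m, sig, v, n):
    """Simulator for an adversary controlling servers 1..v-1.  It is given only
    the centralized input/output (m, m^d): it picks the corrupt servers' shares
    exactly as the dealer would and forces the honest server's partial to be
    m^d / (m^{s_1} ... m^{s_{v-1}}) mod n.  Because this view is distributed
    identically to the real one, the protocol leaks nothing beyond m^d."""
    corrupt = [secrets.randbelow(n) for _ in range(v - 1)]
    partials = [partial_sign(m, s, n) for s in corrupt]
    honest = sig * pow(combine(partials, n), -1, n) % n
    return corrupt, partials + [honest]


if __name__ == "__main__":
    shares = deal_shares(D, 4, N)
    sig = combine(real_transcript(65, shares, N), N)
    print(sig == pow(65, D, N), verify(65, sig, E, N))
    corrupt, sim = simulated_transcript(65, pow(65, D, N), 4, N)
    print(combine(sim, N) == sig)
```

The simulator never learns d or the honest server's share; it only needs m^d and the ability to invert modulo n, which is exactly the "given the input/output relationship of the centralized system" condition on the proof-of-security slide.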

### Distributed Cryptosystems (Threshold Crypto) Issues:

• Basic provably secure function sharing [89-90; 94: first provably secure RSA scheme, DDFY]

• Robust function sharing (assuring completion of the operation even if a subset misbehaves) [96 for RSA, DSA]

• Distributed key generation [DLOG 91, RSA 97-98]

• Proactive security (protection in the time domain) [OY 91 notion]

• …

### Proactive Public Key [HJJKY]

[Figure: timeline of refresh periods (May, June, July, …); shares are re-randomized at each period boundary]

### Robust RSA system

• Can use ZK-proofs (expensive)

• Use a witness instead: at setup, a "signature" on a random g with the share, g^s1, is made public

• When signing, server 1 publishes m^s1 mod n and g^s1 mod n together with a proof of same exponent

[Figure: servers with shares s1, …, sv each act on m; the combiner checks all proofs and that m^s1 * … * m^sv = m^d mod n]
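The witness-based check described above, as an added example (not the slides' own protocol): each server publishes its partial m^si next to a proof that the exponent equals the one behind its public witness g^si, and the combiner names any server whose proof fails. The proof is a Chaum-Pedersen-style equality-of-discrete-log proof made non-interactive with a hash, with the response computed over the integers because nobody but the dealer knows the group order (the same shape later threshold RSA schemes such as Shoup's use). The toy modulus built from the Mersenne primes 2^31-1 and 2^61-1, the generator g = 3, the message, the challenge and slack sizes and the function names are assumptions for illustration. Requires Python 3.8+.

```python
"""Robust (v,v) RSA: each server proves that its partial m^{s_i} used the same
exponent as its public witness g^{s_i}, so a combiner can name a cheating
server instead of just noticing that the product is not m^d."""
import hashlib
import math
import secrets

# Toy modulus from two Mersenne primes; hypothetical and not a secure key.
P_, Q_ = 2**31 - 1, 2**61 - 1
N = P_ * Q_
PHI = (P_ - 1) * (Q_ - 1)
E = 65537
D = pow(E, -1, PHI)
CHALLENGE_BITS = 128
SLACK_BITS = 64      # k is this much longer than c*s so z = k + c*s hides s


def deal(d, v):
    """Trusted dealer (it knows phi(n)): s_1 + ... + s_v = d mod phi(n)."""
    shares = [secrets.randbelow(PHI) for _ in range(v - 1)]
    shares.append((d - sum(shares)) % PHI)
    return shares


def challenge(*values):
    data = ",".join(str(v) for v in values).encode()
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return h >> (256 - CHALLENGE_BITS)


def contribute(m, g, s):
    """Server with share s: partial A = m^s and a Fiat-Shamir proof that
    log_m(A) = log_g(W) for its published witness W = g^s.  The response z is
    an integer: no server knows the group order, so nothing is reduced mod it."""
    A, W = pow(m, s, N), pow(g, s, N)
    k = secrets.randbits(PHI.bit_length() + CHALLENGE_BITS + SLACK_BITS)
    a1, a2 = pow(m, k, N), pow(g, k, N)
    c = challenge(m, g, A, W, a1, a2)
    return A, (c, k + c * s)


def verify_contribution(m, g, A, W, proof):
    """Recompute the commitments from (c, z) and check the challenge."""
    c, z = proof
    a1 = pow(m, z, N) * pow(A, -c, N) % N     # equals m^k iff A = m^s
    a2 = pow(g, z, N) * pow(W, -c, N) % N     # equals g^k iff W = g^s
    return c == challenge(m, g, A, W, a1, a2)


def robust_combine(m, g, contributions, witnesses):
    """Check all proofs first; return (signature or None, cheating servers)."""
    bad = [i for i, ((A, proof), W) in enumerate(zip(contributions, witnesses))
           if not verify_contribution(m, g, A, W, proof)]
    if bad:
        return None, bad
    sig = math.prod(A for A, _ in contributions) % N
    return (sig if pow(sig, E, N) == m % N else None), []


if __name__ == "__main__":
    shares = deal(D, 3)
    g, m = 3, 123456789
    witnesses = [pow(g, s, N) for s in shares]       # published at setup
    contribs = [contribute(m, g, s) for s in shares]
    print(robust_combine(m, g, contribs, witnesses)[0] == pow(m, D, N))
    A, proof = contribs[1]
    contribs[1] = (A * m % N, proof)                  # server 1 lies
    print(robust_combine(m, g, contribs, witnesses))  # (None, [1])
```

The witnesses must be fixed at setup, not sent along with the partial: a server that could choose W at signing time could pick a matching one for any bogus partial. With the witnesses pinned, a server that submits a wrong partial cannot produce a verifying proof, and the combiner learns which server to exclude.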

### Problems with t-out-of-v RSA

• Cannot interpolate directly: the Lagrange coefficients need inverses in the exponent domain (mod λ(n)), and that domain cannot be given to the servers without allowing them to factor n

• Thus: how to get around interpolation (doing it over the integers, or in another extended domain) was an open problem

• For proactive security: need to refresh keys over an unknown domain (there is no "random zero" as in Zq) … to be discussed next
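To make the interpolation obstacle concrete, an added example (not the slides' own method): the shares are points on a polynomial over the integers, the Lagrange coefficients are scaled by Δ = v! so they become exact integers and no inverse modulo λ(n) is ever computed, and the leftover factor Δ is removed at the end with the identity aΔ + be = 1. This integer trick is the one used in Shoup's later threshold RSA scheme; the toy parameters (p = 61, q = 53, e = 17, four servers, threshold 2, message 65) and the function names are assumptions for illustration. Requires Python 3.8+.

```python
"""t-out-of-v RSA without inverses modulo the unknown lambda(n): interpolate
over the integers with Lagrange coefficients scaled by Delta = v!."""
from itertools import combinations
from math import factorial, gcd
import secrets

N, E, D = 3233, 17, 2753   # toy textbook RSA (p=61, q=53); not secure


def integer_shares(secret, v, t):
    """(i, f(i)) for a random degree-t polynomial with integer coefficients and
    f(0) = secret.  Nothing is reduced modulo lambda(n), which the servers
    must not learn; the exponents grow accordingly."""
    coeffs = [secret] + [secrets.randbelow(N * N) for _ in range(t)]
    return [(i, sum(c * i**k for k, c in enumerate(coeffs))) for i in range(1, v + 1)]


def delta_lagrange(i, xs, v):
    """Delta * lambda_i for the points xs, an exact (possibly negative) integer:
    the denominator divides (i-1)!(v-i)!, hence v!."""
    num, den = factorial(v), 1
    for j in xs:
        if j != i:
            num *= j
            den *= j - i
    assert num % den == 0
    return num // den


def threshold_sign(m, points, v):
    """Any t+1 servers: each publishes m^(Delta*lambda_i*s_i); the product is
    m^(Delta*d).  With a*Delta + b*e = 1 the combiner obtains
    m^d = (m^(Delta*d))^a * m^b, since m^(b(1 - e*d)) = 1 mod n.
    Needs gcd(Delta, e) = 1, e.g. a prime e > v.  Negative exponents are
    handled by pow (Python 3.8+) because gcd(m, n) = 1."""
    xs = [i for i, _ in points]
    m_delta_d = 1
    for i, si in points:
        m_delta_d = m_delta_d * pow(m, delta_lagrange(i, xs, v) * si, N) % N
    delta = factorial(v)
    assert gcd(delta, E) == 1
    a = pow(delta, -1, E)            # a*Delta = 1 mod e
    b = (1 - a * delta) // E         # exact: a*Delta + b*e = 1
    return pow(m_delta_d, a, N) * pow(m, b, N) % N


if __name__ == "__main__":
    points = integer_shares(D, 4, 2)                 # 3-out-of-4
    for trio in combinations(points, 3):
        sig = threshold_sign(65, list(trio), 4)
        print(sig == pow(65, D, N), pow(sig, E, N) == 65)
```

No server ever touches λ(n): the only modular inverse taken is modulo the public exponent e, and the division by the Lagrange denominators happens over the integers where it is exact.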


### PROACTIVE D-Log based system

• The parties have s1, s2, s3 with s1 + s2 + s3 = x, the key.

• To refresh, server 1 picks r1,1 + r1,2 + r1,3 = 0 mod q. This is a distributed zero: the ADD ZERO PARADIGM.

• It keeps r1,1 and sends r1,2 to server 2 and r1,3 to server 3.

• The other servers do the same.

• When each server adds the pieces of the distributed zeros it received to its own share:

-- Any two shares from before the refresh are useless together with shares from after it, and any two current shares are useless on their own.

-- The value of the key is unchanged: it is still x mod q.

### Proactive RSA v out of v

• No random zero can be drawn over the unknown domain. But a server can split its share: s1 into s1,1, s1,2, s1,3 so that their sum is s1, and hand one piece to each server. REDISTRIBUTION PARADIGM

• The other servers do the same; a server's new share is the sum of the pieces it received.

• Shares may grow over time (statistical imbalance), but they are likely to grow slowly (random walk analysis).
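Both refresh paradigms, the ADD ZERO refresh of the previous slide and the REDISTRIBUTION refresh of this one, as one added example (illustration code, not the slides' own): the first works in Zq where a random zero exists, the second over the integers where no modulus is available and share sizes drift like a random walk. The field q = 1019, the toy exponent, the bound on random pieces, the number of rounds and the function names are assumptions for illustration.

```python
"""Share refresh for proactive security: ADD ZERO (shares in Z_q, a known
field) versus REDISTRIBUTION (integer shares, as for RSA where the group order
is unknown).  Toy values; hypothetical parameters."""
import secrets


def add_zero_refresh(shares, q):
    """Every server i deals a distributed zero r_{i,1} + ... + r_{i,v} = 0 mod q
    and sends r_{i,j} to server j; server j adds everything it received to its
    share.  The shares change, the sum stays the key."""
    v = len(shares)
    zeros = []
    for _ in range(v):
        r = [secrets.randbelow(q) for _ in range(v - 1)]
        r.append(-sum(r) % q)
        zeros.append(r)
    return [(shares[j] + sum(zeros[i][j] for i in range(v))) % q for j in range(v)]


def redistribute_refresh(shares, bound):
    """Every server i splits its integer share into pieces s_{i,1} + ... + s_{i,v}
    = s_i (v-1 random in [-bound, bound], the last balancing the sum) and sends
    piece j to server j; server j's new share is the sum of the pieces it got.
    No modulus is needed, but the shares drift like a random walk."""
    v = len(shares)
    new = [0] * v
    for s in shares:
        pieces = [secrets.randbelow(2 * bound + 1) - bound for _ in range(v - 1)]
        pieces.append(s - sum(pieces))
        for j, piece in enumerate(pieces):
            new[j] += piece
    return new


def refresh_rounds(shares, rounds, bound):
    """Run several redistribution periods; returns the final shares and the
    largest share size (in bits) after each period."""
    sizes = []
    for _ in range(rounds):
        shares = redistribute_refresh(shares, bound)
        sizes.append(max(abs(s).bit_length() for s in shares))
    return shares, sizes


if __name__ == "__main__":
    q, x = 1019, 777
    old = [100, 200, (x - 300) % q]
    new = add_zero_refresh(old, q)
    # the new shares still sum to x; an old share mixed with new ones does not
    print(sum(new) % q == x, (old[0] + new[1] + new[2]) % q == x)
    d = 2753
    final, sizes = refresh_rounds([1000, 900, d - 1900], 12, 2**20)
    print(sum(final) == d, sizes)
```

In the integer version the sum is preserved exactly, so the signing exponent never changes; the price is that a share after many periods is a sum of many random pieces, which is why the slide mentions the random-walk analysis of how fast shares grow.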

### Proactive RSA [FGMY1] (principles only)

• Re-randomize the families:

[Figure: Family 1 holds shares s1, s2, s3, s4 that sum up to d. Each share si is re-split into a row of pieces that sum up to si, one piece per server. Adding the pieces column-wise (+ + + +, = = = =) yields Family 2, a new family of shares that again sum up to d. This generates a new family with a new form.]

### t out of v from t out of t [FGMY-Cr97]

• This idea can be extended to allow other threshold access structures based on [B89, F89, AGY]

• The sum of shares in each family is the secret

[Figure: several committees, each holding a family of shares that sum up to d]

Example: 3 out of 4 sharing

Committees of three servers out of {1, 2, 3, 4}, e.g. {2, 3, 4} (server 1 absent) and {1, 2, 3} (server 4 absent)
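The committee construction for the 3-out-of-4 example, as an added example (not the slides' own code): every committee of t+1 servers receives an independent (t+1)-out-of-(t+1) additive family, so any t+1 servers hold one complete family while any t servers are missing at least one share of every family. The example reconstructs the secret directly to show the access structure; in the RSA setting the same shares would be applied in the exponent instead. The toy secret, the bound on random shares and the function names are assumptions for illustration.

```python
"""t-out-of-v from t-out-of-t: give every committee of t+1 servers its own
(t+1)-out-of-(t+1) additive sharing of the secret.  Any t+1 servers are a
committee and hold one complete family; any t servers lack at least one share
of every family.  Toy values; hypothetical parameters."""
from itertools import combinations
import secrets


def deal_committees(secret, v, t, bound):
    """{committee: {server: share}}; within each family the shares are integers
    summing to secret (random in [0, bound) plus one balancing share), as an
    RSA dealer who must not reveal the group order would do."""
    families = {}
    for committee in combinations(range(1, v + 1), t + 1):
        pieces = [secrets.randbelow(bound) for _ in range(t)]
        pieces.append(secret - sum(pieces))
        families[committee] = dict(zip(committee, pieces))
    return families


def server_view(families, server):
    """What one server stores: one share per committee it sits on."""
    return {c: sh[server] for c, sh in families.items() if server in c}


def reconstruct(families, available):
    """The available servers use any committee they cover completely; the
    families are independent, so shares from different committees do not mix."""
    for committee, sh in families.items():
        if set(committee) <= set(available):
            return sum(sh[s] for s in committee)
    return None


if __name__ == "__main__":
    fam = deal_committees(2753, 4, 2, 2**16)         # 3-out-of-4
    print(sorted(fam))                                # the four committees
    print(all(reconstruct(fam, c) == 2753 for c in combinations(range(1, 5), 3)))
    print(all(reconstruct(fam, c) is None for c in combinations(range(1, 5), 2)))
```

The storage cost is the number of committees a server belongs to, C(v-1, t) shares per server, which is why the slides present this as a principle for small v rather than a general-purpose threshold scheme.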

### Proactive Security - partial history

• Mobile Adversary for General function sharing [OY91]

• Proactive Pseudo-random generator [CH94]

• Proactive Secret Sharing [HJKY95]

• Proactive Public Key (Discrete Log Systems): [HJJKY96]

• Proactive Authenticated Communication [CHH97]

• Optimal Resilience [FGY focs97]

• Proactive RSA [FGMY97]

### Other Issues

• Distributed key generation (and robust) …

• Improved efficiency of the solutions for threshold, for proactive, etc.

• Note: this spreading of risk is only possible in an architecture that provides multiplicity (redundant servers)

• Adversary models: mobile vs. static (stationary) vs. determined at the start

• Non-adaptive: makes its corruption decisions based on an internal strategy, or:

• Adaptive: makes its decisions based on the messages seen in the protocol

### Conclusions

• Highly structured number-theoretic/algebraic problems may pose constraints due to security requirements (e.g., not being able to calculate mod φ(N)).

• When combined with a distributed setting, the problem may become even more challenging.

• Efficiency (practice) + distributed + security constraints ⇒ need for new algorithms and computational techniques (beyond those of the "completeness theorems").

• Developed new "robustness" and "computational" methods (of perhaps independent interest).

### Conclusions

• Techniques that distribute trust and avoid single points of security and availability failure are interesting

• The solutions employ distributed systems (usually considered a source of security problems) to achieve better security.