
DISTRIBUTED CRYPTOSYSTEMS

DISTRIBUTED CRYPTOSYSTEMS. Moti Yung. Distributed Trust-- traditionally. Secret sharing: Linear sharing over a group (Sum sharing) gives n out of n sharing of a secret.


Presentation Transcript


  1. DISTRIBUTED CRYPTOSYSTEMS Moti Yung

  2. Distributed Trust -- traditionally
  • Secret sharing:
  • Linear sharing over a group (sum sharing) gives n-out-of-n sharing of a secret.
  • Threshold schemes [Shamir, Blakley]: use polynomial interpolation (or a geometric structure) to share a secret t-out-of-n:
  • Every group of t+1 knows the secret
  • Every group of up to t knows nothing
  • We EXTEND sharing of a secret to "SHARING CAPABILITY"

  3. SECRET SHARING [B, Sh]
  (figure: a key split into shares s1, s2, …, sv)
  • v out of v (additive) sharing: s1 + … + sv = key
  • t out of v polynomial sharing

  4. Polynomial Sharing

  5. Inefficient way: Secure Function Evaluation
  • PART OF A SET OF PROTOCOLS
  • Basic initial protocols:
  • Coin Flipping [Blum]
  • Oblivious Transfer [Rabin]
  • Mental Poker [SRA]
  • Given any polynomial-size circuit, compute it securely so that only the result becomes known [Yao, GMW, …]

  6. Secure Distributed Computing: [Yao, GMW]
  (figure: parties holding secret inputs jointly compute P(Input))
  General function compilers: 1) are merely plausibility results; 2) gross inefficiency: communication complexity linear in the function's circuit size.

  7. Efficient Distributed Function Application
  Function Sharing: [Boyd, CH, DF, F, DDFY]
  (figure: the key is split into shares s1, …, sv; the servers jointly compute Pkey(Input))
  • Robust: poly-time availability for any misbehaving minority of size t
  • t+1 can compute Pkey(Input); t cannot
  • No entity learns the key after the function application

  8. Proof of security
  Given a regular system (RSA, say), we say the distributed (threshold) system is secure if, given the input/output relationship of the centralized system, we can "simulate" the distributed protocol that is used to generate the final output (signature, decrypted value, etc.).

  9. El Gamal Distributed Decryption
  • p = 2q+1 (exponents in Zq)
  • g a generator of order q
  • Private key x, public key y = g^x (mod p)
  • x = s1 + s2 + s3 (mod q)
  • Each server i has si, i = 1, …, 3
  • ElGamal:
  • Public key: p, q, y = g^x. Secret: x
  • To encrypt M, choose a random r and send <g^r, y^r * M> = <A, B>
  • To decrypt:

  10. To Decrypt
  • Input A, B
  • Each server computes A^s1, A^s2, A^s3.
  • Combiner multiplies: A^s1 * A^s2 * A^s3 = A^(s1+s2+s3) = A^x = (g^r)^x = (g^x)^r = y^r
  • B / y^r = (y^r * M) / y^r = M (decrypted message)
  To have a 2-out-of-3 scheme: every share is a point on a polynomial; before acting, each server multiplies its share by the Lagrange coefficient (which depends on who the other participant is), and this linearizes the problem (as above). This is possible because Zq is a field (so computing Lagrange coefficients is fine in a field).
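The sharing of slides 3-4 and the decryption of slides 9-10 carried through in code, as an added example that is not from the slides: Shamir 2-out-of-3 shares of the ElGamal private key x over Zq, partial decryptions A^(λi·si) where λi is the Lagrange coefficient, and a combiner that only multiplies. The toy group p = 23, q = 11, g = 4 is a constructed assumption.

```python
import secrets

P, Q, G = 23, 11, 4   # constructed toy group: p = 2q+1, G has order q mod p

def lagrange_at_zero(i, subset, q):
    """Lagrange coefficient of server i (within subset) for x = 0, over Z_q."""
    num = den = 1
    for j in subset:
        if j != i:
            num = num * (-j) % q
            den = den * (i - j) % q
    return num * pow(den, -1, q) % q

def share_key(x, k, v, q):
    """Shamir k-out-of-v sharing: random polynomial f of degree k-1 with
    f(0) = x; server i (1..v) receives the point (i, f(i))."""
    coeffs = [x] + [secrets.randbelow(q) for _ in range(k - 1)]
    return {i: sum(c * pow(i, e, q) for e, c in enumerate(coeffs)) % q
            for i in range(1, v + 1)}

def encrypt(y, m):
    """ElGamal: <A, B> = <g^r, y^r * M> mod p."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), pow(y, r, P) * m % P

def partial_decrypt(A, i, s_i, subset):
    """Server i raises A to its Lagrange-weighted share. This turns the
    polynomial shares into additive ones, so the combiner only multiplies."""
    return pow(A, lagrange_at_zero(i, subset, Q) * s_i % Q, P)

def combine(B, partials):
    """Combiner: product of partials is A^x = y^r; then M = B / y^r."""
    y_r = 1
    for part in partials:
        y_r = y_r * part % P
    return B * pow(y_r, -1, P) % P

def threshold_decrypt(shares, subset, A, B):
    """Any 'subset' of servers of size >= k recovers M from (A, B)."""
    return combine(B, [partial_decrypt(A, i, shares[i], subset) for i in subset])

def demo(k=2, v=3):
    """Share a fresh key 2-out-of-3 and decrypt with two different pairs."""
    x = secrets.randbelow(Q)
    shares = share_key(x, k, v, Q)
    m = pow(G, 7, P)                 # plaintext in the order-q subgroup
    A, B = encrypt(pow(G, x, P), m)
    return m, threshold_decrypt(shares, [1, 3], A, B), threshold_decrypt(shares, [2, 3], A, B)
```

With k = v the same code is the v-out-of-v case; the Lagrange weights then just reduce to whatever makes the v shares sum to x.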

  11. (t,v) threshold RSA
  Centralized: P_key(m) = m^d mod n, key = (d, n)
  Transformed to: shares s1, …, sv; any t+1 out of v can sign m, non-interactively or in a few rounds.

  12. (v,v) threshold RSA -- security proof outline
  Centralized: P_key(m) = m^d mod n, key = (d, n)
  Transformed to: s1 + s2 + … + sv = d; shares s1, …, sv; any v-1 of them are known to the adversary.

  13. Proof of security
  • Simulation argument with input: (m, m^d)
  • WLOG, let the ADVERSARY control servers 1 through v-1
  • Generate s1, …, s(v-1) randomly; server i outputs m^si mod n
  • Set the last partial so that m^s1 * … * m^sv = m^d mod n, i.e. m^sv = m^d / (m^s1 * … * m^s(v-1)) mod n
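The real (v,v) RSA protocol of slide 12 next to the simulator of slide 13, as an added example that is not from the slides. The toy modulus n = 61·53 and e = 17 are constructed; the dealer knows φ(n), the simulator is given only (m, m^d mod n).

```python
import secrets

N, E = 3233, 17          # constructed toy RSA modulus 61*53 and public exponent
PHI = 60 * 52            # phi(N): known to the dealer, not to the simulator
D = pow(E, -1, PHI)      # private exponent d

def deal_shares(d, v, phi):
    """Dealer: s1..s_{v-1} uniform in Z_phi, s_v chosen so the sum is d mod phi."""
    shares = [secrets.randbelow(phi) for _ in range(v - 1)]
    shares.append((d - sum(shares)) % phi)
    return shares

def partial_sign(m, s_i, n=N):
    """Server i publishes its partial signature m^{s_i} mod n."""
    return pow(m, s_i, n)

def combine(partials, n=N):
    """Combiner: product of partials = m^{s1+...+sv} = m^d mod n."""
    sig = 1
    for part in partials:
        sig = sig * part % n
    return sig

def real_protocol(m, v):
    """The real (v,v) protocol: dealer shares d, every server signs."""
    return [partial_sign(m, s) for s in deal_shares(D, v, PHI)]

def simulate_protocol(m, signature, v, n=N):
    """Simulator from the proof: given only (m, m^d mod n), it picks the
    corrupted servers' shares s1..s_{v-1} at random (uniform in [0, n) is
    statistically close to uniform mod phi(n)) and sets the honest server's
    partial to m^d / (m^{s1} * ... * m^{s_{v-1}}) mod n. No d, no phi(n)."""
    fake_shares = [secrets.randbelow(n) for _ in range(v - 1)]
    partials = [partial_sign(m, s, n) for s in fake_shares]
    honest = signature * pow(combine(partials, n), -1, n) % n
    return fake_shares, partials + [honest]

def verify(m, sig, n=N, e=E):
    """Standard RSA verification of the combined signature."""
    return pow(sig, e, n) == m % n
```

The simulated transcript (v-1 random shares plus one derived partial) combines to the same signature as the real one, which is exactly what the security definition of slide 8 asks for.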

  14. Distributed Cryptosystems (Threshold Crypto) Issues:
  • Basic provably secure function sharing [89-90; 94: first provably secure RSA scheme, DDFY]
  • Robust function sharing (assuring completion of the operation even if a subset misbehaves) [96 for RSA, DSA]
  • Distributed key generation [for DLOG 91, RSA 97, 98]
  • Proactive security (protection in the time domain) [OY 91 notion]
  • …

  15. Proactive Public Key [HJJKY]
  (figure: timeline of refresh periods labelled May, June, July)

  16. Robust RSA system
  • Can use ZK-proofs (expensive)
  • Use a robustness witness: a "signature" on a random g with the share, g^s1, is made public; each server publishes m^s1 mod n together with g^s1 mod n and a proof that both use the same exponent
  • Check all proofs, then m^s1 * … * m^sv = m^d mod n

  17. Problems with t-out-of-v RSA
  • Cannot interpolate: the inverses in the Lagrange coefficients live in the domain mod lambda(n), which is not available without being able to factor n
  • Thus, how to get around interpolation (doing it over the integers, or in another extended domain) was a problem
  • For proactive: need to refresh keys over an unknown domain (no random zero as in Zq) … to be discussed next

  18. Proactive Public Key [HJJKY]
  (figure: timeline of refresh periods labelled May, June, July)

  19. PROACTIVE D-Log based system
  • The parties have s1, s2, s3 with s1 + s2 + s3 = x, the key.
  • To refresh the key, server one chooses r1,1 + r1,2 + r1,3 = 0 mod q. This is a distributed zero. ADD ZERO PARADIGM
  • It sends r1,1 to server 1, r1,2 to server 2, r1,3 to server 3.
  • Other servers do the same.
  • When they add the distributed zeros: -- any two shares from before are useless, and any two shares now are useless. -- The value of the key is the same = x mod q.

  20. Proactive RSA v out of v
  • Cannot add "zero" (no random zero as in Zq)
  • But can split a share: s1 -> s1,1, s1,2, s1,3 so that their sum is s1. REDISTRIBUTION PARADIGM
  • Other servers do the same
  • Shares may grow over time (statistical imbalance), but are likely to grow slowly (random walk analysis).
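Both refresh paradigms of slides 19 and 20 side by side, as an added example that is not from the slides: ADD ZERO for additive D-log shares mod q, and REDISTRIBUTION for additive RSA shares over the integers, where no modulus is available. The share values, q and the toy RSA modulus used in the checks are constructed.

```python
import secrets

def add_zero_refresh(shares, q):
    """ADD ZERO PARADIGM (D-log, shares mod q): every server i deals a
    distributed zero r_{i,1} + ... + r_{i,v} = 0 mod q and sends r_{i,j} to
    server j. Server j's new share is s_j + sum_i r_{i,j} mod q; the key
    x = sum of shares is unchanged, but every old share is now stale."""
    v = len(shares)
    new = list(shares)
    for _ in range(v):                               # one dealing per server
        r = [secrets.randbelow(q) for _ in range(v - 1)]
        r.append(-sum(r) % q)                        # forces the sum to 0 mod q
        for j in range(v):
            new[j] = (new[j] + r[j]) % q
    return new

def redistribute_refresh(shares, bound):
    """REDISTRIBUTION PARADIGM (RSA, shares over the integers): there is no
    known modulus to draw zeros from, so each server i instead splits s_i
    into s_{i,1} + ... + s_{i,v} = s_i over the integers and sends s_{i,j}
    to server j, which sums what it receives. The sum (d) is preserved, but
    shares are never reduced and may drift in size (random walk)."""
    v = len(shares)
    new = [0] * v
    for s_i in shares:
        sub = [secrets.randbelow(bound) for _ in range(v - 1)]
        sub.append(s_i - sum(sub))                   # may be negative: fine
        for j in range(v):
            new[j] += sub[j]
    return new

def key_from_shares(shares, q=None):
    """Reconstruct the secret: mod q for D-log shares, exact sum for RSA."""
    total = sum(shares)
    return total % q if q else total

def sign_with_integer_shares(m, shares, n):
    """(v,v) RSA signing with integer (possibly negative) shares: the product
    of m^{s_i} mod n is m^d mod n. Python 3.8+ pow() treats a negative
    exponent as a modular inverse, valid when gcd(m, n) = 1."""
    sig = 1
    for s in shares:
        sig = sig * pow(m, s, n) % n
    return sig
```

Mixing two old D-log shares with one new one reconstructs x plus the refresh randomness, not x, which is the "old shares are useless" property of slide 19.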

  21. Proactive RSA [FGMY1] (principles only)
  • Re-randomize the families (figure: Family 1 = shares s1, s2, s3, s4 that sum up to d; a sub-family of values sums up to share s1)

  22. Continued (figure: sub-families summing up to share s1 and to share s2)

  23. Continued (figure: sub-families summing up to s1, s2, s3 and s4 are added column-wise; the column sums form Family 2, which again sums up to d)

  24. Family 1 generates a new family with a new form: new Family

  25. t out of v from t out of t [FGMY-Cr97]
  • This idea can be extended to allow other threshold access structures based on [B89, F89, AGY]
  • The sum of shares in each family is the secret (figure: several families, each summing up to d)
  • Committees example: 3 out of 4 sharing (figure residue: "1, 2 3 4 1 2 3, 4")

  26. Proactive Security - partial history
  • Mobile adversary for general function sharing [OY91]
  • Proactive pseudo-random generator [CH94]
  • Proactive secret sharing [HJKY95]
  • Proactive public key (discrete log systems) [HJJKY96]
  • Proactive authenticated communication [CHH97]
  • Optimal resilience [FGY FOCS97]
  • Proactive RSA [FGMY97]

  27. Other Issues
  • Distributed key generation (and robust) …
  • Improved efficiency of threshold solutions, of proactive solutions, etc.
  • Note: this spread of risk is possible for a given architecture where one has a multitude of servers (redundancy)

  28. TYPES OF ADVERSARIES
  • Mobile vs. static (stationary) vs. determined at start
  • Non-adaptive: makes decisions based on an internal strategy, or:
  • Adaptive: makes decisions based on messages in the protocol
  • Most deadly adversary: both dynamic (mobile) and adaptive.

  29. Conclusions
  • Highly structured number-theoretic/algebraic problems may pose constraints due to security requirements (e.g., calculating mod φ(N)).
  • When combined with a distributed setting, the problem may become even more challenging.
  • Efficiency (practice) + distributed + security constraints ⇒ need for new algorithms and computational techniques (beyond those of the "completeness theorems").
  • Developed new "robustness" and "computational" methods (of perhaps independent interest).

  30. Conclusions
  • Techniques that distribute trust and avoid single points of security and availability failure are interesting
  • The solutions employ distributed systems (which are usually considered the source of security problems) to achieve better security.
