Further Simplifications in Proactive RSA Signatures


Further Simplifications in Proactive RSA Signatures
Stanisław Jarecki and Nitesh Saxena
School of Information and Computer Science, University of California, Irvine
02/12/05 Theory of Cryptography Conference (TCC)

Outline
- Threshold crypto, proactive signatures
- Proactive RSA: related work (Rabin's scheme; the URSA scheme and its insecurity)
- Motivation
- Proposed proactive RSA scheme
- Tighter analysis of Rabin's scheme
- Open problems

(t,n)-Threshold Cryptography
- Due to Desmedt; Boyd; Croft and Harris; Desmedt and Frankel
- Tool: Shamir's polynomial secret sharing
- Motivation: to secure the cryptosystem against t (< n/2) corruptions
- Split the secret d among n entities so that any set of t+1 or more entities can recover the secret, while an adversary who corrupts at most t entities learns nothing about d
- f(x) = S + a_1 x + a_2 x^2 + ... + a_t x^t (mod q); ss_i = f(id_i) (mod q)
- Polynomial interpolation recovers S for any group G with |G| = t+1 (figure labels: SECURE / INSECURE)

Threshold and Proactive Signatures
- Threshold signatures allow any set of t+1 entities to sign messages on behalf of the system; they tolerate up to t corruptions in the lifetime of the system
- Proactive signatures are threshold signatures with increased resilience: the lifetime is divided into intervals, secret shares are updated between intervals, and up to t corruptions are tolerated in every interval

Types of Adversaries
- Static
- Adaptive/Dynamic

Applications of Proactive Signatures
- Distributed Certification Authority, e.g., COCA
- Time-stamping service
- Access control in peer-to-peer (P2P) and mobile ad hoc networks (MANET), e.g., URSA

Examples of Proactive Signatures
- Discrete-log based: DSA based, Gennaro et al. [EC'96] [IANDC'01]; Schnorr based, Gennaro et al. [RSA Security'03]; BLS based, Boldyreva [PKC'03]
- RSA based: Frankel et al. [FOCS'97] [Crypto'97], Rabin [Crypto'98]; trusted standard, faster verification

Proactive RSA – Related Work (1/3)
- Frankel et al. [Crypto'97]: does not achieve the optimal threshold t < n/2
- Frankel et al. [FOCS'97]: combinatorial and thus not scalable

Proactive RSA – Related Work (2/3)
- Rabin [Crypto'98]. Main idea: share the RSA secret d additively over the integers; share the additive shares polynomially over the integers
- Sign using the additive shares
- Proactivize by shuffling and re-sharing the additive shares
- Crash == malicious fault
- Does not tolerate an adaptive adversary

Proactive RSA – Related Work (3/3)
- URSA: Ubiquitous and Robust Access Control; Luo et al. [ICNP'01, ISCC'02, WCMC'02, ToN'04]
- Main idea: share d polynomially in Z_N; sign using the polynomial shares; reconstruct the signature by converting the equation mod N into an equation over the integers
- No proof of security
- Actually insecure; Jarecki et al. [SASN'04]: the equation over the integers leaks certain information about d

Motivation for the Proposed Scheme
Can we fix the URSA scheme to yield a proactive RSA that is
- simpler? Yes
- more efficient? Yes
- crash ≠ malicious fault? No/Open
- adaptively secure? No/Open

URSA Proactive RSA Scheme (1/3)
Setup
- Dealer generates RSA private key d and public key (e, N)
- Randomly picks a polynomial f(x) of degree t: f(x) = d + a_1 x + a_2 x^2 + ... + a_t x^t (mod N)
- Member M_j is issued a secret share ss_j = f(j) (mod N)
Signature generation (signing group G, |G| = t+1)
- Polynomial interpolation (formulas not captured in the transcript); partial key d_j = ss_j * l_j (mod N)
- M_j outputs a partial signature (formula not captured in the transcript)
- Recall: RSA signature s = m^d (mod N)

URSA Proactive RSA Scheme (2/3)
Signature reconstruction from t+1 partial signatures
- Since (equation not captured in the transcript), try all (t+1) values of α and keep the s such that s^e = m (mod N)
- Note: α is revealed

Problems with URSA Proactive RSA
- Robustness; Narasimha et al. [ICNP'03]: shares are computed mod N, so the regular verifiability mechanisms fail; no verifiability ⇒ no robustness
- Insecure; Jarecki et al. [SASN'04]: e.g., for t = 7, |N| = 1024, e = 65537, the attack recovers d in 163 rounds

Our Attack (example): Binary Search
- t = 1, n = 2; players M1, M2; signing group G = {1, 2}
- Adversary A corrupts M1
- Recall: d = d1 + d2 – αN, and d1 = ss1 * l1 (mod N)
- The signing protocol reveals α
- If α = 0: d = d1 + d2 ⇒ d ≥ d1; otherwise, if α = 1: d = d1 + (d2 – N) ⇒ d < d1
- During proactive updates, A can choose ss1 s.t. (condition not captured in the transcript)
- With every update round the search interval is halved: binary search recovers d in log2(N) rounds
- (figure: number line from 0 to N with d1 marked)
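The URSA signing and reconstruction steps above, and the reason α leaks information, as an added toy example (constructed here, not URSA's or the authors' code): it uses a 12-bit toy RSA key, assumes the partial signature is m^(d_j) mod N and that the t+1 partial keys sum to d + αN with α in [0, t], and for t = 1 reports what the public α says about d relative to d_1.

```python
# Toy RSA key, constructed for illustration only: N = 61 * 53, e = 17, d = 2753.
N, E, D = 3233, 17, 2753

def lagrange_coeff(j, group, mod):
    """l_j = prod_{k != j} k / (k - j) (mod N), so that sum_j f(j) * l_j = f(0) = d.
    Needs gcd(k - j, N) = 1, which holds for small ids and this toy N
    (URSA computes everything mod N, the composite modulus)."""
    num = den = 1
    for k in group:
        if k != j:
            num = num * k % mod
            den = den * (k - j) % mod
    return num * pow(den, -1, mod) % mod

def deal(d, coeffs, n):
    """Dealer: f(x) = d + a_1 x + ... + a_t x^t (mod N); member M_j gets ss_j = f(j) (mod N)."""
    return {j: (d + sum(a * j ** i for i, a in enumerate(coeffs, 1))) % N
            for j in range(1, n + 1)}

def partial_sig(m, ss_j, j, group):
    """M_j's partial key d_j = ss_j * l_j (mod N) and (assumed) partial signature m^d_j (mod N)."""
    d_j = ss_j * lagrange_coeff(j, group, N) % N
    return pow(m, d_j, N), d_j

def reconstruct(m, partials):
    """sum_j d_j = d + alpha * N for some alpha in [0, t]: try each alpha and keep the
    candidate that verifies under (e, N). The alpha that works is seen by every observer."""
    prod = 1
    for s in partials:
        prod = prod * s % N
    m_N_inv = pow(pow(m, N, N), -1, N)      # (m^N)^-1 mod N; assumes gcd(m, N) = 1
    for alpha in range(len(partials)):
        cand = prod * pow(m_N_inv, alpha, N) % N
        if pow(cand, E, N) == m:
            return cand, alpha
    raise ValueError("no alpha verifies: a partial signature was faulty")

def d_at_least_d1(alpha):
    """t = 1 case from the talk: d = d_1 + d_2 - alpha*N with d_1, d_2 in [0, N),
    so alpha = 0 means d >= d_1 and alpha = 1 means d < d_1."""
    return alpha == 0
```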

The Proposed Scheme in a Nutshell
- Share d additively over a large enough prime q
- Share the shares polynomially using Pedersen's VSS
- Use the additive shares to sign
- Use URSA signature reconstruction
- To detect faulty signers, use special-purpose zero-knowledge proofs: Boudot [EC'00] and Camenisch and Michels [Crypto'99]

Set-up
- Dealer holds d and (e, N); a prime q ≥ r·2^(|N|+τ); g, h, p
- Pick d_j, d_j' ∈ Z_q s.t. Σ_j d_j = d (mod q)
- Share d_j, d_j' using polynomials f_j(z) and f_j'(z) over Z_q and publish the commitment to the polynomials as g^f(z) h^f'(z) mod p
- Send d_i, d_i', f_j(i), f_j'(i) to member M_i

Signature Generation & Reconstruction
- M_j outputs a partial signature (formula not captured in the transcript)
- Reconstruction (formula not captured in the transcript)

Robustness during Signing
- Failure of signature reconstruction ⇒ at least one cheating signer
- Detect by verifying each partial signature s_j: equality of discrete logs in two different groups, using the proofs of Damgård-Fujisaki-Okamoto and Camenisch-Michels; range of a committed number, using the proofs of Boudot and Damgård-Fujisaki-Okamoto
- Note: signing with (d_j + q) will also pass this proof, since g^q = 1 (mod p)

Proactive Update
- Each M_j splits his old secret share d_j additively into n subshares in Z_q
- M_i's new share is the sum (mod q) of the subshares it receives
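The set-up, signing with additive shares, URSA-style reconstruction and the proactive update of the proposed scheme, as an added toy implementation (constructed here, not the paper's code): the Pedersen commitments and zero-knowledge proofs are omitted, q is a toy prime far below the required r·2^(|N|+τ), and the partial signature is assumed to be m^(d_j) mod N.

```python
import random

# Toy RSA key, constructed for illustration only: N = 61 * 53, e = 17, d = 2753.
N, E, D = 3233, 17, 2753
Q = 1000003     # toy prime > N; the scheme needs q >= r * 2^(|N| + tau)

def deal(d, n, q, rng=random):
    """Additive sharing of d over Z_q: d_1..d_n uniform in Z_q with sum = d (mod q).
    Over the integers the shares sum to d + alpha*q for some alpha in [0, n-1]."""
    shares = [rng.randrange(q) for _ in range(n - 1)]
    shares.append((d - sum(shares)) % q)
    return shares

def partial_sig(m, d_j):
    """M_j signs with its additive share (assumed form m^d_j mod N)."""
    return pow(m, d_j, N)

def reconstruct(m, partials, q):
    """URSA-style reconstruction: divide out (m^q)^alpha for each alpha in [0, n-1]
    and accept the candidate that verifies under (e, N)."""
    prod = 1
    for s in partials:
        prod = prod * s % N
    m_q_inv = pow(pow(m, q, N), -1, N)      # (m^q)^-1 mod N; assumes gcd(m, N) = 1
    for alpha in range(len(partials)):
        cand = prod * pow(m_q_inv, alpha, N) % N
        if pow(cand, E, N) == m:
            return cand, alpha
    raise ValueError("no alpha verifies: at least one signer cheated")

def proactive_update(shares, q, rng=random):
    """Each M_j splits d_j into n subshares summing to d_j (mod q) and sends one to
    each member; M_i's new share is the sum of what it receives. The shares are
    fresh and independent of the old ones, but still sum to d (mod q)."""
    n = len(shares)
    sub = [deal(d_j, n, q, rng) for d_j in shares]   # sub[j][i]: from M_j to M_i
    return [sum(sub[j][i] for j in range(n)) % q for i in range(n)]
```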

Security Analysis: why top-level additive sharing fixes the URSA scheme
- Model: existential forgery under chosen-message attack (CMA)
- Theorem: if an adversary corrupting t players can CMA-attack the new (FDH) proactive RSA scheme with probability β in time T, then it can CMA-attack standard (FDH) RSA with probability β − 2^(−τ) in time T + poly(n, |N|)
- Proof: by the simulation technique. The statistical difference is due to the difference between the probability of generating the α value in the protocol and in the simulator

Comparison with Rabin's Scheme

                      Rabin's scheme              New scheme
  Sharing             over the integers           over a prime q
  Additive share size [-nN^2, nN^2]               [0, rN2^τ]
  Coefficient size    [-nL^2N^3, nL^2N^3] (L=n!)  (not listed)

In short, the new scheme is simpler and twice as fast in signing.

Tighter Analysis of Rabin's Scheme
Original simulation
- Picks d_1, d_2, ..., d_(n-1) uniformly at random from [-R, R], where R = nN^2
- Picks d_public uniformly at random from [nR, nR+N]
- Error: d_public in the protocol has a normal distribution, while d_public in the simulation has a uniform distribution; immediately distinguishable
Corrected simulation
- Exactly as the protocol
- In r rounds, the statistical difference is δ = rN/R
- New share size R = rN2^τ to make δ negligible

Related Open Problems
- Can we fix the URSA scheme to yield a proactive RSA with crash ≠ malicious fault? adaptively secure?
- Can we have upper bounds on the security of the URSA scheme? Up to how many rounds is it secure (if at all)? Up to how many signature operations does it allow in every round? What threshold is it secure for (if at all)?