Threshold RSA Cryptography Scott Anson CSEP590 Presentation

Overview: RSA Threshold Schemes Motivation Quick recap of threshold crypto basics Simple “N out of N” scheme k out of N scheme using trusted dealer Robust scheme with semi-trusted dealer Scheme that eliminates the trusted dealer for key and modulus distribution January 17, 2019

Motivation for Threshold RSA The same motivation that normal threshold schemes share. Canonical example is the digital signature scheme, k of N executives check-signing Eliminate single point of failure for ultra-sensitive public cryptosystem data. For example, Root CA private key (and modulus factors) Allow way for groups to communicate with each other, without requiring everyone to hold the private key, nor requiring everyone to cooperate. January 17, 2019

Threshold Crypto Basics Recall Josh’s lecture on threshold schemes, Shamir’s secret sharing over finite field Zp = {0,1,…,p-1} where p is a prime RSA Private data: (p, q, d); public: (e, n) TRSA(k,N): k users can apply private key d to a message, while k-1 cannot and… Phases: Key distribution, partial signature computation, signature combination, verification January 17, 2019

k = N scheme Key generation phase: Dealer publishes (e, n). Dealer splits d into N shares s.t. d = ∑i=1 to N di and distributes one share per member. Shares should be random. Signature phase: Message to sign is m, each member computes md_imod n and submits to combiner Combination phase: combiner computes ∏j=1toN md_i mod n = m∑d_i mod n = md mod n January 17, 2019

k = N scheme What’s not quite right with this scheme? Dealer is trusted for n = pq, and that p and q are erased. Dealer is trusted for random key shares that add up to d. Participants are trusted to correctly apply their share. But this scheme can work for applications like securing root CA key, where N is small. k=2,N=3 system example: Dealer splits d two different ways, d = d1+d2=d3 +d4. S1 gets d1 and d3, S2 gets d2, S3 gets d1 and d4 January 17, 2019

k ≤ N scheme with trusted dealer Desmedt & Frankel, 1992 “pre-computation phase” for each grouping of k to cover the missing shares But can’t openly expose missing shares Solution is SSS, but SSS works over Zp, and application to RSA is complicated since Lagrange interpolation modular inverses are over Zpq or variant, and pre-computation may expose info on p or q. Further, the inverses may not exist. DF proposal has dealer craft a special degree k-1 polynomial where f(0) = d-1, plus other constraints Creates key shares that have the inverses built in, allow precomputation stage to avoid them, and then the product of the partial shares resolves to the secret via Lagrange interpolation. DF final solution has cumbersome double-layering of SSS. January 17, 2019

“k-1”-robust scheme with semi-trusted dealer, Rabin 1998 Different from DF, uses additive key scheme (same as k=N) slide. Uses Secret sharing to backup each key in the form of a k-1 degree polynomial, so that the k signing parties can determine the missing key shares. Broadcasts lots of witnesses for verification: wd_i = gd_imod n, where g=grnd(N!)^2 mod n This witness is used in signature verification, discrete log of partial signature is shown to be equivalent to discrete log of witness January 17, 2019

Robust scheme key share backup For each player i, who holds key share di (-Nn2 ≤ di ≤ Nn2), dealer creates polynomial of degree k-1 for VSS scheme: Fi (x) = ai,k-1xk-1 + … + ai,2x2 + ai,1x + di∙N!, coefficient values range from (-N)(N!2)(n3) to (N)(N!2)(n3) Give player Pi the value f(i), for every player i. Create witnesses, ga_i,j mod n for EVERY coefficient, and broadcast them to all members of group. Call them w_i,j Verification: gf(i) ≡ ∏j=0 to k-1(x-j) (mod n) Rabin gives methods to handle cheating dealer or participant, and method to reconstruct key shares from backup. January 17, 2019

What’s missing? Rabin shows how participants can enforce that the dealer is not cheating wrt passing out key shares, and that the participants aren’t cheating in forming their signatures And how a simple additive form distribution of keys can work with the missing shares being reconstructed via VSS But there is still a single point of failure: dealer can leak d, p or q. Dealer is still trusted. January 17, 2019

Secure TRSA key generation Boneh and Franklin, 1997 High level view: While ( n is not a valid modulus) for each party i, pick random pi and qi using modified-BGW version of SSS… create 3 polynomials, calculate tuples for each member, multiple sharings and interpolation results in n = ∑i pi∙ ∑i qi conduct distributed Fermat test on n conduct more advanced tests that use crazy math End There are a number of optimizations proposed to make up for how there is a n-2 chance of correctly choosing p and q. January 17, 2019

Secure TRSA key gen continued… They give a method* to generate key shares without a dealer by using their respective pi and qi values Uses multiple one-to-all broadcasts and computations that do not expose the pi or qi values Result is that the servers all have valid key shares but one That server’s share is only off by at most N, so a series of sample encryptions are run to correct it’s share value. k out of N schemes require combinatorial distribution approach or usage of Rabin’s backups *using a protocol due to Benaloh January 17, 2019

Conclusion Threshold RSA is theoretically possible, in a way that is more secure than single-party RSA, but not necessarily efficiently practical. RSA not as easily adaptable to threshold schemes as discrete log public crypto Some CA’s already use Threshold RSA variants (Visa/MC) ITTC project at Stanford implements no-dealer approach. All techniques use variants on SSS January 17, 2019