
DISTRIBUTED CRYPTOSYSTEMS Moti Yung

Distributed Trust -- traditionally
• Secret sharing:
  – Linear sharing over a group (sum sharing) gives n-out-of-n sharing of a secret.
• Threshold schemes [Shamir, Blakley]: use polynomial interpolation (or a geometric structure) to share so that, t-out-of-n:
  – Every group of t+1 knows the secret
  – Every group of up to t does not know anything
• We EXTEND sharing of a secret to “SHARING CAPABILITY”

SECRET SHARING
[Figure: a key split into shares s_1, s_2, ..., s_v]
• v out of v (additive) sharing: s_1 + … + s_v = key
• t out of v polynomial sharing [B, Sh]

Polynomial Sharing

Inefficient way: Secure Function Evaluation
• PART OF A SET OF PROTOCOLS
• Basic Initial Protocols
  – Coin Flipping [Blum]
  – Oblivious Transfer [Rabin]
  – Mental Poker [SRA]
• Given any polynomial circuit, compute it with secret output so that only the result is known [Yao, GMW, …]

Secure Distributed Computing: [Yao, GMW]
[Figure: parties with secret inputs jointly computing P(Input)]
General function compilers:
1) are merely plausibility results
2) gross inefficiency: communication complexity linear in the function’s circuit size

Efficient Distributed Function Application
[Figure: servers holding shares s_1, s_2, ..., s_v take Input and output P_key(Input)]
Function Sharing: [Boyd, CH, DF, F, DDFY]
• t+1 can compute P_key(Input)
• t cannot
• no entity learns key after function application
• Robust: poly time availability for any misbehaving minority t

Proof of security
Given a regular system (RSA, say), we say: the distributed (threshold) system is secure if, given the input/output relationships from the centralized system, we can “simulate” the distributed protocol which is used to generate the final output (signature or decrypted value, etc.)

El Gamal Distributed Decryption
• p = 2q+1 (exponents in Z_q)
• g a generator of order q
• Private key x, public key y = g^x (mod p)
• x = s1+s2+s3 (mod q)
• Each server i has s_i, i = 1,...,3
• ElGamal:
  – Public key: p, q, y = g^x. Secret: x
• To encrypt M, choose a random r and send (A, B) = (g^r, y^r * M)
• To decrypt:

To Decrypt
• Input A, B
• Each server computes: A^s1, A^s2, A^s3.
• Combiner multiplies: A^s1 * A^s2 * A^s3 = A^(s1+s2+s3) = A^x = (g^r)^x = (g^x)^r = y^r
• B / y^r = (y^r * M / y^r) = M (decrypted message)
To have a 2-out-of-3: every share will be a point on a polynomial; before acting, each server multiplies its share by the Lagrange coefficient (which depends on who the other party is), and this linearizes the problem (as above). This is possible since Z_q is a field (so computing Lagrange coefficients is fine in a field).
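The two decryption modes on this slide, as an added example that is not part of the original slides. The toy parameters (q = 1019, p = 2039, g = 4), the message value and all function names are constructed for illustration; the code also assumes a dealer that knows x while creating the shares.

```python
import secrets

# Constructed toy parameters (illustration only): p = 2q + 1, g of order q.
Q = 1019
P = 2 * Q + 1                      # 2039
G = 4                              # a square mod p, so its order is q

def encrypt(y, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(y, r, P) * m) % P          # (A, B)

def partial(a, share, coeff=1):
    """One server's output A^(coeff * s_i) mod p; the share never leaves the server."""
    return pow(a, (coeff * share) % Q, P)

def combine(b, partials):
    """Combiner: multiply the partials to get y^r, then return B / y^r."""
    yr = 1
    for part in partials:
        yr = (yr * part) % P
    return (b * pow(yr, -1, P)) % P

def lagrange_at_zero(i, group):
    """Lagrange coefficient of server i within `group`, evaluated at 0 over Z_q."""
    num = den = 1
    for j in group:
        if j != i:
            num = (num * -j) % Q
            den = (den * (i - j)) % Q
    return (num * pow(den, -1, Q)) % Q

def demo(m=1234):
    # 3-out-of-3: x = s1 + s2 + s3 mod q
    add = [secrets.randbelow(Q) for _ in range(3)]
    x = sum(add) % Q               # known only to the dealer in this sketch
    y = pow(G, x, P)
    a, b = encrypt(y, m)
    additive = combine(b, [partial(a, s) for s in add])
    # 2-out-of-3: share i is the point f(i) on f(z) = x + c*z over Z_q
    c = secrets.randbelow(Q)
    pts = {i: (x + c * i) % Q for i in (1, 2, 3)}
    pairs = {}
    for group in [(1, 2), (1, 3), (2, 3)]:
        parts = [partial(a, pts[i], lagrange_at_zero(i, group)) for i in group]
        pairs[group] = combine(b, parts)
    return additive, pairs
```

The combiner only ever sees A^(λ_i · s_i), so x is never reassembled in one place during decryption.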

(t,v) threshold RSA
[Figure: the centralized signer P_key(m) = m^d mod n with key = (d, n) is transformed into servers holding shares s_1, s_2, ..., s_v that jointly compute P_key(m) = m^d mod n]
• Any t+1 out of v can sign m
• Non-interactively or in a few rounds

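(v,v) threshold RSA – security proof outline
[Figure: the centralized signer P_key(m) = m^d mod n with key = (d, n) is transformed into servers holding shares s_1, s_2, ..., s_v with s_1 + s_2 + … + s_v = d, jointly computing P_key(m) = m^d mod n]
• Any v-1 shares are known to the adversary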

Proof of security
[Figure: on input m, servers with shares s_1, s_2, ..., s_v output m^{s_1} mod n, ..., m^{s_v} mod n, and m^{s_1} · … · m^{s_v} → m^d mod n]
• Simulation argument with input: (m, m^d)
• WLOG, let the ADVERSARY control servers 1 through v-1
• Generate s_1, …, s_{v-1} randomly
• m^{s_v} = m^d / (m^{s_1} · … · m^{s_{v-1}}) mod n
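The simulation argument above, as an added example that is not part of the original slides. The toy RSA key (primes 1009 and 1013, e = 65537), the share range and all function names are constructed assumptions; shares are dealt over the integers so the last one may be negative.

```python
import secrets
from math import prod

# Constructed toy RSA key (illustration only).
P_, Q_ = 1009, 1013
N = P_ * Q_
E = 65537
D = pow(E, -1, (P_ - 1) * (Q_ - 1))

def deal(v):
    """Additive sharing over the integers: s_1..s_{v-1} random, s_v = d - sum."""
    shares = [secrets.randbelow(N) for _ in range(v - 1)]
    return shares + [D - sum(shares)]

def partial_sig(m, s):
    """Server output m^s mod n (a negative s uses the inverse of m, Python 3.8+)."""
    return pow(m, s, N)

def combine(parts):
    return prod(parts) % N

def simulate_view(m, sig, v):
    """Simulator: sees only (m, m^d). It picks the v-1 corrupted shares itself,
    with the same distribution as deal(), and derives the honest server's
    partial as m^d / (m^s_1 * ... * m^s_{v-1}) mod n without knowing d."""
    corrupt = [secrets.randbelow(N) for _ in range(v - 1)]
    parts = [partial_sig(m, s) for s in corrupt]
    honest = (sig * pow(prod(parts) % N, -1, N)) % N
    return corrupt, parts + [honest]

def demo(m=42, v=4):
    real = combine([partial_sig(m, s) for s in deal(v)])
    sig = pow(m, D, N)               # output of the centralized system
    _, sim_parts = simulate_view(m, sig, v)
    return real, sig, combine(sim_parts)
```

Because the simulated transcript is built from (m, m^d) alone, anything the adversary could compute from the distributed protocol it could also compute from the centralized signer's outputs.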

Distributed Cryptosystems (Threshold Crypto)
Issues:
• Basic provably secure function sharing [89-90, 94 first RSA provably secure scheme DDFY]
• Robust function sharing (assuring completion of the operation even if a subset misbehaves) [96 for RSA, DSA]
• Distributed key generation [for DLOG 91, RSA 97, 98]
• Proactive security (protection in the time domain) [OY 91 notion]
• ………

Proactive Public Key [HJJKY]
[Figure: timeline of periods May, June, July]

Robust RSA system
[Figure: on input m, servers with shares s_1, s_2, ..., s_v each output m^{s_1} mod n, g^{s_1} mod n and a proof of same exponent]
Check all proofs and m^{s_1} * … * m^{s_v} → m^d mod n
• Can use ZK-proofs (expensive)
• Use robustness: witness signature on a random g with the share, g^{s_1}; make it public

Problems with t-out-of-v RSA
• Cannot interpolate (the inverses in the Lagrange coefficients are in the domain mod λ(n)) while not allowing to factor
• Thus, how to get around interpolation (doing it over the integers etc., or in another extended domain) was a problem
• For proactive: need to refresh keys over an unknown domain (no random zero as in Z_q) … to be discussed next

Proactive Public Key [HJJKY]
[Figure: timeline of periods May, June, July]

PROACTIVE D-Log based system
• The parties have s1, s2, s3, with s1+s2+s3 = x, the key.
• To refresh the key, server 1 has r1,1 + r1,2 + r1,3 = 0 mod q. This is a distributed zero. ADD ZERO PARADIGM
• r1,1 goes to server 1, r1,2 to server 2, r1,3 to server 3.
• Other servers do the same.
• When they add the distributed zeros:
  – Any two keys from before are useless; any two keys now are useless.
  – The value of the key is the same = x mod q.
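The add-zero refresh, as an added example that is not part of the original slides. The toy group (q = 1019, p = 2039, g = 4), the three epoch names taken from the timeline slide and all function names are constructed for illustration.

```python
import secrets

# Constructed toy group (illustration only): p = 2q + 1, g of order q.
Q = 1019
P = 2 * Q + 1
G = 4

def zero_sharing(n):
    """One server's distributed zero: r_1..r_n with r_1 + ... + r_n = 0 mod q."""
    r = [secrets.randbelow(Q) for _ in range(n - 1)]
    return r + [(-sum(r)) % Q]

def refresh(shares):
    """Every server deals a zero-sharing; server j adds all pieces addressed to it."""
    n = len(shares)
    rows = [zero_sharing(n) for _ in range(n)]       # rows[i][j]: from server i to j
    return [(shares[j] + sum(row[j] for row in rows)) % Q for j in range(n)]

def public_key(shares):
    """y = g^(s1 + ... + sn) mod p; unchanged by refresh."""
    return pow(G, sum(shares) % Q, P)

def mixed_epoch_key(old, new):
    """What is reconstructed from shares taken in different periods:
    servers 1 and 2 from the old epoch, server 3 from the new one."""
    return public_key([old[0], old[1], new[2]])

def run_epochs(names=("May", "June", "July")):
    shares = [secrets.randbelow(Q) for _ in range(3)]    # s1 + s2 + s3 = x mod q
    history = []
    for name in names:
        history.append((name, shares))
        shares = refresh(shares)
    return history
```

The separation between periods holds only if each server erases its old share and the r values it dealt and received once the refresh completes.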

Proactive RSA v out of v
• Cannot add “zero”
• But can split a share: s1 → s1,1, s1,2, s1,3 so that their sum is s1. REDISTRIBUTION PARADIGM
• Other servers do the same
• (Shares may grow over time (statistical imbalance), but are likely to grow slowly (random walk analysis).)

Proactive RSA [FGMY1] (principles only)
• Re-randomize the families:
[Figure: Family 1, shares s_1, s_2, s_3, s_4 sum up to d; sub-shares sum up to share s_1]

Continued
[Figure: Family 1, shares s_1, s_2, s_3, s_4 sum up to d; sub-shares sum up to share s_1 and to share s_2]

Continued
[Figure: Family 1, shares s_1, s_2, s_3, s_4 sum up to d; sub-shares sum up to each of the shares s_1 through s_4; the regrouped sub-shares form Family 2, which also sums up to d]

[Figure: Family 1 → new Family]
Generates a new family with a new form

t out of v from t out of t [FGMY-Cr97]
[Figure: committees, each summing up to d. Example: 3 out of 4 sharing, 1, , 4]
• This idea can be extended to allow other threshold access structures based on [B89, F89, AGY]
• The sum of shares in each family is the secret

Proactive Security - partial history
• Mobile Adversary for General function sharing [OY91]
• Proactive Pseudo-random generator [CH94]
• Proactive Secret Sharing [HJKY95]
• Proactive Public Key (Discrete Log Systems): [HJJKY96]
• Proactive Authenticated Communication [CHH97]
• Optimal Resilience [FGY focs97]
• Proactive RSA [FGMY97]

Other Issues
• Distributed key generation (and robust)…
• Improved efficiency of solutions for threshold, for proactive, etc.
• Note: this spread of risk is possible for a given architecture where I can have multitude (redundancy)

TYPE OF ADVERSARIES
• Mobile vs. Static (stationary) vs. Determined at start
• Non-adaptive: makes decisions based on internal strategy, or:
• Adaptive: makes decisions based on messages in the protocol
• Most deadly adversary: both dynamic and adaptive.

Conclusions
• Highly structured number-theoretic/algebraic problems may pose constraints due to security requirements (e.g., calculating mod φ(N)).
• When combined with a distributed setting, the problem may become even more challenging.
• Efficiency (practice) + distributed + security constraints
• Need for new algorithms and computational techniques (beyond the ones of the “completeness theorems”).
• Developed new “robustness” and “computational” methods (of perhaps independent interest).

Conclusions
• Techniques that distribute trust and avoid single points of security and availability failure are interesting
• The solutions employ distributed systems (which are usually considered the source of security problems) to achieve better security.