1. Further Simplifications in Proactive RSA Signatures
Stanisław Jarecki and Nitesh Saxena
School of Information and Computer Science
University of California, Irvine
02/12/05
Theory of Cryptography Conference (TCC)

2. Theory of Cryptography Conference (TCC)
Outline
Threshold Crypto, Proactive Signatures
Proactive RSA - related work
Rabin’s Scheme
URSA Scheme (and its insecurity)
Motivation
Proposed Proactive RSA Scheme
Tighter Analysis of Rabin’s Scheme
Open Problems
02/12/05
Theory of Cryptography Conference (TCC)

3. (t,n)-Threshold Cryptography
Due to Desmedt; Boyd; Croft and Harris; Desmedt and Frankel
Tool: Shamir’s Polynomial Secret Sharing
Motivation: to secure the cryptosystem against t (< n/2) corruptions
Split the secret d among n entities so that
any set of t+1 or more entities can recover the secret
an adversary who corrupts at most t entities, learns nothing about d
f(x) = S + a1x + a2x2 + … + at-1xt (mod q)
ssi = f(idi) (mod q)
SECURE
INSECURE
Polynomial interpolation:
for any G, s.t. |G|=t+1
02/12/05
Theory of Cryptography Conference (TCC)

4. Threshold and Proactive Signatures
Threshold Signatures
allow any set of t+1 entities to sign messages on behalf of the system
tolerate up to t corruptions in the lifetime of the system
Proactive Signatures
threshold signatures with increased resilience,
lifetime is divided into intervals
secret shares are updated
tolerate up to t corruptions in every interval
02/12/05
Theory of Cryptography Conference (TCC)

5. Theory of Cryptography Conference (TCC)
Types of Adversaries
Static
Adaptive/Dynamic
02/12/05
Theory of Cryptography Conference (TCC)

6. Applications of Proactive Signatures
Distributed Certification Authority, e.g., COCA
Time-stamping Service
Access control in peer-to-peer and mobile ad hoc networks, e.g., URSA
P2P
MANET
02/12/05
Theory of Cryptography Conference (TCC)

7. Examples of Proactive Signatures
Discrete-log based
DSA based;
Gennaro, et al. [EC’96] [IANDC’01]
Schnorr based
Gennaro, et al. [RSA Security’03]
BLS based
Boldyreva [PKC’03]
RSA based
Frankel, et al. [FOCS’97] [Crypto’97],
Rabin [Crypto’98]
Trusted Standard;
Faster Verification
02/12/05
Theory of Cryptography Conference (TCC)

8. Proactive RSA – Related Work (1/3)
Frankel, et al. [Crypto’97]
Does not achieve optimal threshold t < n/2
Combinatorial and thus not scalable
Frankel, et al. [FOCS’97]
02/12/05
Theory of Cryptography Conference (TCC)

9. Proactive RSA – Related Work (2/3)
Rabin [Crypto’98]
Main idea:
share RSA secret d additively over integers
share the additive shares polynomially over integers
Sign using additive share
Proactivize by shuffling and re-sharing additive shares.
Crash == malicious fault
Does not tolerate adaptive adversary
02/12/05
Theory of Cryptography Conference (TCC)

10. Proactive RSA – Related Work (3/3)
URSA: Ubiquitous and Robust Access Control
Luo, et al. [ICNP’01, ISCC’02, WCMC’02, ToN’04]
Main idea:
Share d polynomially in ZN
Sign using polynomial shares
Reconstruct sig by converting the equation in mod N into an equation in integers
No proof of security
Actually insecure; Jarecki, et al. [SASN’04]
Equation over integers leaks certain information about d
02/12/05
Theory of Cryptography Conference (TCC)

11. Motivation for the Proposed Scheme
Can we fix the URSA scheme to yield a proactive RSA
simpler?
more efficient?
crash ≠ malicious fault?
adaptively secure?
Yes
Yes
No/Open
No/Open
02/12/05
Theory of Cryptography Conference (TCC)

12. URSA Proactive RSA Scheme (1/3)
Setup
Dealer generates RSA private key d and public key (e, N)
Randomly picks polynomial f(x) of degree t
Member Mj is issued a secret share:
f(x) = d + a1x + a2x2 + … + atxt (mod N)
ssj = f(j) (mod N)
Signature generation (signing group G, |G|=t+1)
Polynomial interpolation:
, , where partial key:
Mj outputs partial signature:
Recall: RSA signature
s = md (mod N)
02/12/05
Theory of Cryptography Conference (TCC)

13. URSA Proactive RSA Scheme (2/3)
Signature reconstruction: from t+1
Since 
Try all (t+1) values of α , s.t. se = m (mod N)
Note: α is revealed
02/12/05
Theory of Cryptography Conference (TCC)

14. Problems with URSA Proactive RSA
Robustness; Narasimha, et al. [ICNP’03]
Shares are computed mod N
Regular verifiability mechanisms fail
No verifiability  No robustness
Insecure
Jarecki, et al. [SASN’04]
e.g., for t = 7, |N|=1024, e = ,
the attack recovers d in 163 rounds
02/12/05
Theory of Cryptography Conference (TCC)

15. Our Attack (example): Binary Search
t=1, n=2
Players M1, M2 , Signing group G={1,2}
Adversary A corrupts M1
Recall: d = d1 + d2 – αN
Signing protocol reveals α
If α = 0,  d = d1 + d2  d ≥ d1
o/w if α = 1,  d = d1 + (d2 - N)  d < d1
During proactive updates, A can choose ss1 s.t.
With every update round, the search interval is halved
Binary search recovers d in log2(N) rounds
Recall d1 = ss1l1 (mod N)
d N
02/12/05
Theory of Cryptography Conference (TCC)

16. The Proposed Scheme in a Nutshell
Share d additively over a large enough prime q
Share the shares polynomially using Pedersen’s VSS
Use additive shares to sign
Use URSA signature reconstruction
To detect faulty signers, use special purpose zero-knowledge proofs
Boudot [EC’00] & Camenisch and Michels [Crypto’99]
02/12/05
Theory of Cryptography Conference (TCC)

17. Theory of Cryptography Conference (TCC)
Set-up
Dealer d and (e, N) ; a prime q ≥ r2|N|+τ, g, h, p
Pick dj, dj’ ε Zq s.t
Share dj, dj’ using polynomials fj(z) and f’j(z) over Zq and publish the commitment to the polynomials as g f(z)hf’(z) mod p
Send di, di’, fj(i), fj’(i) to member Mi
02/12/05
Theory of Cryptography Conference (TCC)

18. Signature Generation & Reconstruction
Mj outputs partial signature:
Reconstruction:
02/12/05
Theory of Cryptography Conference (TCC)

19. Robustness during Signing
Signing with (dj + q) will also succeed this proof; gq = 1 (mod p)
Failure of signature reconstruction  at least a cheating signer
Detect by verifying each partial sig. sj
Equality of discrete log in two different groups
Using proofs by Damgard-Fujisaki-Okamoato; Camenish-Michels
Range of a committed number
Using proofs by Boudot; Damgard-Fujisaki-Okamoato
02/12/05
Theory of Cryptography Conference (TCC)

20. Theory of Cryptography Conference (TCC)
Proactive Update
Each Mj splits his old secret share dj additively into n subshares in Zq
Mi’s new share
02/12/05
Theory of Cryptography Conference (TCC)

21. Theory of Cryptography Conference (TCC)
Security Analysis: why top level additive sharing fixes the URSA scheme
Model: Existential Forgery in Chosen Message Attack
Theorem: If an adversary corrupting t players can CMA attack the new (FDH) proactive RSA scheme with probabilty β in time T  he can CMA attack the standard (FDH) RSA with probability β-2-τ in time T+ poly(n, |N|)
Proof: Using Simulation technique
Statistical difference is due to the probability difference of generating α value in the protocol and α value in the simulator
02/12/05
Theory of Cryptography Conference (TCC)

22. Comparison with Rabin’s Scheme
New Scheme
Sharing
Over integers
Over prime number
Additive Share size
[-nN2, nN2]
[0, rN2τ]
Coefficient size
[-nL2N3, nL2N3]
(L= n!)
In short, new scheme is
simpler
twice faster in signing
02/12/05
Theory of Cryptography Conference (TCC)

23. Tighter Analysis of Rabin’s
Original Simulation
Picking d1, d2,…, dn-1, uniformly at random from [-R,R], where R = nN2
Picking dpublic uniformly at random from [nR, nR+N]
Error
dpublic in protocol has normal dist.
dpublic in simulation has uniform dist
Immediately distinguishable
Corrected Simulation
Exactly as the protocol
In r rounds, statistical difference δ = rN/R
New share sizes R = rN2τ to make δ negligible
02/12/05
Theory of Cryptography Conference (TCC)

24. Theory of Cryptography Conference (TCC)
Related Open Problems
Can we fix the URSA scheme to yield a proactive RSA
crash ≠ malicious fault?
adaptively secure?
Can we have upper bounds on the security of URSA scheme
Upto how many rounds is it secure (if at all)
Upto how many signature operations it allows in every round
What threshold is it secure for (if at all)
02/12/05
Theory of Cryptography Conference (TCC)