Threshold RSA Cryptography


1 Threshold RSA Cryptography
Scott Anson CSEP590 Presentation

2 Overview: RSA Threshold Schemes
- Motivation
- Quick recap of threshold crypto basics
- Simple “N out of N” scheme
- k out of N scheme using trusted dealer
- Robust scheme with semi-trusted dealer
- Scheme that eliminates the trusted dealer for key and modulus distribution
January 17, 2019

3 Motivation for Threshold RSA
- The same motivation that normal threshold schemes share.
- Canonical example is the digital signature scheme, k of N executives check-signing
- Eliminate single point of failure for ultra-sensitive public cryptosystem data. For example, Root CA private key (and modulus factors)
- Allow a way for groups to communicate with each other, without requiring everyone to hold the private key, nor requiring everyone to cooperate.

4 Threshold Crypto Basics
- Recall Josh’s lecture on threshold schemes, Shamir’s secret sharing over finite field $Z_p = \{0, 1, \ldots, p-1\}$ where p is a prime
- RSA private data: (p, q, d); public: (e, n)
- TRSA(k,N): k users can apply private key d to a message, while k-1 cannot and…
- Phases: key distribution, partial signature computation, signature combination, verification

5 k = N scheme
Key generation phase:
- Dealer publishes (e, n).
- Dealer splits d into N shares s.t. $d = \sum_{i=1}^{N} d_i$ and distributes one share per member. Shares should be random.
Signature phase:
- Message to sign is m, each member computes $m^{d_i} \bmod n$ and submits to combiner
Combination phase:
- Combiner computes $\prod_{i=1}^{N} m^{d_i} \bmod n = m^{\sum_i d_i} \bmod n = m^{d} \bmod n$

6 k = N scheme
What’s not quite right with this scheme?
- Dealer is trusted for n = pq, and that p and q are erased.
- Dealer is trusted for random key shares that add up to d.
- Participants are trusted to correctly apply their share.
- But this scheme can work for applications like securing root CA key, where N is small.
- k=2, N=3 system example: Dealer splits d two different ways, $d = d_1 + d_2 = d_3 + d_4$. S1 gets $d_1$ and $d_3$, S2 gets $d_2$, S3 gets $d_1$ and $d_4$
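
The additive N-of-N scheme from slide 5 and the k=2, N=3 share layout from slide 6, as an added example that is not part of the original presentation. The toy primes, the reduction of shares mod φ(n), and all function names are assumptions of this example.

```python
import secrets
from itertools import combinations

# Constructed toy key, far too small for real use; only the dealer knows P, Q, PHI, D.
P, Q, E = 1009, 1013, 65537
N_MOD, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)

def split_additive(d, count):
    """Dealer: `count` random shares whose sum is congruent to d mod phi(n)."""
    shares = [secrets.randbelow(PHI) for _ in range(count - 1)]
    return shares + [(d - sum(shares)) % PHI]

def partial_sign(m, share):
    """Member: apply one key share, m^{d_i} mod n."""
    return pow(m, share, N_MOD)

def combine(partials):
    """Combiner: the product of the partials is m^{sum d_i} = m^d mod n."""
    sig = 1
    for part in partials:
        sig = sig * part % N_MOD
    return sig

def verify(m, sig):
    """Anyone: check the combined signature with the public key (e, n)."""
    return pow(sig, E, N_MOD) == m % N_MOD

def deal_2_of_3(d):
    """Slide 6 layout: d = d1 + d2 = d3 + d4; S1:{d1,d3}, S2:{d2}, S3:{d1,d4}."""
    (d1, d2), (d3, d4) = split_additive(d, 2), split_additive(d, 2)
    return {"S1": {"d1": d1, "d3": d3}, "S2": {"d2": d2}, "S3": {"d1": d1, "d4": d4}}

# Which share each server applies for a given pair, so the two always sum to d.
PLAN = {("S1", "S2"): ("d1", "d2"), ("S1", "S3"): ("d3", "d4"), ("S2", "S3"): ("d2", "d1")}

def sign_pair(m, holdings, a, b):
    use_a, use_b = PLAN[(a, b)]
    return combine([partial_sign(m, holdings[a][use_a]),
                    partial_sign(m, holdings[b][use_b])])

if __name__ == "__main__":
    m = 42
    shares = split_additive(D, 5)
    print("5 of 5 verifies:", verify(m, combine(partial_sign(m, s) for s in shares)))
    print("4 of 5 verifies:", verify(m, combine(partial_sign(m, s) for s in shares[:-1])))
    held = deal_2_of_3(D)
    for a, b in combinations(sorted(held), 2):
        print(a, b, "verifies:", verify(m, sign_pair(m, held, a, b)))
```

Every pair of servers can sign, but the dealer still sees d, p and q, and nothing here detects a member who submits a wrong partial signature.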

7 k ≤ N scheme with trusted dealer Desmedt & Frankel, 1992
- “pre-computation phase” for each grouping of k to cover the missing shares
- But can’t openly expose missing shares
- Solution is SSS, but SSS works over $Z_p$, and application to RSA is complicated since Lagrange interpolation modular inverses are over $Z_{pq}$ or variant, and pre-computation may expose info on p or q. Further, the inverses may not exist.
- DF proposal has dealer craft a special degree k-1 polynomial where f(0) = d-1, plus other constraints
- Creates key shares that have the inverses built in, allow precomputation stage to avoid them, and then the product of the partial shares resolves to the secret via Lagrange interpolation.
- DF final solution has cumbersome double-layering of SSS.

8 “k-1”-robust scheme with semi-trusted dealer, Rabin 1998
- Different from DF, uses additive key scheme (same as the k = N slide).
- Uses secret sharing to back up each key in the form of a k-1 degree polynomial, so that the k signing parties can determine the missing key shares.
- Broadcasts lots of witnesses for verification: $w_{d_i} = g^{d_i} \bmod n$, where $g = g_{rnd}^{(N!)^2} \bmod n$
- This witness is used in signature verification: the discrete log of the partial signature is shown to be equivalent to the discrete log of the witness

9 Robust scheme key share backup
- For each player i, who holds key share $d_i$ ($-Nn^2 \le d_i \le Nn^2$), dealer creates polynomial of degree k-1 for VSS scheme: $F_i(x) = a_{i,k-1}x^{k-1} + \ldots + a_{i,2}x^2 + a_{i,1}x + d_i \cdot N!$, coefficient values range from $(-N)(N!^2)(n^3)$ to $(N)(N!^2)(n^3)$
- Give player Pi the value f(i), for every player i.
- Create witnesses, $g^{a_{i,j}} \bmod n$ for EVERY coefficient, and broadcast them to all members of group. Call them $w_{i,j}$
- Verification: gf(i) ≡ ∏j=0 to k-1(x-j) (mod n)
- Rabin gives methods to handle cheating dealer or participant, and method to reconstruct key shares from backup.
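
A Feldman-style form of the witness check for one backed-up key share, as an added example that is not from the presentation or from Rabin's paper. The toy modulus, the coefficient bound, the exact shape of the check and all function names are assumptions of this example.

```python
import secrets
from math import factorial, gcd

# Constructed toy values (assumptions of this example, not Rabin's parameters).
N_MOD = 1009 * 1013        # RSA modulus n, toy size
PLAYERS, K = 5, 3          # N players, threshold k
L = factorial(PLAYERS)     # N!

def make_generator():
    """g = r^{(N!)^2} mod n for random r coprime to n; retry on the degenerate g = 1."""
    while True:
        r = secrets.randbelow(N_MOD - 2) + 2
        g = pow(r, L * L, N_MOD)
        if gcd(r, N_MOD) == 1 and g != 1:
            return g

def backup_share(d_i, g, bound=10**6):
    """Dealer: F_i(x) = a_{k-1} x^{k-1} + ... + a_1 x + d_i*N!, witnesses, and F_i(j) per player."""
    coeffs = [d_i * L] + [secrets.randbelow(2 * bound + 1) - bound for _ in range(K - 1)]
    witnesses = [pow(g, a, N_MOD) for a in coeffs]      # w_{i,t} = g^{a_{i,t}} mod n
    points = {j: sum(a * j**t for t, a in enumerate(coeffs))
              for j in range(1, PLAYERS + 1)}
    return witnesses, points

def check_point(g, witnesses, j, value):
    """Player j accepts F_i(j) only if g^{F_i(j)} == prod_t w_{i,t}^(j^t) mod n."""
    expected = 1
    for t, w in enumerate(witnesses):
        expected = expected * pow(w, j**t, N_MOD) % N_MOD
    return pow(g, value, N_MOD) == expected

if __name__ == "__main__":
    g = make_generator()
    witnesses, points = backup_share(d_i=-123456, g=g)
    print("honest:", all(check_point(g, witnesses, j, v) for j, v in points.items()))
    print("tampered F_i(2):", check_point(g, witnesses, 2, points[2] + 1))
```

Negative exponents rely on Python 3.8+ modular inverses, which exist here because g is coprime to n.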

10 What’s missing?
- Rabin shows how participants can enforce that the dealer is not cheating wrt passing out key shares, and that the participants aren’t cheating in forming their signatures
- And how a simple additive form distribution of keys can work with the missing shares being reconstructed via VSS
- But there is still a single point of failure: dealer can leak d, p or q. Dealer is still trusted.

11 Secure TRSA key generation Boneh and Franklin, 1997
High level view:
While (n is not a valid modulus)
  for each party i, pick random $p_i$ and $q_i$
  using modified-BGW version of SSS… create 3 polynomials, calculate tuples for each member, multiple sharings and interpolation results in $n = \sum_i p_i \cdot \sum_i q_i$
  conduct distributed Fermat test on n
  conduct more advanced tests that use crazy math
End
- There are a number of optimizations proposed to make up for how there is a $n^{-2}$ chance of correctly choosing p and q.

12 Secure TRSA key gen continued…
- They give a method* to generate key shares without a dealer by using their respective $p_i$ and $q_i$ values
- Uses multiple one-to-all broadcasts and computations that do not expose the $p_i$ or $q_i$ values
- Result is that the servers all have valid key shares but one
- That server’s share is only off by at most N, so a series of sample encryptions are run to correct its share value.
- k out of N schemes require combinatorial distribution approach or usage of Rabin’s backups
*using a protocol due to Benaloh

13 Conclusion
- Threshold RSA is theoretically possible, in a way that is more secure than single-party RSA, but not necessarily efficiently practical.
- RSA not as easily adaptable to threshold schemes as discrete log public crypto
- Some CAs already use Threshold RSA variants (Visa/MC)
- ITTC project at Stanford implements no-dealer approach.
- All techniques use variants on SSS

