
1 DISTRIBUTED CRYPTOSYSTEMS Moti Yung

2 Distributed Trust -- traditionally
• Secret sharing: linear sharing over a group (sum sharing) gives an n-out-of-n sharing of a secret.
• Threshold schemes [Shamir, Blakley]: use polynomial interpolation (or a geometric structure) to share with threshold t:
 – every group of t+1 parties can reconstruct the secret;
 – every group of up to t parties learns nothing about it.
• We EXTEND sharing of a secret to "SHARING A CAPABILITY".

3 SECRET SHARING (figure: shares s_1, s_2, …, s_v derived from the key)
• v out of v (additive) sharing: s_1 + … + s_v = key
• t out of v polynomial sharing [Blakley, Shamir]

4 Polynomial Sharing

5 Inefficient way: Secure Function Evaluation
• PART OF A SET OF PROTOCOLS
• Basic initial protocols:
 – Coin flipping [Blum]
 – Oblivious transfer [Rabin]
 – Mental poker [SRA]
• Given any polynomial-size circuit, compute it on secret inputs so that only the result becomes known [Yao, GMW, …].

6 Secure Distributed Computing [Yao, GMW] (figure: parties with secret inputs jointly compute P(Input))
General function compilers:
 1) are merely plausibility results;
 2) are grossly inefficient: communication complexity is linear in the function's circuit size.

7 Efficient Distributed Function Application (figure: servers holding s_1, s_2, …, s_v each act on Input; their partial results combine to P_key(Input))
• Function sharing [Boyd, CH, DF, F, DDFY]:
 – t+1 servers can compute P_key(Input); t cannot
 – no entity learns key after the function application
 – Robust: polynomial-time availability for any misbehaving minority of t servers

8 Proof of security
Given a regular (centralized) system (RSA, say), we say the distributed (threshold) system is secure if, given only the input/output relationships of the centralized system, we can "simulate" the distributed protocol that is used to generate the final output (signature, decrypted value, etc.).

9 ElGamal Distributed Decryption
• p = 2q+1 with q prime (exponents live in Z_q)
• g a generator of the subgroup of order q
• Private key x, public key y = g^x (mod p)
• x = s_1 + s_2 + s_3 (mod q); each server i holds s_i, i = 1, …, 3
• ElGamal:
 – Public key: p, q, g, y = g^x. Secret: x
 – To encrypt M choose a random r and send (A, B) = (g^r, M·y^r) (mod p)
 – To decrypt: next slide

10 To Decrypt
• Input: A, B
• Each server computes A^{s_1}, A^{s_2}, A^{s_3} (mod p).
• Combiner multiplies: A^{s_1} · A^{s_2} · A^{s_3} = A^{s_1+s_2+s_3} = A^x = (g^r)^x = (g^x)^r = y^r
• B / y^r = (y^r · M) / y^r = M (decrypted message)
To have a 2-out-of-3 scheme: every share is a point on a polynomial; before acting, each server multiplies its share by its Lagrange coefficient (which depends on who the other participating party is), and this linearizes the problem to the additive case above. This is possible because Z_q is a field (so the Lagrange coefficients, which involve inverses, can be computed).
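Both decryption variants on this slide, three servers with additive shares and 2-out-of-3 with Lagrange-weighted polynomial shares, as an added Python example that is not part of the original slides. The safe-prime group p = 2039, q = 1019, g = 4 is a constructed toy parameter set (far too small for real use), and the `rng` argument is an assumption introduced only so the behaviour can be reproduced; it is not part of the scheme.

```python
import secrets
from functools import reduce

# Constructed toy safe-prime group: p = 2q + 1, exponents live in Z_q.
P = 2039
Q = 1019
G = pow(2, 2, P)   # a quadratic residue != 1 generates the subgroup of order q


def keygen(rng=secrets.randbelow):
    """Private key x in [1, q-1], public key y = g^x mod p."""
    x = 1 + rng(Q - 1)
    return x, pow(G, x, P)


def encrypt(y, m, rng=secrets.randbelow):
    """(A, B) = (g^r, M * y^r) mod p for a fresh random r."""
    r = 1 + rng(Q - 1)
    return pow(G, r, P), m * pow(y, r, P) % P


def additive_shares(x, v, rng=secrets.randbelow):
    """v-out-of-v sharing: s_1 + ... + s_v = x (mod q)."""
    shares = [rng(Q) for _ in range(v - 1)]
    shares.append((x - sum(shares)) % Q)
    return shares


def shamir_shares(x, t, v, rng=secrets.randbelow):
    """(t+1)-out-of-v sharing: share i is f(i) for a random degree-t polynomial with f(0) = x."""
    coeffs = [x] + [rng(Q) for _ in range(t)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, v + 1)}


def lagrange_coeff(i, ids):
    """lambda_i for the participating set ids: sum(lambda_i * f(i)) = f(0) mod q.
    The division is possible because Z_q is a field (inverse via Fermat)."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, Q - 2, Q) % Q


def combine(B, partials):
    """Multiply the partial decryptions to obtain y^r, then strip it off B."""
    y_r = reduce(lambda a, b: a * b % P, partials, 1)
    return B * pow(y_r, P - 2, P) % P


def decrypt_additive(A, B, shares):
    """Every server raises A to its own share; the combiner never sees x."""
    return combine(B, [pow(A, s, P) for s in shares])


def decrypt_threshold(A, B, shares, ids):
    """Each participating server i raises A to lambda_i * s_i; the weighted exponents
    now sum to x, exactly as in the additive case (the 'linearisation' on the slide)."""
    partials = [pow(A, lagrange_coeff(i, ids) * shares[i] % Q, P) for i in ids]
    return combine(B, partials)


if __name__ == "__main__":
    x, y = keygen()
    A, B = encrypt(y, 1234)
    print(decrypt_additive(A, B, additive_shares(x, 3)))
    sh = shamir_shares(x, 1, 3)            # degree-1 polynomial: 2-out-of-3
    print(decrypt_threshold(A, B, sh, [1, 3]), decrypt_threshold(A, B, sh, [2, 3]))
```

Note that the Lagrange weighting is applied to the exponent before the server exponentiates, so the combiner only ever multiplies partials; nothing about x, or about any individual share, leaves a server.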

11 (t,v) threshold RSA
• P_key(m) = m^d mod n, key = (d, n)
• Transformed to: shares s_1, …, s_v held by v servers; on m each server produces a partial result and the partials are multiplied to give P_key(m) = m^d mod n
• Any t+1 out of v can sign m, non-interactively or in a few rounds

12 (v,v) threshold RSA – security proof outline
• P_key(m) = m^d mod n, key = (d, n)
• Transformed to: s_1 + s_2 + … + s_v = d; server i holds s_i and outputs m^{s_i} mod n; the product of the partials is m^d mod n
• Any v−1 of the shares are known to the adversary

13 Proof of security
• Server i outputs m^{s_i} mod n; m^{s_1} · … · m^{s_v} ≡ m^d (mod n)
• Simulation argument with input (m, m^d):
 – WLOG, let the ADVERSARY control servers 1 through v−1
 – generate s_1, …, s_{v−1} randomly
 – the remaining partial is forced: m^{s_v} = m^d / (m^{s_1} · … · m^{s_{v−1}}) mod n, so the adversary's whole view is simulated without ever knowing s_v
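Slides 12 and 13 in code, as an added example that is not part of the original slides: a (v,v) additive RSA sharing with the real signing protocol beside the simulator from the proof, so that the two can be compared on the same input. The RSA key (n = 61·53, e = 17, d = 2753) is the usual textbook toy and is a constructed assumption; the `rng` parameter is an injected assumption for reproducibility only.

```python
import secrets
from functools import reduce

# Constructed toy RSA key: textbook-sized, useless for real security.
P_RSA, Q_RSA = 61, 53
N = P_RSA * Q_RSA                 # 3233
PHI = (P_RSA - 1) * (Q_RSA - 1)   # 3120
E = 17
D = pow(E, -1, PHI)               # 2753, since 17 * 2753 = 1 mod 3120 (Python >= 3.8)


def deal_additive_shares(d, v, rng=secrets.randbelow):
    """(v,v) additive sharing: s_1 + ... + s_v = d (mod phi(n)).
    Only the dealer knows phi(n); the servers never see it."""
    shares = [rng(PHI) for _ in range(v - 1)]
    shares.append((d - sum(shares)) % PHI)
    return shares


def partial_signature(m, share):
    """What server i publishes: m^{s_i} mod n."""
    return pow(m, share, N)


def combine(partials):
    return reduce(lambda a, b: a * b % N, partials, 1)


def threshold_sign(m, shares):
    """The real protocol: product of all partials is m^{sum s_i} = m^d mod n."""
    return combine(partial_signature(m, s) for s in shares)


def verify(m, sig):
    return pow(sig, E, N) == m % N


def simulate_honest_partial(m, sig, adversary_shares):
    """The simulator of slide 13: given only (m, m^d mod n) and the v-1 shares the
    adversary controls, output server v's partial without knowing s_v.
    Requires gcd(m, n) = 1 so that the adversary's product is invertible mod n."""
    adv_product = combine(partial_signature(m, s) for s in adversary_shares)
    return sig * pow(adv_product, -1, N) % N


if __name__ == "__main__":
    shares = deal_additive_shares(D, 3)
    m = 42
    sig = threshold_sign(m, shares)
    print(sig, verify(m, sig))
    # Adversary holds shares 1..v-1; the simulated partial equals the honest one.
    print(simulate_honest_partial(m, sig, shares[:-1]) == partial_signature(m, shares[-1]))
```

The last line is the whole content of the proof: the honest server's message is a deterministic function of the public output and the adversary's own shares, so seeing it teaches the adversary nothing beyond m^d itself.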

14 Distributed Cryptosystems (Threshold Crypto) – Issues:
• Basic provably secure function sharing [89–90; 94: first provably secure RSA scheme, DDFY]
• Robust function sharing (assuring completion of the operation even if a subset misbehaves) [96 for RSA, DSA]
• Distributed key generation [for DLOG 91, RSA 97, 98]
• Proactive security (protection in the time domain) [OY 91 notion]
• ………

15 Proactive Public Key [HJJKY] (timeline figure: May, June, July)

16 Robust RSA system
• Server i publishes m^{s_i} mod n and g^{s_i} mod n together with a proof that the same exponent was used in both
• Check all proofs, then m^{s_1} · … · m^{s_v} ≡ m^d (mod n)
• Can use ZK proofs (expensive)
• Use robustness: a "witness" signature g^{s_i} on a public random g is made public once, and later partials are checked against it

17 Problems with t-out-of-v RSA
• Cannot interpolate: the inverses in the Lagrange coefficients live in the exponent domain (mod λ(n)), which must stay unknown, since knowing it allows factoring n
• Thus: how to get around interpolation (doing it over the integers, or in another extended domain) was a problem
• For proactive security: need to refresh shares over an unknown domain (no random sharing of zero as in Z_q) … to be discussed next

18 Proactive Public Key [HJJKY] (timeline figure: May, June, July)

19 PROACTIVE D-Log based system
• The parties have s_1, s_2, s_3 with s_1 + s_2 + s_3 = x, the key.
• To refresh, server 1 chooses r_{1,1} + r_{1,2} + r_{1,3} = 0 mod q: a distributed zero. ADD ZERO PARADIGM
• r_{1,1} stays with server 1, r_{1,2} goes to server 2, r_{1,3} to server 3.
• The other servers do the same.
• When each server adds the pieces of the distributed zeros it received:
 – any two shares from before are useless, and any two shares from now are useless (mixing old and new shares does not help either);
 – the value of the key is unchanged: x mod q.

20 Proactive RSA, v out of v
• Cannot add "zero" (the modulus of the exponent domain is unknown to the servers)
• But can split a share: s_1 → s_{1,1}, s_{1,2}, s_{1,3} so that their sum is s_1, and hand one piece to each server. REDISTRIBUTION PARADIGM
• The other servers do the same
• Shares may grow over time (statistical imbalance, but likely to grow slowly: random-walk analysis).
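The two refresh paradigms of slides 19 and 20 side by side, as an added Python example that is not part of the original slides: the add-zero refresh for additive DLOG shares in Z_q, and the split-and-redistribute refresh for additive RSA shares over the integers, where the sum stays exactly d but the magnitudes drift. The parameters (q = 1019, n = 61·53, d = 2753, piece range R = 500) and the injected `rng` are constructed assumptions.

```python
import secrets

# Constructed toy parameters: tiny and insecure, chosen only to make the arithmetic visible.
Q = 1019                 # prime order of the DLOG exponent group Z_q
N, D = 61 * 53, 2753     # toy RSA modulus and private exponent (e = 17)
R = 500                  # random pieces in the RSA split are drawn from [-R, R]


def zero_sharing(v, rng=secrets.randbelow):
    """A random sharing of zero mod q: the v pieces sum to 0 in Z_q."""
    pieces = [rng(Q) for _ in range(v - 1)]
    pieces.append((-sum(pieces)) % Q)
    return pieces


def refresh_dlog(shares, rng=secrets.randbelow):
    """ADD-ZERO paradigm: every server deals a distributed zero, piece j goes to
    server j, and each server adds what it received.  The sum x is unchanged."""
    v = len(shares)
    new = list(shares)
    for _ in range(v):                         # one distributed zero per server
        for j, piece in enumerate(zero_sharing(v, rng)):
            new[j] = (new[j] + piece) % Q
    return new


def split_integer(s, v, rng=secrets.randbelow):
    """Split an integer share into v pieces summing to s over the integers.
    No reduction is possible because phi(n) is unknown to the servers."""
    pieces = [rng(2 * R + 1) - R for _ in range(v - 1)]
    pieces.append(s - sum(pieces))
    return pieces


def refresh_rsa(shares, rng=secrets.randbelow):
    """REDISTRIBUTION paradigm: server i splits s_i, sends piece j to server j, and
    server j's new share is the sum of the pieces it received.  The total stays d
    exactly, while individual magnitudes perform a random walk."""
    v = len(shares)
    new = [0] * v
    for s in shares:
        for j, piece in enumerate(split_integer(s, v, rng)):
            new[j] += piece
    return new


def rsa_sign_with_shares(m, shares):
    """Product of the partials m^{s_i} mod n equals m^d mod n even when some s_i are
    negative: pow() with a negative exponent takes a modular inverse, so gcd(m, n) = 1
    is required."""
    sig = 1
    for s in shares:
        sig = sig * pow(m, s, N) % N
    return sig


def max_magnitude(shares):
    return max(abs(s) for s in shares)


if __name__ == "__main__":
    dlog = [10, 20, 30]
    print(refresh_dlog(dlog), sum(refresh_dlog(dlog)) % Q)
    rsa = [1000, 1000, 753]
    for epoch in range(5):
        rsa = refresh_rsa(rsa)
        print(epoch, sum(rsa) == D, max_magnitude(rsa))
```

Running the RSA loop for a few epochs shows the growth the slide warns about: the sum is always d, the signature still verifies, but the largest |share| tends to increase, which is why the full scheme needs a re-randomisation step that keeps shares bounded.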

21 Proactive RSA [FGMY1] (principles only)
• Re-randomize the families. Figure: Family 1 = s_1, s_2, s_3, s_4, summing up to d; s_1 is split into pieces that sum up to share s_1.

22 Continued. Figure: s_2 is likewise split into pieces that sum up to share s_2.

23 Continued. Figure: the pieces of s_3 and s_4 sum up to shares s_3 and s_4; adding the pieces column-wise (+ … =) gives Family 2, which again sums up to d.

24 Figure: Family 1 → new Family; the redistribution generates a new family with a new form.

25 t out of v from t out of t [FGMY-Cr97]
• Committees: the shares of each family sum up to d, and each share is held by a committee of servers.
• Example: 3 out of 4 sharing with two families of three shares; family 1 held by committees {1,2}, {3}, {4}; family 2 held by committees {1}, {2}, {3,4}.
• This idea can be extended to allow other threshold access structures based on [B89, F89, AGY]
• The sum of shares in each family is the secret
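An added Python check of the committee construction on this slide (not part of the original slides): it enumerates every server subset to confirm that the two families give a 3-out-of-4 access structure, and then signs with any three servers by picking a family they jointly cover. The committee layout ({1,2},{3},{4} and {1},{2},{3,4}) is read off the slide's figure text; the share values and the toy RSA key (n = 61·53, d = 2753) are constructed assumptions.

```python
from itertools import combinations

N, D = 61 * 53, 2753     # constructed toy RSA modulus and private exponent (e = 17)

# Two families of additive shares of d.  Each entry is (committee, share value):
# every member of the committee holds a copy of that share.  Values are hypothetical.
FAMILIES = [
    [((1, 2), 1000), ((3,), 1000), ((4,), 753)],
    [((1,), 500), ((2,), 1200), ((3, 4), 1053)],
]


def covers(family, servers):
    """True if the given server set holds at least one copy of every share of the family."""
    return all(any(s in servers for s in committee) for committee, _ in family)


def check_access_structure(families, v, t):
    """Threshold t: any t+1 servers must cover some family, and any t servers must
    miss at least one share of every family (so they cannot reconstruct or sign)."""
    for family in families:
        if sum(value for _, value in family) != D:
            raise ValueError("family does not sum to d")
    servers = range(1, v + 1)
    enough = all(any(covers(f, set(g)) for f in families)
                 for g in combinations(servers, t + 1))
    too_few = all(not covers(f, set(g))
                  for f in families for g in combinations(servers, t))
    return enough and too_few


def sign(m, families, servers):
    """Signing set picks a family it covers; for each share exactly one member of the
    share's committee contributes m^{share}.  Returns (signature, contributors) or
    None when the set is below threshold."""
    servers = set(servers)
    family = next((f for f in families if covers(f, servers)), None)
    if family is None:
        return None
    sig, contributors = 1, []
    for committee, share in family:
        contributor = next(s for s in committee if s in servers)   # one copy per share
        contributors.append(contributor)
        sig = sig * pow(m, share, N) % N
    return sig, contributors


if __name__ == "__main__":
    print(check_access_structure(FAMILIES, 4, 2))
    for group in combinations(range(1, 5), 3):
        print(group, sign(42, FAMILIES, group))
```

Dropping the second family breaks the structure (servers 1, 2, 3 then never hold a copy of the share guarded by {4}), which is the check a deployer should run before trusting a hand-built committee table.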

26 Proactive Security – partial history
• Mobile adversary for general function sharing [OY91]
• Proactive pseudo-random generator [CH94]
• Proactive secret sharing [HJKY95]
• Proactive public key (discrete-log systems) [HJJKY96]
• Proactive authenticated communication [CHH97]
• Optimal resilience [FGY FOCS97]
• Proactive RSA [FGMY97]

27 Other Issues
• Distributed key generation (and robust variants) …
• Improved efficiency of the solutions, for threshold, for proactive, etc.
• Note: this spread of risk is only possible for an architecture in which one can have a multitude of servers (redundancy)

28 TYPES OF ADVERSARIES
• Mobile vs. static (stationary) vs. determined at the start
• Non-adaptive: makes decisions based on an internal strategy, or:
• Adaptive: makes decisions based on the messages in the protocol
• Most deadly adversary: both mobile (dynamic) and adaptive.

29 Conclusions
• Highly structured number-theoretic/algebraic problems may pose constraints due to security requirements (e.g., calculating mod φ(N)).
• When combined with a distributed setting, the problem may become even more challenging.
• Efficiency (practice) + distributed + security constraints
• Need for new algorithms and computational techniques (beyond the ones of the "completeness theorems").
• Developed new "robustness" and "computational" methods (of perhaps independent interest).

30 Conclusions
• Techniques that distribute trust and avoid single points of security and availability failure are interesting.
• The solutions employ distributed systems (which are usually considered the source of security problems) to achieve better security.

