Threshold Cryptography

1

• Threshold Cryptography
• Panos

2
Papers presented

• Y. Desmedt. "Some recent research aspects of
  threshold cryptography." In E. Okamoto, G. I.
  Davida, and M. Mambo, editors, ISW '97
  Proceedings of the First International Workshop
  on Information Security, volume 1396 of Lecture
  Notes in Computer Science
• Y. Desmedt and Y Frankel, "Threshold
  Cryptosyste-ms." Proc. CRYPTO 89

3
Overview

• Other schemes
• Basic scheme
• An example (ElGamal)
• Properties (under research)
• Review

4
Threshold cryptography

• Secret sharing

5
Threshold cryptography

• Public Key

Bob
Alice
Valid
Invalid
Secret key(Bob) Public key(Bob)
Verification using Public key(Bob)
6
Threshold cryptography

• Problems with traditional public key
• Giving secret key to president of bank is a bad
  idea
• Bank wholesale transactions signed by
  2-out-of-n
• Parliament signature by majority
• Inexperienced signer
• Reorganization of company

7
Threshold Cryptography
Shamirs model trusted computer
Share Generation
T. S.
Sign
V I E W
Key
k shares
n shares .



1000
1111
8
Threshold Cryptography

• Problems Trusted computer sees k shares, which
  implies the secret key, so trusted computer
• can leak master key
• can modify message, no control by the signers
• can sign extra messages
• Should clearly be avoided.

9
Threshold Cryptography

• Threshold Cryptography Signatures

Co-sign
v i e w
Co-sign
10
Threshold Cryptography

• View of
• combiner
• nothing, i.e. can simulate view
• untrusted (k-1) insiders
• see uniformly random shares
• combiner and untrusted insiders combination

11
Basic Scheme

• Lets view the input to be signed as a parameter
• Homomorphic property
• Then n shareholders can sign an input message

12
Basic Scheme contd

• ki secret for each participant
• shadow in this context
• sharei ki after certain computations,
• modified shadow in this context
• input the message
• partial result or
  partial signature
• signature

13
Example (ElGamal)

• ElGamal encryption scheme
• - private key a
• publish ga as public
• - sender message M
• sender chooses random number k
• sends (gk, M gak)
• - receiver g-ak M gak M
• (mod p operations)

14
Example (ElGamal) contd

• - shares a1, a2, a3 such that aa1a2a3
• a is forgotten
• - each shareholder computes (gk)-ai as its
• partial result
• - so now receiver has the g-aik s and M gak
• - M gak (g-a1k g-a2k g-a3k)
• M gak g-(a1a2a3)k M gak g-ak
• M

15
Example (ElGamal-formal)

• ElGamal signatures
• ltg, p, Tgt public key p prime, T gSmod p
• S private key, Sm random number
• Tm gSm mod p
• d dig(mTm), m is message (input from
  previous slide)
• X Sm d S mod p
• Transmitted m, X, Tm
• Verified gX TmTd mod p

16
Example (ElGamal-formal) proof

• We know X Sm d S
• T gSmod p
• Tm gSm mod p
• Thus gX gSmdS gSm(gS)d Tm Td

17
Example (ElGamal-formal) contd

• Each shareholder has its
• Si secret (ki from previous slide) such that
• Ti giSi mod p
• random Sm,i? Tm,i giSm,i mod p
• di dig(mTm,i)
• Xi Sm,i di Si mod p
• (
  partial result from previous slide)
• by each shareholder m, Xi , Tm,i
• verified gX giX1 giX2giXn (Tm,1Ti
  d1)(Tm,2Ti d2)(Tm,nTi dn)
• (
  from previous slide)

18
Properties

• Reliability
• ke partial results shouldnt recover the
  partial signature
• Security
• no trusted dealer
• single trusted dealer to calculate shares should
  be avoided
• proactive security and generalization
• who issues new shares, share updates, destroy
  old ones?
• insiders anonymity
• ginput(sharei) shouldnt betray i
• Efficiency
• share length, shareholders number

19
Properties contd

• Generalization
• abstraction
• g not homomorphic (threshold DSS)

20
Review

• practical, non-interactive scheme
• k of n people have to participate
• verifier just has to know just the public key
• group oriented society