Threshold Cryptography - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

Threshold Cryptography

Description:

... Okamoto, G. I. Davida, and M. Mambo, editors, ISW '97: Proceedings of the First ... Giving secret key to president of bank is a bad idea ... – PowerPoint PPT presentation

Number of Views:1099
Avg rating:3.0/5.0
Slides: 18
Provided by: antibig
Category:

less

Transcript and Presenter's Notes

Title: Threshold Cryptography


1
  • Threshold Cryptography
  • Panos

2
Papers presented
  • Y. Desmedt. "Some recent research aspects of
    threshold cryptography." In E. Okamoto, G. I.
    Davida, and M. Mambo, editors, ISW '97
    Proceedings of the First International Workshop
    on Information Security, volume 1396 of Lecture
    Notes in Computer Science
  • Y. Desmedt and Y Frankel, "Threshold
    Cryptosyste-ms." Proc. CRYPTO 89

3
Overview
  • Other schemes
  • Basic scheme
  • An example (ElGamal)
  • Properties (under research)
  • Review

4
Threshold cryptography
  • Secret sharing

5
Threshold cryptography
  • Public Key

Bob
Alice
Valid
Invalid
Secret key(Bob) Public key(Bob)
Verification using Public key(Bob)
6
Threshold cryptography
  • Problems with traditional public key
  • Giving secret key to president of bank is a bad
    idea
  • Bank wholesale transactions signed by
    2-out-of-n
  • Parliament signature by majority
  • Inexperienced signer
  • Reorganization of company

7
Threshold Cryptography
Shamirs model trusted computer
Share Generation
T. S.
Sign
V I E W
Key
k shares
n shares .



1000
1111
8
Threshold Cryptography
  • Problems Trusted computer sees k shares, which
    implies the secret key, so trusted computer
  • can leak master key
  • can modify message, no control by the signers
  • can sign extra messages
  • Should clearly be avoided.

9
Threshold Cryptography
  • Threshold Cryptography Signatures

Co-sign
v i e w
Co-sign
10
Threshold Cryptography
  • View of
  • combiner
  • nothing, i.e. can simulate view
  • untrusted (k-1) insiders
  • see uniformly random shares
  • combiner and untrusted insiders combination

11
Basic Scheme
  • Lets view the input to be signed as a parameter
  • Homomorphic property
  • Then n shareholders can sign an input message

12
Basic Scheme contd
  • ki secret for each participant
  • shadow in this context
  • sharei ki after certain computations,
  • modified shadow in this context
  • input the message
  • partial result or
    partial signature
  • signature

13
Example (ElGamal)
  • ElGamal encryption scheme
  • - private key a
  • publish ga as public
  • - sender message M
  • sender chooses random number k
  • sends (gk, M gak)
  • - receiver g-ak M gak M
  • (mod p operations)

14
Example (ElGamal) contd
  • - shares a1, a2, a3 such that aa1a2a3
  • a is forgotten
  • - each shareholder computes (gk)-ai as its
  • partial result
  • - so now receiver has the g-aik s and M gak
  • - M gak (g-a1k g-a2k g-a3k)
  • M gak g-(a1a2a3)k M gak g-ak
  • M

15
Example (ElGamal-formal)
  • ElGamal signatures
  • ltg, p, Tgt public key p prime, T gSmod p
  • S private key, Sm random number
  • Tm gSm mod p
  • d dig(mTm), m is message (input from
    previous slide)
  • X Sm d S mod p
  • Transmitted m, X, Tm
  • Verified gX TmTd mod p

16
Example (ElGamal-formal) proof
  • We know X Sm d S
  • T gSmod p
  • Tm gSm mod p
  • Thus gX gSmdS gSm(gS)d Tm Td

17
Example (ElGamal-formal) contd
  • Each shareholder has its
  • Si secret (ki from previous slide) such that
  • Ti giSi mod p
  • random Sm,i? Tm,i giSm,i mod p
  • di dig(mTm,i)
  • Xi Sm,i di Si mod p
  • (
    partial result from previous slide)
  • by each shareholder m, Xi , Tm,i
  • verified gX giX1 giX2giXn (Tm,1Ti
    d1)(Tm,2Ti d2)(Tm,nTi dn)
  • (
    from previous slide)

18
Properties
  • Reliability
  • ke partial results shouldnt recover the
    partial signature
  • Security
  • no trusted dealer
  • single trusted dealer to calculate shares should
    be avoided
  • proactive security and generalization
  • who issues new shares, share updates, destroy
    old ones?
  • insiders anonymity
  • ginput(sharei) shouldnt betray i
  • Efficiency
  • share length, shareholders number

19
Properties contd
  • Generalization
  • abstraction
  • g not homomorphic (threshold DSS)

20
Review
  • practical, non-interactive scheme
  • k of n people have to participate
  • verifier just has to know just the public key
  • group oriented society
Write a Comment
User Comments (0)
About PowerShow.com