Title: Sharing DSS by the Chinese Remainder Theorem
1Sharing DSS by the Chinese Remainder Theorem
- Kamer Kaya, Ali Aydın Selçuk
- Department of Computer Engineering
- Bilkent University
- Ankara, 06800 Turkey
- November 16, 2008
2Outline
- Introduction
- Digital Signature Standard (DSS)
- Asmuth-Bloom Secret Sharing Scheme
- Sharing DSS
- Conclusion
- References
3Introduction (1/2)
- Threshold cryptography deals with the problem of
- Sharing a highly sensitive secret among a group of n users
- The secret can be reconstructed only when a sufficient number t of users come together
- Another problem threshold cryptography deals with is the function sharing problem
4Introduction (2/2)
- A function sharing scheme (FSS) requires
- Distributing the function's computation according to the underlying SSS
- Each part of the computation can be carried out by a different user
- The partial results can be combined to yield the function's value without disclosing individual secrets
5Digital Signature Standard (1/6)
- The Digital Signature Standard (DSS) is the current U.S. standard for digital signatures
- There are three phases in DSS
- Key Generation Phase
- Signing Phase
- Verification Phase
6Digital Signature Standard (2/6)
- Key Generation phase
- Let p and q be large prime numbers where q | (p-1)
- be an element of order q
- The private key is chosen randomly
- The public key is computed
7Digital Signature Standard (3/6)
- Signing Phase
- The signer first chooses a random ephemeral key
- Then computes the signature (r,s) where
- For a hashed message
8Digital Signature Standard (4/6)
- Verification phase
- The signature (r,s) is verified by checking
- Where s-1 is computed in
9Digital Signature Standard (5/6)
- ?
- Substitute , we have
- So, whether ??
10Digital Signature Standard (6/6)
11Asmuth-Bloom Secret Sharing scheme (1/10)
- There are two phases in the Asmuth-Bloom SSS
- Dealer Phase
- Combiner Phase
12Asmuth-Bloom Secret Sharing scheme (2/10)
- Dealer phase
- Let d be the secret to be shared
- n be the number of users
- t be the threshold value
- Let m0 < m1 < m2 < ... < mn be relatively prime integers such that d < m0
13Asmuth-Bloom Secret Sharing scheme (3/10)
- Let M denote . The dealer computes y = d + A*m0 where A is a random positive integer such that y < M.
- The share of the ith user is yi = y mod mi
14Asmuth-Bloom Secret Sharing scheme (4/10)
- Combiner phase
- Let S be a coalition of t users gathered to construct the secret
- Let MS denote
- Let MS\i denote and MS,i be the multiplicative inverse of MS\i in Zmi
- i.e.,
15Asmuth-Bloom Secret Sharing scheme (5/10)
- First, the ith user computes
- The users first compute
- Then obtain the secret d by computing
- d = y mod m0
16Asmuth-Bloom Secret Sharing scheme (6/10)
- Arithmetic properties of AB SSS
- The notation to denote a (t,n)-SSS with secret d and shares (y1, y2, ..., yn)
- Suppose multiple secrets are shared with common parameters t, n, and moduli mi's.
17Asmuth-Bloom Secret Sharing scheme (7/10)
- Proposition 1
- Let d1, d2, ..., dl be secrets shared by AB-SSS with common parameters t, n, and moduli mi's, for some l < m0.
- Let yij be the share of the ith user for secret dj. Then for and
- We have
18 19Asmuth-Bloom Secret Sharing scheme (8/10)
- Proof 2
- For , we have
- Note that , for any coalition S where .
- Hence, a coalition S of t+1 users can construct and
20Asmuth-Bloom Secret Sharing scheme (9/10)
- Proposition 3
- Let d1, d2 be secrets shared by AB-SSS with common parameters t, n and mi's.
- Let yij be the share of the ith user for secret dj
- Then, for and
- We have
21Asmuth-Bloom Secret Sharing scheme (10/10)
- Proof 4
- For , we have
- Note that , for any coalition S where
- Hence, a coalition S of 2t users can construct and obtain
22- Dealer phase
- k = 2, n = 3, d < m0
- d = 9, m0 = 11, m1 = 123, m2 = 131, m3 = 133
- (2,3) AB-SSS, y = 9 + (20)11 = 229
23- Combiner phase
- Let S = {U1, U3},
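
The dealer and combiner phases above, run on the slide's own numbers (d = 9, m0 = 11, moduli 123, 131, 133, A = 20), as an added Python example that is not part of the original slides. The function names, the second secret and A = 1400 are constructed, and M is assumed to be the product of the t smallest moduli (the usual Asmuth-Bloom bound, since the slide's definition did not survive); add_shares shows the share-wise addition behind Proposition 1 and why the sum needs a coalition of t+1 users.

```python
from math import prod

M0 = 11                   # m0 from the slide; the secret d lives in Z_m0
MODULI = [123, 131, 133]  # m1 < m2 < m3 from the slide, pairwise coprime
T = 2                     # threshold
M = prod(MODULI[:T])      # assumed bound on y: product of the t smallest moduli

def deal(d, A):
    """Dealer phase: y = d + A*m0 with y < M; user i receives y mod m_i.
    A is passed in for reproducibility; a real dealer draws it at random."""
    y = d + A * M0
    if not (0 <= d < M0 and A > 0 and y < M):
        raise ValueError("need 0 <= d < m0, A > 0 and y < M")
    return [y % m for m in MODULI]

def combine(shares):
    """Combiner phase. shares maps a 1-based user index to that user's share."""
    mods = {i: MODULI[i - 1] for i in shares}
    MS = prod(mods.values())
    y = 0
    for i, yi in shares.items():
        rest = MS // mods[i]                # M_{S\i}
        inv = pow(rest, -1, mods[i])        # inverse of M_{S\i} in Z_{m_i}
        y = (y + yi * inv * rest) % MS      # CRT accumulation
    return y % M0                           # d = y mod m0

def add_shares(a, b):
    """Each user adds its two shares locally, modulo its own m_i."""
    return [(x + y) % m for x, y, m in zip(a, b, MODULI)]

if __name__ == "__main__":
    s = deal(9, 20)                          # slide example: y = 229
    print(s, combine({1: s[0], 3: s[2]}))    # coalition {U1, U3}
    # Constructed case: two secrets whose y values sum past m1*m2.
    z = add_shares(deal(9, 1400), deal(7, 1400))
    print(combine({1: z[0], 2: z[1], 3: z[2]}))  # t+1 users: (9 + 7) mod 11
    print(combine({1: z[0], 2: z[1]}))           # only t users: wrong value
```
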
24Sharing DSS (1/14)
- Joint Random Secret Sharing (JOINT-RSS)
- Let S denote the signing coalition of size 2t+2
- Each user chooses a random secret and shares it as where yij is the share of the ith user
25Sharing DSS (2/14)
- Each user chooses a random secret and shares it as where yij is the share of the ith user
- The ith user computes . By proposition 1, is a valid SSS for assuming n < m0
26Sharing DSS (3/14)
- Threshold DSS scheme
- Key Generation phase
- Let be the private signature key.
- The dealer sets m0 = q and shares
- Signing phase
- To sign a hashed message , the signing coalition S of size 2t+2 first computes by JOINT-EXP-INVERSE
27Sharing DSS (4/14)
- To compute , each user computes
- by proposition 3, and s is computed by 2t+2 partial signatures
- Verification phase
- Same as the standard DSS verification
28Sharing DSS (5/14)
- Note that anyone can forge signatures if he knows k for a valid signature (r,s)
- Hence, must be computed in such a way that no one obtains k
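
Why the ephemeral key has to stay hidden, shown on toy parameters as an added Python example that is not part of the original slides; it also runs the signing and verification phases from the DSS slides. The parameters p = 23, q = 11, g = 2, the key and message values, and the names alpha, beta and key_from_ephemeral are constructed, and the equations are assumed to be those of standard DSA.

```python
# Toy DSS parameters (constructed): q | p-1 and g = 2 has order q in Z_p^*.
P, Q, G = 23, 11, 2

def keygen(alpha):
    """Public key beta = g^alpha mod p for private key alpha."""
    return pow(G, alpha, P)

def sign(alpha, w, k):
    """Sign hashed message w with private key alpha and ephemeral key k."""
    if not 0 < k < Q:
        raise ValueError("k must lie in [1, q-1]")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (w + alpha * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another k")
    return r, s

def verify(beta, w, r, s):
    """Accept iff r == (g^(w/s) * beta^(r/s) mod p) mod q."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    s_inv = pow(s, -1, Q)                   # s^-1 is computed in Z_q
    v = pow(G, w * s_inv % Q, P) * pow(beta, r * s_inv % Q, P) % P
    return v % Q == r

def key_from_ephemeral(w, r, s, k):
    """s = k^-1 (w + alpha*r) mod q has a single unknown once k is known."""
    return (s * k - w) * pow(r, -1, Q) % Q

if __name__ == "__main__":
    alpha, w, k = 7, 5, 3                   # constructed sample values
    beta = keygen(alpha)
    r, s = sign(alpha, w, k)
    print((r, s), verify(beta, w, r, s))
    # One valid signature plus its k gives back the long-term private key.
    print(key_from_ephemeral(w, r, s, k) == alpha)
```
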
29Sharing DSS (6/14)
- The Dealer
- Choose m0, m1, m2, ..., mn
- Set m0 = q, choose p as a large prime where q | (p-1),
- By JOINT-RSS,
- Send yi to user i respectively where
- as public key
[Figure: the dealer sends shares y1, y2, y3 to users U1, U2, U3]
30Sharing DSS (7/14)
- Let S be a coalition of size 2t+2 that wants to sign a hashed message w. Each user
- Chooses and randomly
- Shares the aj and kj by
- For , distributes the shares aij and kij to user i respectively
[Figure: users U1, U2, U3 send each other the shares (aij, kij)]
31Sharing DSS (8/14)
- Each user computes
- After that, they will try to construct v = ak from shares vi = ai ki
32Sharing DSS (9/14)
- Signing phase
- Let be a set of t+1 users. Each user computes
33Sharing DSS (10/14)
- After that, broadcast
- The approximate value for g^a mod p is computed as
- But
[Figure: users U1, U2, U3 broadcast f1,a, f2,a, f3,a to one another]
34Sharing DSS (11/14)
- S corrects fa through the following correction procedure
- Let be a set of t+1 users. Each user computes
- After that, broadcast
[Figure: users U1, U2, U3 broadcast the pairs (fi,k, fi,ak) to one another]
35Sharing DSS (12/14)
- Then, fk and fak are computed as
- Where for some
36Sharing DSS (13/14)
- S checks the following equality for all
- Note that
37Sharing DSS (14/14)
- We need to find ( ) that satisfies this equality
- Once is found can be computed
- The signing coalition S computes
38Conclusion
- In this paper, the authors investigated how to share the signing function used in the DSS by using AB-SSS
- They proposed a t-out-of-n threshold signature scheme based on the Chinese Remainder Theorem