Sharing DSS by the Chinese Remainder Theorem

1
Sharing DSS by the Chinese Remainder Theorem

• Kamer Kaya, Ali Aydm Selcuk
• Department of Computer Engineering
• Bilkent University
• Ankara, 06800 Turkey
• November 16, 2008

2
Outline

• Introduction
• Digital Signature Standard (DSS)
• Asmuth-Bloom Secret Sharing Scheme
• Sharing DSS
• Conclusion
• References

3
Introduction (1/2)

• Threshold cryptography deals with the problem of
  
• Sharing a highly sensitive secret among a group
  of n users
• The secret can be reconstructed only when a
  sufficient t users come together
• Another problem of threshold cryptography deal
  with is the function sharing problem

4
Introduction (2/2)

• A function sharing scheme (FSS) requires
• Distributing the functions computation according
  to the underlying SSS
• Each part of the computation can be carried out
  by a different users
• The partial results can be combined to yield the
  functions value without disclosing individual
  secrets

5
Digital Signature Standard (1/6)

• The Digital Signature Standard (DSS) is the
  current U.S. standard for the digital signature
• There have three phases in DSS
• Key Generation Phase
• Signing Phase
• Verification Phase

6
Digital Signature Standard (2/6)

• Key Generation phase
• Let p and q be large prime number where qp-1
• be an element of order q
• The private key is chosen randomly
• The public key is computed

7
Digital Signature Standard (3/6)

• Signing Phase
• The signer first chooses a random ephemeral key
• Then computes the signature (r,s) where
• For a hashed message

8
Digital Signature Standard (4/6)

• Verification phase
• The signature (r,s) is verified by checking
• Where s-1 is computed in

9
Digital Signature Standard (5/6)

• ?
• Substitute
  , we have
• So, whether ??

10
Digital Signature Standard (6/6)

• From right hand side,

11
Asmuth-Bloom Secret Sharing scheme (1/10)

• There have two phases in the Asmuth-Bloom SSS
• Dealer Phase
• Combiner Phase

12
Asmuth-Bloom Secret Sharing scheme (2/10)

• Dealer phase
• Let d be the secret to be shared
• n be the number of users
• t be the threshold value
• Let m0ltm1ltm2ltltmn be relatively prime integers
  such that dltm0

13
Asmuth-Bloom Secret Sharing scheme (3/10)

• Let M denote . The dealer computes y
  d Am0 where A is a random positive integer such
  that y lt M.
• The share of the ith user is yi y mod mi

14
Asmuth-Bloom Secret Sharing scheme (4/10)

• Combiner phase
• Let S be a coalition of t users gathered to
  construct the secret
• Let Ms denote
• Let MS\i denote and MS,i be the
  multiplicative inverse of MS\i in Zmi
• i.e.,

15
Asmuth-Bloom Secret Sharing scheme (5/10)

• First, the ith user computes
• The users first compute
• Then obtain the secret d by computing
• d y mod m0

16
Asmuth-Bloom Secret Sharing scheme (6/10)

• Arithmetic properties of AB SSS
• The notation to
  denote a (t,n)-SSS with secret d and shares
  (y1, y2,,yn)
• Suppose multiple secrets are shared with common
  parameters t, n, and moduli mis.

17
Asmuth-Bloom Secret Sharing scheme (7/10)

• Proposition 1
• Let d1,d2,..,dl be secrets shared by AB-SSS with
  common parameters t, n, and moduli mis, for some
  l lt m0.
• Let yij be the share of the ith user for secret
  dj. Then for and
• We have

18

• l 5, n4

19
Asmuth-Bloom Secret Sharing scheme (8/10)

• Proof 2
• For , we have
  
• Note that , for any coalition S
  where .
• Hence, a coaliton S of t1 users can construct
  and

20
Asmuth-Bloom Secret Sharing scheme (9/10)

• Proposition 3
• Let d1,d2 be secret shared by AB-SSS with common
  parameter t, n and mis.
• Let yij be the share of the ith user for secret
  dj
• Then, for and
• We have

21
Asmuth-Bloom Secret Sharing scheme (10/10)

• Proof 4
• For , we have
• Note that , for any coalition
  S where
• Hence, a coalition S of 2t users can construct
  and obtain

22

• Dealer phase
• k2, n3, dltm0
• d 9 , m0 11, m1 123, m2 131, m3 133
• (2,3) AB-SSS, y 9 (20)11 229

23

• Combiner phase
• Let S U1,U3,

24
Sharing DSS (1/14)

• Joint Random Secret Sharing (JOINT-RSS)
• Let S denotes the signing coalition 2t2
• Each user choose a random secret
  and shares it as
  where yij is the share
  of the ith user

25
Sharing DSS (2/14)

• Each user choose a random secret
  and shares it as
  where yij is the share
  of the ith user
• The ith user computes .
  By proposition 1, is a
  valid SSS for assuming
  nltm0

26
Sharing DSS (3/14)

• Threshold DSS scheme
• Key Generation phase
• Let be the private signature key.
• The dealer set m0q and shares
• Signing phase
• To sign a hashed message , the signing
  coalition S of size 2t2 first computes
  by JOINT-EXP-INVERSE

27
Sharing DSS (4/14)

• To compute , each user
  computes
• by proposition 3, and s is
  computed by 2t2 partial signatures
• Verification phase
• Same as the standard DSS verification

28
Sharing DSS (5/14)

• Note that anyone can forge signatures if he knows
  k for a valid signature (r,s)
• Hence, must be
  computed in a way no one obtain k

29
Sharing DSS (6/14)

• The Dealer
• Choose m0, m1,m2,,mn
• Set m0 q, choose p as a large prime where
  qp-1,
• By JOINT-RSS,
• Send yi to user i respectively where
• as public key

Dealer
y3
y1
y2
U1
U2
U3
30
Sharing DSS (7/14)

• Let S be a coalition of size 2t2 want to sign a
  hashed message w, Each user
• Choose and randomly
• Shares the aj and kj by
• For , distribute the share aij and kij to
  user i respectively

U1
a13,k13
a31,k31
U3
a21,k21
a12,k12
a32,k32
a23,k23
U2
31
Sharing DSS (8/14)

• Each user computes
• After that, they will try to construct vak from
  shares viaiki

32
Sharing DSS (9/14)

• Signing phase
• For be a set of t1 users. Each
  user computes

33
Sharing DSS (10/14)

• After that, broadcast
• The approximate value for ga mod p is computed as
  
• But

U1
f3,a
f1,a
U3
f1,a
f2,a
f2,a
f3,a
U2
34
Sharing DSS (11/14)

• S corrects fa through the following correction
  procedure
• Let be a set of t 1 users. Each
  user compute
• After that, broadcast

U1
f3,k,f3,ak
f1,k,f1,ak
U3
f1,k,f1,ak
f2,k,f2,ak
f2,k,k2,ak
f3,k,f3,ak
U2
35
Sharing DSS (12/14)

• Then, fk and fak are computed as
• Where for some

36
Sharing DSS (13/14)

• S checks the following equality for all
• Note that

37
Sharing DSS (14/14)

• We need to find ( ) that
  satisfies this equality
• Once is found
  can be computed
• The signing coalition S compute

38
Conclusion

• In this paper, the authors investigated how to
  share the signing function used in the DSS by
  using AB-SSS
• They proposed a t-out-of-n threshold signature
  scheme based on the Chinese Remainder Theorem

39
References

• 1 C. Asmuth and J. Bloom. A modular approach to
  key safeguarding. IEEE Trans. Information Theory,
  29(2)208210, 1983.
• 2 G. Blakley. Safeguarding cryptographic keys.
  In Proc. of AFIPS National Computer Conference,
  1979.
• 3 Y. Desmedt and Y. Frankel. Threshold
  cryptosystems. In Proc. of CRYPTO'89,volume 435
  of LNCS, pages 307315. Springer-Verlag, 1990.
• 4 Y. Desmedt and Y. Frankel. Shared generation
  of authenticators and signatures. In Proc. of
  CRYPTO'91, volume 576 of LNCS, pages 457469.
  Springer-Verlag,1992.
• 5 R. Gennaro, S. Jarecki, H. Krawczyk, and T.
  Rabin. Robust threshold DSS signatures.
  Information and Computation, 164(1)5484, 2001.
  6
• 6 K. Kaya and A. A. Selcuk. Threshold
  cryptography based on Asmuth-Bloom secret
  sharing. Information Sciences, 177(19)41484160,
  2007.
• 7 A. De Santis, Y. Desmedt, Y. Frankel, and M.
  Yung. How to share a function securely? In Proc.
  of STOC94, pages 522533, 1994.
• 8 A. Shamir. How to share a secret? Comm. ACM,
  22(11)612613, 1979.
• 9 V. Shoup. Practical threshold signatures. In
  Proc. of EUROCRYPT 2000, volume 1807 of LNCS,
  pages 207220. Springer-Verlag, 2000.