
2.4 Distributed Security Mechanisms

2.4.7 Threshold Cryptography

The approach of reconstructing the secret s is not secure if it is not reconstructed at a trusted entity. Therefore, other approaches were developed. These approaches enable the generation of distributed signatures: a coalition of shareholders generates partial signatures using their shares of a shared private key and sends these partial signatures to the signature requester. The requester combines these partial signatures to obtain the final signature. Some approaches are presented in (FGMY97b, FGMY97a, JS05, Sho00, Rab98, GJKR01, HJJK97). A few of these (FGMY97b, JS05, Rab98) apply additive sharing. However, this would imply that all private key shares must be generated at system setup. This is not applicable to peer-to-peer systems, where no trusted central authority exists. Therefore, such schemes are not further considered.

The threshold cryptography presented so far is specific to the example cryptographic scheme previously presented in this chapter. We now turn to a different scheme, the frequently discussed RSA-based threshold signature scheme.

2.4.7.1 RSA Threshold Cryptography Fundamentals

The assumption is that some shareholders share a private RSA key d using Shamir's secret sharing scheme and have to sign a message m. Therefore, the following steps are performed.

• The shareholders are requested to sign a message m, which requires that a coalition of k shareholders communicate and distribute their indexes.

• Each shareholder $P_i$ computes a partial key $k_i$ using the summand of Equation 2.3 (see Equation 2.6).

$k_i = s_i \prod_{j=1,\, j \neq i}^{k} \frac{-j}{i - j}$ (2.6)

• With these partial keys $k_i$, each shareholder computes a partial signature $\mathrm{sig}_{s_i} = m^{k_i} \bmod N$ and sends this message secretly to the requester of the decryption task (see Figure 2.6).

• The requester receives the k partial signatures $\mathrm{sig}_{s_i}(m)$ and multiplies them to decrypt the message (see Equation 2.7).

$\mathrm{sig}(m) = \prod_{i=1}^{k} \mathrm{sig}_{s_i}(m) \bmod N = \prod_{i=1}^{k} m^{k_i} \bmod N = \prod_{i=1}^{k} m^{s_i \prod_{j=1,\, j \neq i}^{k} \frac{-j}{i - j}} \bmod N = m^{\sum_{i=1}^{k} s_i \prod_{j=1,\, j \neq i}^{k} \frac{-j}{i - j}} \bmod N = m^{d} \bmod N$ (2.7)

It is possible that the shareholders only compute the partially signed message $m^{s_i}$. These messages are then sent together with the indexes i to the requester. The requester can then choose any k messages to generate the final decrypted message. Only the Lagrange coefficient $\lambda_i = \prod_{j=1,\, j \neq i}^{k} \frac{-j}{i - j}$ of the corresponding partial message $m^{s_i}$ has to be generated, and ms can be created (see Equation 2.8).

Figure 2.6: Threshold signature without revealing the secret

$ms = \prod_{i=1}^{k} (m^{s_i})^{\lambda_i} \bmod N$ (2.8)

For many years, threshold cryptography seemed not to be applicable to RSA-based cryptography. This is due to the negative or non-natural numbers in the exponent of the RSA threshold signature that are created by the Lagrange interpolation (see e.g. (DF89)).

If the Lagrange coefficient is negative, one has to compute the modular inverse of m. This can be done efficiently if the message m and the RSA modulus N are relatively prime (see (Buc03)). However, to compute the exponentiation of a message $m^{a/b} \bmod N$, one has to compute a root modulo N. The only way to compute this root is to know $\varphi(N) = (p - 1)(q - 1)$ (see (Buc03)). This requires knowledge of the primes p and q, which must remain secret. Therefore, one has to avoid fractions in the exponent. Several possibilities to accomplish this exist (FGMY97a, Sho00, LKZ+04). However, these options generate additional problems. Either they apply additive secret sharing, or they use a different method, first presented by Frankel et al. in (FGMY97a), which is presented below.

2.4.7.2 Frankel’s RSA-based Threshold Cryptography Scheme (Summary)

The scheme of (FGMY97a) can be applied to both polynomial secret sharing (Section 2.4.4.1) and additive secret sharing (Section C.2.1.2). The principle is to avoid the non-natural numbers of the Lagrange coefficients by multiplying the exponent with the factorial n!, where n is the total number of shares issued. This way, non-natural numbers in the exponent are avoided. Details about Frankel's threshold scheme are given in Appendix C.2.2.5.

Summary

Although this scheme circumvents the problem of negative or non-natural numbers in the exponent, it has a limitation that prohibits its application in large distributed anonymous systems. In order to avoid non-natural numbers in the Lagrange coefficients, one has to compute the factorial of the number of shareholders. This is feasible for threshold groups of up to around 100 shareholders, but not for threshold groups with thousands of shareholders. Accordingly, this scheme can be applied in server-based environments like COCA (ZSvR02). However, it is not suited for large p2p systems.

2.4.7.3 Further RSA-based Threshold Signature Schemes

As in (FGMY97a), the same problem exists in the RSA-based threshold cryptography scheme presented in (Sho00). This scheme additionally enables the verification of the shares.

The only scheme that seems applicable to large autonomous distributed systems was presented by Luo and Kong in (KZL+01, LKZ+04). This scheme will be called “URSA” in the following.

2.4.7.4 URSA: RSA-based Threshold Cryptography Scheme

A protocol to provide ubiquitous and robust access control (URSA) in mobile ad hoc networks without a centralised authority is presented in (LKZ+04).

Initialisation Phase

The dealer D generates the RSA parameters (RSA modulus N, public key e, private key d) and creates a random polynomial f(x) of degree k − 1 with f(0) = d. Then the shares $s_i = f(i) \bmod N$ are computed. In general this phase is similar to Shamir's secret sharing (Section 2.4.4.1), except that the shares are reduced modulo the RSA modulus N.

Reconstruction Phase

In contrast to the RSA sharing schemes presented in Section 2.4.7.1, this scheme is not limited to a small number of shareholders. This is achieved by introducing the “k-bounded offsetting algorithm” to reconstruct the secret.

To create a signature, k shareholders have to cooperate and generate the partial signatures using Equation 2.9 and then send these signatures to the signature requester.

$\mathrm{sig}_{s_i}(m) = m^{\left(s_i \prod_{j=1,\, j \neq i}^{k} \frac{-j}{i - j}\right) \bmod N} \bmod N$ (2.9)

To reconstruct the final signature, the requester multiplies the received signatures. However, as Equation 2.10 shows, the resulting signature is not equal to the final signature, because the summation of the exponents is not reduced modulo N.

$\mathrm{sig}_s(m) = \prod_{i=1}^{k} \mathrm{sig}_{s_i}(m) \bmod N = m^{\sum_{i=1}^{k} \left(s_i \prod_{j=1,\, j \neq i}^{k} \frac{-j}{i - j} \bmod N\right)} \bmod N = m^{d + tN} \bmod N \neq m^{d} \bmod N$ (2.10)

To eliminate the factor $m^{tN}$, the range of values of $s_i \prod_{j=1,\, j \neq i}^{k} \frac{-j}{i - j} \bmod N$ has to be considered. These values lie in the interval $[0, \ldots, N - 1]$ and thus the value of the parameter t is in the set {0, 1, . . . , k}. To reconstruct the final message, the requester multiplies $m^{d + tN}$ with $m^{-N}$ as long as the resulting message cannot be decrypted with the public key e to the original message m (see Equation 2.11). At most k attempts are needed (α = {0, 1, . . . , k}); otherwise a partial signature is false.

Summary

URSA circumvents the issues of other RSA-based threshold cryptography schemes by introducing the "k-bounded offsetting algorithm". Thus, this is the first threshold cryptography scheme which is actually applicable in large p2p systems. Still, for RSA keys the distributed generation of a new key is very expensive in terms of traffic. Therefore, DSA-based threshold cryptography schemes are discussed next, since there distributed key generation is much more efficient (see above).

2.4.7.5 DSA Threshold Cryptography

Basics

The Digital Signature Algorithm (DSA), also known as Digital Signature Standard (DSS), is based on the El Gamal signature scheme (Gam85) and was approved in 1994 by the National Institute of Standards and Technology (NIST) (Nat94).

DSA uses three system-wide parameters p, q, g. Parameter q is a 160-bit prime number, p is a large prime number such that q divides (p − 1), and g is an element of order q in $\mathbb{Z}_p^*$. As the private key, users select a random integer $x \in \mathbb{Z}_q$. The corresponding public key computes to $y = g^x \pmod p$.

For signing a message m, the signee picks a random number $k \in \mathbb{Z}_q$ and calculates as the signature the pair (r, s) with $r = (g^{k^{-1}} \pmod p) \bmod q$ and $s = k(m + xr) \bmod q$.

In order to verify a signature, the verifier computes $r' = \left((g^{m s^{-1}} y^{r s^{-1}}) \bmod p\right) \bmod q$. The signature verifies if $r' = r$.

Threshold DSA

Threshold DSA was presented by Gennaro in (GJKR01). Similar to threshold RSA, Shamir's secret sharing is applied. A trusted dealer selects the system parameters p, q, g and a random polynomial $f(x) = s + \alpha_1 x + \alpha_2 x^2 + \ldots + \alpha_{k-1} x^{k-1}$ over $\mathbb{Z}_q$, where s = x. For each participant $P_i$ the trusted dealer computes the secret share $x_i$ with $x_i = f(id_i) \bmod q$.

If VSS should be applied, the trusted dealer publishes the verification values $V_k = g^{\alpha_k}$ for $k \in [0, t - 1]$. Using Joint Secret Sharing this process can be performed without a trusted dealer. In that case, 3t − 2 founding members are required.

To generate a threshold DSA signature for a requester R using 2t signees, the signees first run two instances of Joint Secret Sharing, which is a variant of Pedersen's Secret Sharing (see Section 2.4.5.1), in order to generate individual shares $k_i$ and $a_i$ of the random numbers k and a. Then, the signees run two instances of Joint Zero Secret Sharing in order to generate shares $b_i$ and $c_i$ of 0. Verification values are calculated and distributed in order to apply Verifiable Secret Sharing and to ensure that all $k_i$, $a_i$, $b_i$, and $c_i$ are consistent.

Now each $P_j$ computes $v_j = k_j a_j + b_j \bmod q$ and $w_j = g^{a_j} \bmod p$ and sends these values to the other signees. Each signee then computes locally

$\mu = \sum_{i=1}^{2t} (k_i a_i + b_i) \prod_{j=1,\, j \neq i}^{2t} \frac{-x_j}{x_i - x_j} \bmod q$ and $\beta = g^{a} \bmod p = \prod_{i=1}^{t} w_i^{\prod_{j=1,\, j \neq i}^{t} \frac{-x_j}{x_i - x_j}}$.

With this they compute $r = \beta^{\mu^{-1}} \bmod p \bmod q$ and send the partial signatures $s_i = k_i(m + x_i r) + c_i \bmod q$ and r to the requester R.

The requester computes $s = \sum_{i=1}^{2t} s_i \prod_{j=1,\, j \neq i}^{2t} \frac{-x_j}{x_i - x_j} \bmod q$.

Evaluation

Distributed key generation of DSA keys is much more efficient than that of RSA keys. However, it is obvious that threshold DSA generates significantly more traffic for signing a document than threshold RSA. In DSA, at least 2t signees have to participate, because two polynomials of degree t − 1 are multiplied with each other. Therefore, the communication complexity between the signees is $O((2t)^2)$, whereas it is O(t) for RSA-based signing. Thus, for p2p systems this trade-off has to be evaluated carefully and depends on the number of required signees.

2.4.7.6 Threshold Schnorr

The Schnorr signature scheme (Sch91) is a variant of the El Gamal scheme, which is also applied in DSA. The corresponding threshold scheme was presented in (GJKR03). It is more efficient than the DSA threshold scheme. However, the proof of security requires additive secret sharing rather than polynomial secret sharing. Thus, Schnorr's scheme does not meet the requirements of this dissertation.

2.4.7.7 Threshold BLS

A signature scheme based on the Computational Diffie-Hellman assumption was presented in (BLS01, BLS04) by Boneh, Lynn, and Shacham (BLS). The BLS scheme produces signatures of half the length of DSA signatures. The corresponding threshold scheme was presented in (Bol03).

BLS Signature Scheme Basics

The BLS signature scheme is a short signature scheme and is based on Elliptic Curves and Pairing-Based Cryptography. This is based on the concept of bilinear maps with two groups $G_1$ and $G_2$ of prime order q. $G_1$ is generated by g. A private key is a number $x \in_R \mathbb{Z}_q^*$. The corresponding public key is given by $y = g^x$, an element in group $G_1$. Further, H is a hash function $H : \{0, 1\}^* \to G_1$ that maps binary strings to non-zero points in $G_1$.

The signature σ on a message m is $\sigma = H(m)^x$ (in $G_1$).

In order to verify a signature, it must be checked whether (g, y, H(m), σ) is a Diffie-Hellman quadruple. This is the case if $e(g, \sigma) = e(y, H(m))$, where $e : G_1 \times G_1 \to G_2$ is a bilinear mapping.

Threshold BLS

The Threshold BLS scheme presented in (Bol03) applies (GJKR99) (see Section 2.4.6.1) to generate the shares $x_i$ of the private key x. For each $x_i$ the validation values $B_i = g^{x_i}$ can be calculated in order to verify the shares.

To generate a signature for a message m, each of t participants $P_i$ computes $\sigma_i = H(m)^{x_i}$ and sends it to the requester. The requester can verify the received partial signatures by checking the Decisional Diffie-Hellman predicate $V_{DDH}(g, B_i, H(m), \sigma_i) = 1$. The requester then combines the partial signatures to the final signature by computing $\sigma = \prod_{i=1}^{t} \sigma_i^{L_i}$, where $L_i$ is the Lagrange coefficient.

Summary

Threshold BLS is another threshold cryptography scheme that can be applied to p2p systems. It has several advantages compared to RSA-based and DSA-based threshold schemes. As in RSA, the signing process has a message complexity of O(t); thus it is significantly more efficient than threshold DSA during the signing process. Further, BLS keys are based on simple random numbers; thus the distributed key generation is significantly more efficient than for RSA keys. Another advantage is its short signatures. Therefore, its signatures create less traffic overhead than RSA and DSA signatures. However, there is a drawback: threshold BLS is computationally intensive (cf. (STY07)), i.e., it is not suited for small devices with little processing power.