Upload
jocelyn-fowler
View
217
Download
1
Tags:
Embed Size (px)
Citation preview
CT-RSA'03 1
Two-Efficient and Provably Secure Schemes for Server-
Assisted Threshold Signatures
Ravi Sandhu
Joint work with Shouhuai Xu
CT-RSA'03 2
Roadmap
• Motivation
• Cryptographic preliminaries
• First scheme: TPAKE-HTSig
• Second scheme: LW-TSig
• Related work
CT-RSA'03 3
Motivation
• Modern cryptography is “key-centric”
Rivest-Shamir-Adleman have no “short cut” in breaking RSARSA
• But you can generate Rivest’s digital signatures once you compromised his private key
This has no counterpart in handwriting signatures
• Since compromise will inevitably happen, one can only expect “second to the best”
Minimize the damage
CT-RSA'03 4
Motivation
• So how to protect the private signing keys (or functions)
conveniently
cheaply
efficiently
CT-RSA'03 5
Our Approach
• Assume a set of (>2) servers provide service (e.g., for economic incentives) like threshold signing
• Differ from standard threshold signing
only a user can invoke her signing function
compromise of a user’s machine does not necessarily mean her signing function is compromised (i.e., the adversary may still unable to invoke the servers)
compromise of a threshold number of servers does not necessarily mean her signing function is compromised
CT-RSA'03 6
Our Approach
• The core underlying our approach is some convenient, cheap, efficient mechanisms whereby the servers collaboratively authenticate a user
threshold password authenticated key exchange (e.g., [MacKenzie et al. Crypto’02])
symmetric key-based authentication (e.g., MAC)
• Don’t confuse “server-added signature” (which is motivated to provide better efficiency) with our “server-assisted signature” (which is motivated to provide better security)
though they do overlap sometimes
CT-RSA'03 7
Roadmap
• Motivation
• Cryptographic preliminaries
• First scheme: TPAKE-HTSig
• Second scheme: LW-Tsig
• Related work
CT-RSA'03 8
Cryptographic Preliminaries
• Message authentication code (MAC)
secure against adaptive chosen message attack
• Signature scheme (Sig.Init, Sig.Sig, Sig.Ver)
secure against adaptive chosen message attack
we are interested in a class of signature schemes that have efficient distributed version
CT-RSA'03 9
Cryptographic Preliminaries
• Threshold Signature scheme (TSig.Init, TSig.Sig, TSig.Ver)
secure against adaptive chosen message attack
• 2-party Signature scheme (2Sig.Init, 2Sig.Sig, 2Sig.Ver)
secure against adaptive chosen message attack
• Hybrid-Threshold Signature scheme, which is a composition of TSig and 2Sig, consists of (HTSig.Init, HTSig.Sig, HTSig.Ver)
a user splits her private key X into two shares X1, X2
the user holds X1 as in 2Sig
the user shares X2 among the servers as in TSig
CT-RSA'03 10
Cryptographic Preliminaries
• Threshold Password-Authenticated Key Exchange scheme (TPAKE.Init, TPAKE.Login)
a user shares her password among servers via TPAKE.Init
a user authenticates herself to the servers via TPAKE.Login, which may also output a fresh session key with each server
TPAKE.Login is secure against off-line dictionary attack
compromise of no more than a threshold number of servers does not make the password subject to off-line dictionary attack
the first TPAKE is due to [MacKenzie et al. Crypto’02]
CT-RSA'03 11
Roadmap
• Motivation
• Cryptographic preliminaries
• First scheme: TPAKE-HTSig
• Second scheme: LW-Tsig
• Related work
CT-RSA'03 12
First Scheme: TPAKE-HTSig
• TPAKE-HTSig is a composition of TPAKE and HTSig
• Idea is simple
Run a TPAKE to authenticate a user and generate a fresh session key that is common to the user and each individual server
The servers authenticate signing requests using the session keys; the signing operation is similar to TSig.Sig
The user obtains a signature as in 2Sig.Sig
CT-RSA'03 13
TPAKE-HTSig
MACkey1(m)
MACkey2(m)
MACkeyn(m)
…
server 1
server 2
server n
partial signature 1
partial signature 2
partial signature n
TPAKE.Login outputs key1
TPAKE.Login outputs key2
TPAKE.Login outputs keyn
CT-RSA'03 14
TPAKE-HTSig: another look
TPAKE
glue: session key based authentication
HTSig
CT-RSA'03 15
TPAKE-HTSig
• Some comments
We give a specification of TPAKE, so any scheme (e.g., more efficient than [MSJ02]) satisfying it can plug-and-play
DLOG based HTSig can pug-and-play in TPAKE-HTSig
RSA-based HTSig is more subtle
[Shoup Eurocrypt’00] scheme cannot be used unless one assume that no threshold number of servers are compromised
[Rabin Crypto’98] scheme can be used, but need additional care
CT-RSA'03 16
Roadmap
• Motivation
• Cryptographic preliminaries
• First scheme: TPAKE-HTSig
• Second scheme: LW-TSig
• Related work
CT-RSA'03 17
Second Scheme: LW-TSig
• LW-TSig stands for Light-Weight server-assisted Threshold Signatures
• Idea is simple
a user holds (say) a smartcard
she shares her private key among the servers, as in TSig
she shares a symmetric key with each server
invocation of signing function is based on MACs
CT-RSA'03 18
LW-TSigMACkey1(m)
MACkey2(m)
MACkeyn(m)…
server 1
server 2
server n
partial signature 1
partial signature 2
partial signature n
CT-RSA'03 19
LW-TSig
• Some comments
a smartcard does not need a cryptographic co-processor
communication between a smartcard and the servers can be done via a signature receiver
CT-RSA'03 20
Roadmap
• Motivation
• Cryptographic preliminaries
• First scheme: TPAKE-HTSig
• Second scheme: LW-Tsig
• Related work
CT-RSA'03 21
Related Work
• Instead of comparing our work with the related works one-by-one, we present a taxonomytaxonomy of systems protecting private systems protecting private signing functionssigning functions
• The taxonomy is based on
user storage mediauser storage media: human-memory (for password), soft-token, hard-token, soft- & hard-token
number of runtime key-sharesnumber of runtime key-shares: 1, 2, >2
CT-RSA'03 22
Taxonomy
1
2
>2
human-memory
soft-token hard-tokensoft- & hard-token
number of runtimeruntime key-shares
downloading
• a user downloads (say, to a public computer) her private key stored at some remote server(s)
• password-based authenticated key exchange (for session key) u
ser storage med
ia
CT-RSA'03 23
Taxonomy
1
2
>2
human-memory
soft-token hard-tokensoft- & hard-token
number of runtimeruntime key-shares
downloading
a user utilizes a password to activate multiple remote servers to generate a threshold signature
special case of TPAKE-HTSig
downsized (password, >2)
user storage m
edia
CT-RSA'03 24
Taxonomy
1
2
>2
human-memory
soft-token hard-tokensoft- & hard-token
number of runtimeruntime key-shares
downloading
special case of TPAKE-HTSig
Two types of systems: • password-protected private key (a
variant can block off-line dictionary attack if public keys are kept secret)
• forward-security: compromising today’s private key does not mean compromising yesterday's private key
downsized (password, >2)
(soft-token,1)
user storage m
edia
CT-RSA'03 25
Taxonomy
1
2
>2
human-memory
soft-token hard-tokensoft- & hard-token
number of runtimeruntime key-shares
downloading
special case of TPAKE-HTSig
• password-based authentication• composition of two-party and
threshold signaturesdownsized (password, >2)
(soft-token,1)
TPAKE-HTSig
downsized TPAKE-HTSig
user storage m
edia
CT-RSA'03 26
Taxonomy
1
2
>2
human-memory
soft-token hard-tokensoft- & hard-token
number of runtimeruntime key-shares
downloading
special case of TPAKE-HTSig
downsized (password, >2)
(soft-token,1)
TPAKE-HTSig
downsized TPAKE-HTSig
traditional
LW-TSig
downsized LW-TSig
a user invokes a set of remote servers via symmetric authentication
user storage m
edia
CT-RSA'03 27
Taxonomy
1
2
>2
human-memory
soft-token hard-tokensoft- & hard-token
number of runtimeruntime key-shares
downloading
special case of TPAKE-HTSig
downsized (password, >2)
(soft-token,1)
TPAKE-HTSig
downsized TPAKE-HTSig
traditional
LW-TSig
downsized LW-TSig
key-insulation/ intrusion-resilience
• compromise of today’s private key does not mean compromise of yesterday’s or tomorrow’s private key
• even if soft-token and hard-token are compromised simultaneously, forward-security is still ensured
user storage m
edia
CT-RSA'03 28
Taxonomy
1
2
>2
human-memory
soft-token hard-tokensoft- & hard-token
number of runtimeruntime key-shares
user storage m
edia
downloading
special case of TPAKE-HTSig
downsized (password, >2)
(soft-token,1)
TPAKE-HTSig
downsized TPAKE-HTSig
traditional
LW-TSig
downsized LW-TSig
key-insulation/ intrusion-resilience
extension to TPAKE-HTSig and LW-TSig
two-party signatures
CT-RSA'03 29
Questions?
CT-RSA'03 30
Q & A
• Our constructions are obtained via modular composition, but our security analysis method is more specific
Canetti’s is more general
• Why [Shoup Eurocrypt’00] cannot be used?
An adversary compromising a threshold number of servers can obtain X2. Since [S00] requests that the public exponent corresponding to X2 be public, the adversary can factor the user’s RSA modulus.
CT-RSA'03 31
Q & A
• What care we need for [Rabin Crypto’98]?
If [MSJ02] TPAKE is used, we need another layer of invocation that a threshold number of servers activates all the servers. This is specific to [MSJ02], though.
Denial-of-service attack is appropriately dealt with; otherwise, the secret share of a server under denial-of-service attack is interpolated and could make the threshold protection meaningless.