
CT-RSA'03 1

Two Efficient and Provably Secure Schemes for Server-Assisted Threshold Signatures

Ravi Sandhu

Joint work with Shouhuai Xu


CT-RSA'03 2

Roadmap

• Motivation

• Cryptographic preliminaries

• First scheme: TPAKE-HTSig

• Second scheme: LW-TSig

• Related work


CT-RSA'03 3

Motivation

• Modern cryptography is “key-centric”

Rivest, Shamir and Adleman themselves have no “short cut” for breaking RSA

• But you can generate Rivest’s digital signatures once you have compromised his private key

This has no counterpart in handwriting signatures

• Since compromise will inevitably happen, one can only hope for the “second best”:

minimize the damage


CT-RSA'03 4

Motivation

• So how to protect the private signing keys (or functions)

conveniently

cheaply

efficiently


CT-RSA'03 5

Our Approach

• Assume a set of (>2) servers provides a service such as threshold signing (e.g., for economic incentives)

• This differs from standard threshold signing:

only the user can invoke her signing function

compromise of a user’s machine does not necessarily mean her signing function is compromised (i.e., the adversary may still be unable to invoke the servers)

compromise of a threshold number of servers does not necessarily mean her signing function is compromised


CT-RSA'03 6

Our Approach

• At the core of our approach are convenient, cheap and efficient mechanisms whereby the servers collaboratively authenticate a user:

threshold password-authenticated key exchange (e.g., [MacKenzie et al. Crypto’02])

symmetric key-based authentication (e.g., MAC)

• Don’t confuse “server-aided signatures” (motivated by better efficiency) with our “server-assisted signatures” (motivated by better security),

though they do overlap sometimes


CT-RSA'03 7

Roadmap

• Motivation

• Cryptographic preliminaries

• First scheme: TPAKE-HTSig

• Second scheme: LW-TSig

• Related work


CT-RSA'03 8

Cryptographic Preliminaries

• Message authentication code (MAC)

secure against adaptive chosen message attack

• Signature scheme (Sig.Init, Sig.Sig, Sig.Ver)

secure against adaptive chosen message attack

we are interested in the class of signature schemes that have efficient distributed versions


CT-RSA'03 9

Cryptographic Preliminaries

• Threshold Signature scheme (TSig.Init, TSig.Sig, TSig.Ver)

secure against adaptive chosen message attack

• 2-party Signature scheme (2Sig.Init, 2Sig.Sig, 2Sig.Ver)

secure against adaptive chosen message attack

• Hybrid-Threshold Signature scheme, which is a composition of TSig and 2Sig, consists of (HTSig.Init, HTSig.Sig, HTSig.Ver)

a user splits her private key X into two shares X1, X2

the user holds X1 as in 2Sig

the user shares X2 among the servers as in TSig


CT-RSA'03 10

Cryptographic Preliminaries

• Threshold Password-Authenticated Key Exchange scheme (TPAKE.Init, TPAKE.Login)

a user shares her password among servers via TPAKE.Init

a user authenticates herself to the servers via TPAKE.Login, which may also output a fresh session key with each server

TPAKE.Login is secure against off-line dictionary attack

compromise of no more than a threshold number of servers does not make the password subject to off-line dictionary attack

the first TPAKE is due to [MacKenzie et al. Crypto’02]


CT-RSA'03 11

Roadmap

• Motivation

• Cryptographic preliminaries

• First scheme: TPAKE-HTSig

• Second scheme: LW-TSig

• Related work


CT-RSA'03 12

First Scheme: TPAKE-HTSig

• TPAKE-HTSig is a composition of TPAKE and HTSig

• Idea is simple

Run a TPAKE to authenticate a user and generate a fresh session key that is common to the user and each individual server

The servers authenticate signing requests using the session keys; the signing operation is similar to TSig.Sig

The user obtains a signature as in 2Sig.Sig


CT-RSA'03 13

TPAKE-HTSig

[Diagram: TPAKE.Login outputs key1, key2, …, keyn; the user sends MACkey1(m), MACkey2(m), …, MACkeyn(m) to server 1, server 2, …, server n; each server i returns partial signature i]


CT-RSA'03 14

TPAKE-HTSig: another look

[Diagram: TPAKE on top, HTSig below, joined by the glue of session key based authentication]


CT-RSA'03 15

TPAKE-HTSig

• Some comments

We give a specification of TPAKE, so any scheme satisfying it (e.g., one more efficient than [MSJ02]) can be plugged in

DLOG-based HTSig can be plugged into TPAKE-HTSig directly

RSA-based HTSig is more subtle:

the [Shoup Eurocrypt’00] scheme cannot be used unless one assumes that no threshold number of servers is compromised

the [Rabin Crypto’98] scheme can be used, but needs additional care


CT-RSA'03 16

Roadmap

• Motivation

• Cryptographic preliminaries

• First scheme: TPAKE-HTSig

• Second scheme: LW-TSig

• Related work


CT-RSA'03 17

Second Scheme: LW-TSig

• LW-TSig stands for Light-Weight server-assisted Threshold Signatures

• Idea is simple

a user holds (say) a smartcard

she shares her private key among the servers, as in TSig

she shares a symmetric key with each server

invocation of the signing function is based on MACs


CT-RSA'03 18

LW-TSig

[Diagram: the user sends MACkey1(m), MACkey2(m), …, MACkeyn(m) to server 1, server 2, …, server n; each server i returns partial signature i]


CT-RSA'03 19

LW-TSig

• Some comments

a smartcard does not need a cryptographic co-processor

communication between a smartcard and the servers can be done via a signature receiver


CT-RSA'03 20

Roadmap

• Motivation

• Cryptographic preliminaries

• First scheme: TPAKE-HTSig

• Second scheme: LW-TSig

• Related work


CT-RSA'03 21

Related Work

• Instead of comparing our work with the related works one-by-one, we present a taxonomy of systems protecting private signing functions

• The taxonomy is based on

user storage media: human-memory (for password), soft-token, hard-token, soft- & hard-token

number of runtime key-shares: 1, 2, >2


CT-RSA'03 22

Taxonomy

Axes: user storage media (human-memory, soft-token, hard-token, soft- & hard-token) by number of runtime key-shares (1, 2, >2)

downloading

• a user downloads (say, to a public computer) her private key stored at some remote server(s)

• password-based authenticated key exchange (for session key)


CT-RSA'03 23

Taxonomy (same axes: user storage media by number of runtime key-shares)

downloading

downsized (password, >2): a user utilizes a password to activate multiple remote servers to generate a threshold signature

special case of TPAKE-HTSig


CT-RSA'03 24

Taxonomy (same axes: user storage media by number of runtime key-shares)

downloading

downsized (password, >2): special case of TPAKE-HTSig

(soft-token, 1): two types of systems

• password-protected private key (a variant can block off-line dictionary attacks if public keys are kept secret)

• forward-security: compromising today’s private key does not mean compromising yesterday’s private key


CT-RSA'03 25

Taxonomy (same axes: user storage media by number of runtime key-shares)

downloading

downsized (password, >2): special case of TPAKE-HTSig

(soft-token, 1)

TPAKE-HTSig and downsized TPAKE-HTSig

• password-based authentication

• composition of two-party and threshold signatures


CT-RSA'03 26

Taxonomy (same axes: user storage media by number of runtime key-shares)

downloading

downsized (password, >2): special case of TPAKE-HTSig

(soft-token, 1)

TPAKE-HTSig, downsized TPAKE-HTSig

traditional

LW-TSig and downsized LW-TSig: a user invokes a set of remote servers via symmetric authentication


CT-RSA'03 27

Taxonomy (same axes: user storage media by number of runtime key-shares)

downloading

downsized (password, >2): special case of TPAKE-HTSig

(soft-token, 1)

TPAKE-HTSig, downsized TPAKE-HTSig

traditional

LW-TSig, downsized LW-TSig

key-insulation / intrusion-resilience

• compromise of today’s private key does not mean compromise of yesterday’s or tomorrow’s private key

• even if soft-token and hard-token are compromised simultaneously, forward-security is still ensured


CT-RSA'03 28

Taxonomy (same axes: user storage media by number of runtime key-shares)

downloading

downsized (password, >2): special case of TPAKE-HTSig

(soft-token, 1)

TPAKE-HTSig, downsized TPAKE-HTSig

traditional

LW-TSig, downsized LW-TSig

key-insulation / intrusion-resilience

extension to TPAKE-HTSig and LW-TSig

two-party signatures


CT-RSA'03 29

Questions?


CT-RSA'03 30

Q & A

• Our constructions are obtained via modular composition, but our security analysis method is more specific

Canetti’s is more general

• Why can [Shoup Eurocrypt’00] not be used?

An adversary compromising a threshold number of servers can obtain X2. Since [S00] requires that the public exponent corresponding to X2 be public, the adversary can factor the user’s RSA modulus.


CT-RSA'03 31

Q & A

• What care do we need for [Rabin Crypto’98]?

If the [MSJ02] TPAKE is used, we need another layer of invocation in which a threshold number of servers activates all the servers. This is specific to [MSJ02], though.

Denial-of-service attacks must be dealt with appropriately; otherwise, the secret share of a server under denial-of-service attack gets interpolated, which could make the threshold protection meaningless.