
CT-RSA'03: Two Efficient and Provably Secure Schemes for Server-Assisted Threshold Signatures. Ravi Sandhu, joint work with Shouhuai Xu. (Presentation transcript)


2 Roadmap
- Motivation
- Cryptographic preliminaries
- First scheme: TPAKE-HTSig
- Second scheme: LW-TSig
- Related work

3 Motivation
- Modern cryptography is key-centric.
- RSA: Rivest, Shamir and Adleman themselves have no shortcut for breaking RSA.
- But you can generate Rivest's digital signatures once you have compromised his private key.
- This has no counterpart in handwritten signatures.
- Since compromise will inevitably happen, one can only hope for second best: minimize the damage.

4 Motivation
- So how do we protect private signing keys (or signing functions) conveniently, cheaply and efficiently?

5 Our Approach
- Assume a set of (>2) servers provides a service (e.g., for economic incentives) such as threshold signing.
- This differs from standard threshold signing:
  - only the user can invoke her signing function;
  - compromise of the user's machine does not necessarily mean her signing function is compromised (the adversary may still be unable to invoke the servers);
  - compromise of a threshold number of servers does not necessarily mean her signing function is compromised.

6 Our Approach
- The core of our approach is a convenient, cheap and efficient mechanism by which the servers collaboratively authenticate a user:
  - threshold password-authenticated key exchange (e.g., [MacKenzie et al. Crypto02]);
  - symmetric-key-based authentication (e.g., a MAC).
- Don't confuse server-aided signatures (motivated by better efficiency) with our server-assisted signatures (motivated by better security), though the two sometimes overlap.

7 Roadmap
- Motivation
- Cryptographic preliminaries (next)
- First scheme: TPAKE-HTSig
- Second scheme: LW-TSig
- Related work

8 Cryptographic Preliminaries
- Message authentication code (MAC) secure against adaptive chosen-message attack.
- Signature scheme (Sig.Init, Sig.Sig, Sig.Ver) secure against adaptive chosen-message attack; we are interested in the class of signature schemes that have an efficient distributed version.

9 Cryptographic Preliminaries
- Threshold signature scheme (TSig.Init, TSig.Sig, TSig.Ver) secure against adaptive chosen-message attack.
- Two-party signature scheme (2Sig.Init, 2Sig.Sig, 2Sig.Ver) secure against adaptive chosen-message attack.
- Hybrid-threshold signature scheme HTSig, a composition of TSig and 2Sig, consisting of (HTSig.Init, HTSig.Sig, HTSig.Ver):
  - the user splits her private key X into two shares X1 and X2;
  - the user holds X1, as in 2Sig;
  - the user shares X2 among the servers, as in TSig.

10 Cryptographic Preliminaries
- Threshold password-authenticated key exchange scheme (TPAKE.Init, TPAKE.Login):
  - the user shares her password among the servers via TPAKE.Init;
  - the user authenticates herself to the servers via TPAKE.Login, which may also output a fresh session key with each server;
  - TPAKE.Login is secure against off-line dictionary attack: compromise of no more than a threshold number of servers does not expose the password to an off-line dictionary attack;
  - the first TPAKE is due to [MacKenzie et al. Crypto02].

11 Roadmap
- Motivation
- Cryptographic preliminaries
- First scheme: TPAKE-HTSig (next)
- Second scheme: LW-TSig
- Related work

12 First Scheme: TPAKE-HTSig
- TPAKE-HTSig is a composition of TPAKE and HTSig.
- The idea is simple:
  - run TPAKE to authenticate the user and to derive a fresh session key shared between the user and each individual server;
  - the servers authenticate signing requests with these session keys; the signing operation itself is as in TSig.Sig;
  - the user completes the signature as in 2Sig.Sig.

13 TPAKE-HTSig (figure)
- The user sends MAC_key1(m) to server 1, MAC_key2(m) to server 2, ..., MAC_keyn(m) to server n.
- key_i is the session key output by TPAKE.Login with server i.
- Each server i checks its MAC and returns partial signature i.

14 TPAKE-HTSig: another look
- TPAKE, plus glue (session-key-based authentication of signing requests), plus HTSig.

15 TPAKE-HTSig: some comments
- We give a specification of TPAKE, so any scheme satisfying it (e.g., one more efficient than [MSJ02]) can be plugged in.
- A DLOG-based HTSig can be plugged into TPAKE-HTSig directly.
- An RSA-based HTSig is more subtle:
  - the [Shoup Eurocrypt00] scheme cannot be used unless one assumes that no threshold number of servers is ever compromised;
  - the [Rabin Crypto98] scheme can be used, but needs additional care.

16 Roadmap
- Motivation
- Cryptographic preliminaries
- First scheme: TPAKE-HTSig
- Second scheme: LW-TSig (next)
- Related work

17 Second Scheme: LW-TSig
- LW-TSig stands for Light-Weight server-assisted Threshold Signatures.
- The idea is simple:
  - the user holds (say) a smartcard;
  - she shares her private key among the servers, as in TSig;
  - she shares a symmetric key with each server;
  - invocation of the signing function is authenticated with MACs under these keys.

18 LW-TSig (figure)
- The user's smartcard sends MAC_key1(m) to server 1, MAC_key2(m) to server 2, ..., MAC_keyn(m) to server n, where key_i is the long-term symmetric key shared with server i.
- Each server i checks its MAC and returns partial signature i.

19 LW-TSig: some comments
- The smartcard does not need a cryptographic co-processor: it only computes MACs.
- Communication between the smartcard and the servers can be relayed through the signature receiver.
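The following is an added worked example, not code from the paper: a minimal Python model of the signing flow shared by TPAKE-HTSig (slides 12 and 13) and LW-TSig (slides 17 and 18). It assumes a toy Schnorr group (p = 2039, q = 1019, g = 4) as the DLOG-based signature, HMAC-SHA256 as the MAC, and Shamir sharing over GF(q) for TSig; the names keygen, sign, Server and so on are the example's own. The MAC keys are simply handed to the servers: in TPAKE-HTSig they would be the session keys output by TPAKE.Login (not implemented here), in LW-TSig the long-term keys on the smartcard, and LW-TSig would set the user's own share X1 to zero so that the whole key is shared among the servers. Nonce handling is the simplified two-round form (no commitment to R_i before the other R_j are revealed), which a deployable scheme would harden.

```python
import hashlib
import hmac
import secrets

# Toy Schnorr group p = 2q + 1 with q prime and g = 4 of order q (assumed parameters).
# Far too small to be secure; chosen only so the arithmetic stays readable.
P, Q, G = 2039, 1019, 4


def challenge(R: int, m: bytes) -> int:
    """Schnorr challenge e = H(R || m) mod q."""
    return int.from_bytes(hashlib.sha256(R.to_bytes(4, "big") + m).digest(), "big") % Q


def shamir_share(secret: int, n: int, t: int) -> dict:
    """Split secret over GF(q) into n shares, any t of which reconstruct it (TSig.Init)."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def lagrange0(i: int, ids) -> int:
    """Lagrange coefficient of server i for interpolating f(0) from the signing set ids."""
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * (-j) % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def shamir_reconstruct(shares: dict) -> int:
    """What an adversary holding t server shares learns: f(0) = X2, and nothing about X1."""
    ids = list(shares)
    return sum(lagrange0(i, ids) * shares[i] for i in ids) % Q


class Server:
    """A server: one Shamir share of X2 plus a MAC key shared with the user."""

    def __init__(self, sid: int, share: int, mac_key: bytes):
        self.sid, self.share, self.mac_key = sid, share, mac_key
        self.pending = {}  # session id -> nonce r_i awaiting round 2

    def round1(self, session: bytes, m: bytes, tag: bytes):
        """Verify MAC_key(m); if it holds, pick a nonce and return R_i = g^r_i, else None."""
        expected = hmac.new(self.mac_key, m, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return None
        r = secrets.randbelow(Q - 1) + 1
        self.pending[session] = r
        return pow(G, r, P)

    def round2(self, session: bytes, e: int, ids) -> int:
        """Partial signature s_i = r_i + e * lambda_i * x_i mod q."""
        return (self.pending.pop(session) + e * lagrange0(self.sid, ids) * self.share) % Q


def keygen(n: int, t: int) -> dict:
    """HTSig.Init: X = X1 + X2 mod q; the user keeps X1, X2 is Shamir-shared among n servers."""
    x = secrets.randbelow(Q - 1) + 1
    x1 = secrets.randbelow(Q)
    x2 = (x - x1) % Q
    shares = shamir_share(x2, n, t)
    keys = {i: secrets.token_bytes(32) for i in shares}  # per-server MAC keys
    servers = [Server(i, shares[i], keys[i]) for i in shares]
    return {"x": x, "x1": x1, "x2": x2, "y": pow(G, x, P),
            "mac_keys": keys, "servers": servers}


def sign(x1: int, mac_keys: dict, servers: list, m: bytes) -> tuple:
    """User side of HTSig.Sig with a signing set of at least t servers."""
    session = secrets.token_bytes(8)
    ids = [s.sid for s in servers]
    r_u = secrets.randbelow(Q - 1) + 1
    R = pow(G, r_u, P)
    for s in servers:  # round 1: MAC-authenticated invocation, collect the R_i
        R_i = s.round1(session, m, hmac.new(mac_keys[s.sid], m, "sha256").digest())
        if R_i is None:
            raise PermissionError(f"server {s.sid} rejected the signing request")
        R = R * R_i % P
    e = challenge(R, m)
    s_val = (r_u + e * x1) % Q  # the user's own 2Sig-style contribution from X1
    for s in servers:  # round 2: add the servers' partial signatures
        s_val = (s_val + s.round2(session, e, ids)) % Q
    return R, s_val


def verify(y: int, m: bytes, sig: tuple) -> bool:
    """Ordinary Schnorr verification against the single public key y: g^s == R * y^e mod p."""
    R, s_val = sig
    return pow(G, s_val, P) == R * pow(y, challenge(R, m), P) % P
```

Running keygen(5, 3) and then sign with any three (or more) of the five servers gives a signature that verify accepts under the single public key y, exactly as an ordinary Schnorr signature would. A server that receives a request with a bad MAC returns nothing, so an adversary on the user's machine who lacks the MAC keys cannot invoke the signing function; an adversary holding any three servers' shares can recover X2 with shamir_reconstruct but not X, because X1 never leaves the user.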

20 Roadmap
- Motivation
- Cryptographic preliminaries
- First scheme: TPAKE-HTSig
- Second scheme: LW-TSig
- Related work (next)

21 Related Work: a taxonomy of systems protecting private signing functions
- Instead of comparing our work with the related work one by one, we present a taxonomy of systems that protect private signing functions.
- The taxonomy is based on two dimensions:
  - user storage media: human memory (for a password), soft-token, hard-token, soft- & hard-token;
  - number of runtime key-shares: 1, 2, >2.

22 Taxonomy (one figure, built up over slides 22 to 28; rows are the user storage media, columns the number of runtime key-shares)

| user storage media | 1 key-share | 2 key-shares | >2 key-shares |
|---|---|---|---|
| human memory (password) | downloading: the user downloads her private key, stored at some remote server(s), to (say) a public computer; a password-based authenticated key exchange provides the session key | | downsized special case of TPAKE-HTSig: the user uses a password to activate multiple remote servers, which generate a threshold signature |
| soft-token | two types of systems: (a) password-protected private key (a variant can block off-line dictionary attacks if public keys are kept secret); (b) forward security: compromising today's private key does not mean compromising yesterday's | two-party signatures; downsized TPAKE-HTSig | TPAKE-HTSig: password-based authentication plus a composition of two-party and threshold signatures |
| hard-token | traditional | downsized LW-TSig | LW-TSig: the user invokes a set of remote servers via symmetric authentication |
| soft- & hard-token | | key-insulation / intrusion-resilience: compromise of today's private key does not mean compromise of yesterday's or tomorrow's; even if soft-token and hard-token are compromised simultaneously, forward security is still ensured | extension to TPAKE-HTSig and LW-TSig |

29 Questions?

30 Q & A
- Our constructions are obtained via modular composition, but our security analysis method is more specific; Canetti's is more general.
- Why can [Shoup Eurocrypt00] not be used? An adversary compromising a threshold number of servers can obtain X2. Since [S00] requires that the public exponent corresponding to X2 be public, the adversary can factor the user's RSA modulus.
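Added example (not from the paper, nor Shoup's protocol): the attack the answer above describes, in Python. Whoever learns an RSA private exponent d together with the public exponent e that matches it holds e*d - 1, a multiple of phi(N), and the standard square-root-of-one argument then factors N. The modulus here is constructed from two Mersenne primes so that the example runs instantly; the function names are the example's own.

```python
import math
import random

# Toy RSA modulus from two Mersenne primes (constructed for the demo; far too
# small and structured for real use).  The factors are kept only to check the result.
P_PRIME = 2**31 - 1
Q_PRIME = 2**61 - 1
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)


def exponent_pair(e: int) -> tuple:
    """Model the share X2 together with its public exponent: (e, d) with e*d = 1 mod phi(N)."""
    return e, pow(e, -1, PHI)


def factor_from_exponents(n: int, e: int, d: int, seed: int = 0) -> tuple:
    """Factor n from any pair (e, d) with e*d = 1 (mod phi(n)).

    k = e*d - 1 is a multiple of phi(n), so a^k = 1 (mod n) for every unit a.
    Writing k = 2^s * r, some a^(r * 2^j) is a square root of 1 other than +-1
    with probability at least 1/2 per trial, and gcd(root - 1, n) is then a
    proper factor.  Returns the factors in increasing order.
    """
    rng = random.Random(seed)  # fixed seed keeps the demo deterministic
    k = e * d - 1
    s, r = 0, k
    while r % 2 == 0:
        s, r = s + 1, r // 2
    while True:
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if g != 1:  # a already shares a factor with n (practically never happens)
            return min(g, n // g), max(g, n // g)
        x = pow(a, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(s):
            y = x * x % n
            if y == 1:  # x is a non-trivial square root of 1 modulo n
                f = math.gcd(x - 1, n)
                return min(f, n // f), max(f, n // f)
            if y == n - 1:
                break  # this a only reaches 1 via -1; try another
            x = y
```

With the toy modulus, factor_from_exponents(N, *exponent_pair(65537)) returns the two primes after a handful of trials. With X2 in the role of d, this is the difference between an adversary learning one share and learning the user's whole key: once N is factored, every exponent, including X1, can be recomputed.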

31 Q & A
- What care does [Rabin Crypto98] need? If the [MSJ02] TPAKE is used, we need another layer of invocation in which a threshold number of servers activates all the servers. This is specific to [MSJ02], though.
- Denial-of-service attacks must be dealt with appropriately; otherwise the secret share of a server under denial-of-service attack is interpolated (reconstructed by the other servers) and could make the threshold protection meaningless.
