Sharing DSS by the Chinese Remainder Theorem - PowerPoint PPT Presentation

1
Sharing DSS by the Chinese Remainder Theorem
  • Kamer Kaya, Ali Aydın Selçuk
  • Department of Computer Engineering
  • Bilkent University
  • Ankara, 06800 Turkey
  • November 16, 2008

2
Outline
  • Introduction
  • Digital Signature Standard (DSS)
  • Asmuth-Bloom Secret Sharing Scheme
  • Sharing DSS
  • Conclusion
  • References

3
Introduction (1/2)
  • Threshold cryptography deals with the problem of
  • Sharing a highly sensitive secret among a group
    of n users
  • The secret can be reconstructed only when a
    sufficient number t of users come together
  • Another problem threshold cryptography deals
    with is the function sharing problem

4
Introduction (2/2)
  • A function sharing scheme (FSS) requires
  • Distributing the function's computation according
    to the underlying SSS
  • Each part of the computation can be carried out
    by a different user
  • The partial results can be combined to yield the
    function's value without disclosing individual
    secrets

5
Digital Signature Standard (1/6)
  • The Digital Signature Standard (DSS) is the
    current U.S. standard for the digital signature
  • There are three phases in DSS
  • Key Generation Phase
  • Signing Phase
  • Verification Phase

6
Digital Signature Standard (2/6)
  • Key Generation phase
  • Let p and q be large primes where q | p - 1
  • be an element of order q
  • The private key is chosen randomly
  • The public key is computed

7
Digital Signature Standard (3/6)
  • Signing Phase
  • The signer first chooses a random ephemeral key
  • Then computes the signature (r,s) where
  • For a hashed message

8
Digital Signature Standard (4/6)
  • Verification phase
  • The signature (r,s) is verified by checking
  • Where s^{-1} is computed in

9
Digital Signature Standard (5/6)
  • ?
  • Substitute
    , we have
  • So, whether ??

10
Digital Signature Standard (6/6)
  • From right hand side,

11
Asmuth-Bloom Secret Sharing scheme (1/10)
  • There are two phases in the Asmuth-Bloom SSS
  • Dealer Phase
  • Combiner Phase

12
Asmuth-Bloom Secret Sharing scheme (2/10)
  • Dealer phase
  • Let d be the secret to be shared
  • n be the number of users
  • t be the threshold value
  • Let m0 < m1 < m2 < ... < mn be relatively prime integers
    such that d < m0

13
Asmuth-Bloom Secret Sharing scheme (3/10)
  • Let M denote . The dealer computes
    y = d + A·m0 where A is a random positive integer such
    that y < M.
  • The share of the ith user is yi = y mod mi

14
Asmuth-Bloom Secret Sharing scheme (4/10)
  • Combiner phase
  • Let S be a coalition of t users gathered to
    construct the secret
  • Let Ms denote
  • Let MS\i denote and MS,i be the
    multiplicative inverse of MS\i in Zmi
  • i.e.,

15
Asmuth-Bloom Secret Sharing scheme (5/10)
  • First, the ith user computes
  • The users first compute
  • Then obtain the secret d by computing
  • d = y mod m0

16
Asmuth-Bloom Secret Sharing scheme (6/10)
  • Arithmetic properties of AB SSS
  • The notation to
    denote a (t,n)-SSS with secret d and shares
    (y1, y2, ..., yn)
  • Suppose multiple secrets are shared with common
    parameters t, n, and moduli mi.

17
Asmuth-Bloom Secret Sharing scheme (7/10)
  • Proposition 1
  • Let d1, d2, ..., dl be secrets shared by AB-SSS with
    common parameters t, n, and moduli mi, for some
    l < m0.
  • Let yij be the share of the ith user for secret
    dj. Then for and
  • We have

18
  • l = 5, n = 4

19
Asmuth-Bloom Secret Sharing scheme (8/10)
  • Proof 2
  • For , we have
  • Note that , for any coalition S
    where .
  • Hence, a coalition S of t+1 users can construct
    and

20
Asmuth-Bloom Secret Sharing scheme (9/10)
  • Proposition 3
  • Let d1, d2 be secrets shared by AB-SSS with common
    parameters t, n and moduli mi.
  • Let yij be the share of the ith user for secret
    dj
  • Then, for and
  • We have

21
Asmuth-Bloom Secret Sharing scheme (10/10)
  • Proof 4
  • For , we have
  • Note that , for any coalition
    S where
  • Hence, a coalition S of 2t users can construct
    and obtain

22
  • Dealer phase
  • k = 2, n = 3, d < m0
  • d = 9, m0 = 11, m1 = 123, m2 = 131, m3 = 133
  • (2,3) AB-SSS, y = 9 + (20)11 = 229

23
  • Combiner phase
  • Let S = {U1, U3},
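
The dealer and combiner phases above, together with Proposition 1, as an added Python example (not part of the original presentation). It uses the slides' parameters (d = 9, m0 = 11, moduli 123, 131, 133, A = 20); the definition of M as the product of the t smallest moduli and the privacy check are taken from the standard Asmuth-Bloom scheme because the slide formulas did not survive, and the secrets and blinding values in the Proposition 1 part are constructed.

```python
from math import gcd, prod
import secrets

def deal(d, m0, moduli, t, A=None):
    """Dealer phase: y = d + A*m0 with y < M; user i receives y mod m_i."""
    ms = sorted(moduli)
    all_m = [m0] + ms
    if any(gcd(a, b) != 1 for i, a in enumerate(all_m) for b in all_m[i + 1:]):
        raise ValueError("moduli must be pairwise relatively prime")
    if not 0 <= d < m0 < ms[0]:
        raise ValueError("need d < m0 < m1")
    M = prod(ms[:t])  # assumption: M = product of the t smallest moduli
    # Original Asmuth-Bloom condition (not shown on the slides).
    if m0 * prod(ms[len(ms) - t + 1:]) >= M:
        raise ValueError("Asmuth-Bloom condition violated")
    if A is None:
        A = 1 + secrets.randbelow((M - 1 - d) // m0)  # random positive A, y < M
    y = d + A * m0
    if not (A > 0 and y < M):
        raise ValueError("need A > 0 and y < M")
    return [y % m for m in moduli]

def combine(shares, m0):
    """Combiner phase: CRT over the coalition's (y_i, m_i) pairs, then y mod m0."""
    M_S = prod(m for _, m in shares)
    y = 0
    for y_i, m_i in shares:
        M_rest = M_S // m_i                       # M_{S\i}
        y += y_i * M_rest * pow(M_rest, -1, m_i)  # inverse of M_{S\i} in Z_{m_i}
    return (y % M_S) % m0

def add_shares(a, b, moduli):
    """Proposition 1: each user adds its own shares modulo its own m_i."""
    return [(x + z) % m for x, z, m in zip(a, b, moduli)]

M0, MODULI, T = 11, [123, 131, 133], 2  # parameters from the slides

def demo():
    s1 = deal(9, M0, MODULI, T, A=20)                 # slide example: y = 229
    d_13 = combine([(s1[0], 123), (s1[2], 133)], M0)  # coalition S = {U1, U3}
    # Constructed values: two secrets whose y values sum past any 2-user M_S.
    a = deal(9, M0, MODULI, T, A=1400)
    b = deal(7, M0, MODULI, T, A=1300)
    s = add_shares(a, b, MODULI)
    with_t = combine([(s[0], 123), (s[2], 133)], M0)  # t users: wrong result
    with_t1 = combine(list(zip(s, MODULI)), M0)       # t+1 users: (9 + 7) mod 11
    return s1, d_13, with_t, with_t1

if __name__ == "__main__":
    print(demo())
```

The summed shares reconstruct correctly only with t+1 users because the sum of two y values can exceed the modulus product of a t-user coalition, which is why the signing protocol later in the talk needs larger coalitions than plain reconstruction.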

24
Sharing DSS (1/14)
  • Joint Random Secret Sharing (JOINT-RSS)
  • Let S denote the signing coalition of size 2t+2
  • Each user chooses a random secret
    and shares it as
    where yij is the share
    of the ith user

25
Sharing DSS (2/14)
  • Each user chooses a random secret
    and shares it as
    where yij is the share
    of the ith user
  • The ith user computes .
    By proposition 1, is a
    valid SSS for assuming
    n < m0

26
Sharing DSS (3/14)
  • Threshold DSS scheme
  • Key Generation phase
  • Let be the private signature key.
  • The dealer sets m0 = q and shares
  • Signing phase
  • To sign a hashed message , the signing
    coalition S of size 2t+2 first computes
    by JOINT-EXP-INVERSE

27
Sharing DSS (4/14)
  • To compute , each user
    computes
  • by proposition 3, and s is
    computed by 2t+2 partial signatures
  • Verification phase
  • Same as the standard DSS verification

28
Sharing DSS (5/14)
  • Note that anyone can forge signatures if he knows
    k for a valid signature (r,s)
  • Hence, must be
    computed in a way that no one obtains k

29
Sharing DSS (6/14)
  • The Dealer
  • Choose m0, m1, m2, ..., mn
  • Set m0 = q, choose p as a large prime where
    q | p - 1,
  • By JOINT-RSS,
  • Send yi to user i respectively where
  • as public key

[Figure: the dealer sends shares y1, y2, y3 to users U1, U2, U3]

30
Sharing DSS (7/14)
  • Let S be a coalition of size 2t+2 that wants to sign a
    hashed message w. Each user
  • Chooses and randomly
  • Shares aj and kj by
  • For , distributes the shares aij and kij to
    user i respectively

[Figure: users U1, U2, U3 exchange the shares (aij, kij) pairwise]

31
Sharing DSS (8/14)
  • Each user computes
  • After that, they will try to construct v = ak from
    shares vi = ai·ki

32
Sharing DSS (9/14)
  • Signing phase
  • For be a set of t+1 users. Each
    user computes

33
Sharing DSS (10/14)
  • After that, broadcast
  • The approximate value for g^a mod p is computed as
  • But

[Figure: users U1, U2, U3 broadcast f1,a, f2,a, f3,a to one another]

34
Sharing DSS (11/14)
  • S corrects fa through the following correction
    procedure
  • Let be a set of t+1 users. Each
    user computes
  • After that, broadcast

[Figure: users U1, U2, U3 broadcast (fi,k, fi,ak) to one another]

35
Sharing DSS (12/14)
  • Then, fk and fak are computed as
  • Where for some

36
Sharing DSS (13/14)
  • S checks the following equality for all
  • Note that

37
Sharing DSS (14/14)
  • We need to find ( ) that
    satisfies this equality
  • Once is found
    can be computed
  • The signing coalition S computes

38
Conclusion
  • In this paper, the authors investigated how to
    share the signing function used in the DSS by
    using AB-SSS
  • They proposed a t-out-of-n threshold signature
    scheme based on the Chinese Remainder Theorem

39
References
  • [1] C. Asmuth and J. Bloom. A modular approach to
    key safeguarding. IEEE Trans. Information Theory,
    29(2):208-210, 1983.
  • [2] G. Blakley. Safeguarding cryptographic keys.
    In Proc. of AFIPS National Computer Conference,
    1979.
  • [3] Y. Desmedt and Y. Frankel. Threshold
    cryptosystems. In Proc. of CRYPTO'89, volume 435
    of LNCS, pages 307-315. Springer-Verlag, 1990.
  • [4] Y. Desmedt and Y. Frankel. Shared generation
    of authenticators and signatures. In Proc. of
    CRYPTO'91, volume 576 of LNCS, pages 457-469.
    Springer-Verlag, 1992.
  • [5] R. Gennaro, S. Jarecki, H. Krawczyk, and T.
    Rabin. Robust threshold DSS signatures.
    Information and Computation, 164(1):54-84, 2001.
  • [6] K. Kaya and A. A. Selcuk. Threshold
    cryptography based on Asmuth-Bloom secret
    sharing. Information Sciences, 177(19):4148-4160,
    2007.
  • [7] A. De Santis, Y. Desmedt, Y. Frankel, and M.
    Yung. How to share a function securely? In Proc.
    of STOC'94, pages 522-533, 1994.
  • [8] A. Shamir. How to share a secret? Comm. ACM,
    22(11):612-613, 1979.
  • [9] V. Shoup. Practical threshold signatures. In
    Proc. of EUROCRYPT 2000, volume 1807 of LNCS,
    pages 207-220. Springer-Verlag, 2000.