Secure Schemes for Server-

innocentsickΤεχνίτη Νοημοσύνη και Ρομποτική

21 Νοε 2013 (πριν από 3 χρόνια και 11 μήνες)

66 εμφανίσεις

CT
-
RSA'03

1

Two
-
Efficient and Provably
Secure
Schemes for Server
-
Assisted Threshold Signatures

Ravi Sandhu

Joint work with

Shouhuai Xu

CT
-
RSA'03

2

Roadmap


Motivation


Cryptographic preliminaries


First scheme:
TPAKE
-
HTSig


Second scheme:
LW
-
TSig


Related work

CT
-
RSA'03

3

Motivation


Modern cryptography is “key
-
centric”


Rivest
-
Shamir
-
Adleman

have no “
short cut
” in
breaking
RSA


But you can generate
Rivest
’s digital signatures once
you compromised his private key


This has no counterpart in handwriting signatures


Since compromise will inevitably happen, one can only
expect “second to the best”


Minimize the damage

CT
-
RSA'03

4

Motivation


So how to protect the private signing keys (or functions)


conveniently


cheaply


efficiently

CT
-
RSA'03

5

Our Approach


Assume a set of (>2) servers provide service (e.g., for
economic incentives) like threshold signing


Differ from standard threshold signing


only a user can invoke her signing function


compromise of a user’s machine does not necessarily
mean her signing function is compromised (i.e.,
the
adversary may still unable to invoke the servers
)


compromise of a threshold number of servers does
not necessarily mean her signing function is
compromised

CT
-
RSA'03

6

Our Approach


The core underlying our approach is some
convenient
,
cheap
,
efficient

mechanisms whereby the servers
collaboratively authenticate a user


threshold password authenticated key exchange (e.g.,
[MacKenzie et al. Crypto’02])


symmetric key
-
based authentication (e.g., MAC)


Don’t confuse “
server
-
added signature
” (
which is motivated
to provide better efficiency
) with our “
server
-
assisted
signature
” (
which is motivated to provide better security
)


though they do overlap sometimes

CT
-
RSA'03

7

Roadmap


Motivation


Cryptographic preliminaries


First scheme: TPAKE
-
HTSig


Second scheme: LW
-
Tsig


Related work

CT
-
RSA'03

8

Cryptographic Preliminaries


Message authentication code (MAC)


secure against adaptive chosen message attack


Signature scheme
(Sig.Init, Sig.Sig, Sig.Ver)


secure against adaptive chosen message attack


we are interested in a class of signature schemes
that have efficient distributed version

CT
-
RSA'03

9

Cryptographic Preliminaries


T
hreshold
Sig
nature scheme
(TSig.Init, TSig.Sig, TSig.Ver)


secure against adaptive chosen message attack


2
-
party
Sig
nature scheme
(2Sig.Init, 2Sig.Sig, 2Sig.Ver)


secure against adaptive chosen message attack


H
ybrid
-
T
hreshold
Sig
nature scheme, which is a composition of
TSig

and
2Sig
, consists of
(HTSig.Init, HTSig.Sig, HTSig.Ver)


a user splits her private key
X

into two shares
X1
,
X2


the user holds
X1

as in
2Sig


the user shares
X2

among the servers as in
TSig

CT
-
RSA'03

10

Cryptographic Preliminaries


T
hreshold
P
assword
-
A
uthenticated
K
ey
E
xchange scheme
(TPAKE.Init, TPAKE.Login)


a user shares her password among servers via
TPAKE.Init


a user authenticates herself to the servers via
TPAKE.Login
, which may also output a fresh session key
with each server


TPAKE.Login

is secure against off
-
line dictionary attack


compromise of no more than a threshold number of
servers does not make the password subject to off
-
line
dictionary attack


the first
TPAKE

is due to [MacKenzie et al. Crypto’02]

CT
-
RSA'03

11

Roadmap


Motivation


Cryptographic preliminaries


First scheme:
TPAKE
-
HTSig


Second scheme: LW
-
Tsig


Related work

CT
-
RSA'03

12

First Scheme:
TPAKE
-
HTSig


TPAKE
-
HTSig

is

a composition of
TPAKE

and
HTSig


Idea is simple


Run a
TPAKE

to authenticate a user and generate a
fresh session key that is common to the user and each
individual server


The servers authenticate signing requests using the
session keys; the signing operation is similar to
TSig.Sig


The user obtains a signature as in
2Sig.Sig

CT
-
RSA'03

13

TPAKE
-
HTSig

MAC
key1
(m)

MAC
key2
(m)

MAC
keyn
(m)



server 1

server 2

server n

partial signature 1

partial signature 2

partial signature n

TPAKE.Login

outputs
key1

TPAKE.Login

outputs
key2

TPAKE.Login

outputs
keyn

CT
-
RSA'03

14

TPAKE
-
HTSig:
another look

TPAKE

glue: session key based authentication

HTSig

CT
-
RSA'03

15

TPAKE
-
HTSig


Some comments


We give a specification of
TPAKE
, so any scheme (e.g.,
more efficient than [MSJ02]) satisfying it can plug
-
and
-
play


DLOG based
HTSig

can pug
-
and
-
play in
TPAKE
-
HTSig


RSA
-
based
HTSig

is more subtle


[Shoup Eurocrypt’00] scheme cannot be used unless
one assume that no threshold number of servers are
compromised


[Rabin Crypto’98] scheme can be used, but need
additional care

CT
-
RSA'03

16

Roadmap


Motivation


Cryptographic preliminaries


First scheme: TPAKE
-
HTSig


Second scheme:
LW
-
TSig


Related work

CT
-
RSA'03

17

Second Scheme:
LW
-
TSig


LW
-
TSig

stands for
L
ight
-
W
eight server
-
assisted
T
hreshold
Sig
natures


Idea is simple


a user holds (say) a smartcard


she shares her private key among the servers, as in
TSig


she shares a symmetric key with each server


invocation of signing function is based on
MAC
s

CT
-
RSA'03

18

LW
-
TSig

MAC
key1
(m)

MAC
key2
(m)

MAC
keyn
(m)



server 1

server 2

server n

partial signature 1

partial signature 2

partial signature n

CT
-
RSA'03

19

LW
-
TSig


Some comments


a smartcard does not need a cryptographic
co
-
processor


communication between a smartcard and the
servers can be done via a signature receiver

CT
-
RSA'03

20

Roadmap


Motivation


Cryptographic preliminaries


First scheme: TPAKE
-
HTSig


Second scheme: LW
-
Tsig


Related work

CT
-
RSA'03

21

Related Work


Instead of comparing our work with the related
works one
-
by
-
one, we present a
taxonomy

of
systems protecting private signing functions


The taxonomy is based on


user storage media
: human
-
memory (for
password),
soft
-
token
, hard
-
token,


soft
-

& hard
-
token


number of runtime key
-
shares
: 1,
2
, >2

CT
-
RSA'03

22

Taxonomy

1

2

>2

human
-
memory

soft
-
token

hard
-
token

soft
-

&
hard
-
token

number of
runtime

key
-
shares

downloading


a user downloads (say, to a
public computer) her private key
stored at some remote server(s)


password
-
based authenticated
key exchange (for session key)

user storage media

CT
-
RSA'03

23

Taxonomy

1

2

>2

human
-
memory

soft
-
token

hard
-
token

soft
-

&
hard
-
token

number of
runtime

key
-
shares

downloading

a user utilizes a password to
activate multiple remote servers
to generate a threshold signature

special case of
TPAKE
-
HTSig

downsized
(password, >2)

user storage media

CT
-
RSA'03

24

Taxonomy

1

2

>2

human
-
memory

soft
-
token

hard
-
token

soft
-

&
hard
-
token

number of
runtime

key
-
shares

downloading

special case of
TPAKE
-
HTSig

Two types of systems:


password
-
protected private key (a variant
can block off
-
line dictionary attack if
public keys are kept secret)


forward
-
security: compromising today’s
private key does not mean compromising
yesterday's private key

downsized
(password, >2)

(soft
-
token,1)

user storage media

CT
-
RSA'03

25

Taxonomy

1

2

>2

human
-
memory

soft
-
token

hard
-
token

soft
-

&
hard
-
token

number of
runtime

key
-
shares

downloading

special case of
TPAKE
-
HTSig


password
-
based authentication


composition of two
-
party and
threshold signatures

downsized
(password, >2)

(soft
-
token,1)

TPAKE
-
HTSig

downsized
TPAKE
-
HTSig

user storage media

CT
-
RSA'03

26

Taxonomy

1

2

>2

human
-
memory

soft
-
token

hard
-
token

soft
-

&
hard
-
token

number of
runtime

key
-
shares

downloading

special case of
TPAKE
-
HTSig

downsized
(password, >2)

(soft
-
token,1)

TPAKE
-
HTSig

downsized
TPAKE
-
HTSig

traditional

LW
-
TSig

downsized
LW
-
TSig

a user invokes a set of
remote servers via
symmetric authentication

user storage media

CT
-
RSA'03

27

Taxonomy

1

2

>2

human
-
memory

soft
-
token

hard
-
token

soft
-

&
hard
-
token

number of
runtime

key
-
shares

downloading

special case of
TPAKE
-
HTSig

downsized
(password, >2)

(soft
-
token,1)

TPAKE
-
HTSig

downsized
TPAKE
-
HTSig

traditional

LW
-
TSig

downsized
LW
-
TSig

key
-
insulation/
intrusion
-
resilience


compromise of today’s private key
does not mean compromise of
yesterday’s or tomorrow’s private key


even if soft
-
token and hard
-
token are
compromised simultaneously, forward
-
security is still ensured

user storage media

CT
-
RSA'03

28

Taxonomy

1

2

>2

human
-
memory

soft
-
token

hard
-
token

soft
-

&
hard
-
token

number of
runtime

key
-
shares

user storage media

downloading

special case of
TPAKE
-
HTSig

downsized
(password, >2)

(soft
-
token,1)

TPAKE
-
HTSig

downsized
TPAKE
-
HTSig

traditional

LW
-
TSig

downsized
LW
-
TSig

key
-
insulation/
intrusion
-
resilience

extension to
TPAKE
-
HTSig

and
LW
-
TSig

two
-
party signatures

CT
-
RSA'03

29

Questions?

CT
-
RSA'03

30

Q & A


Our constructions are obtained via modular composition,
but our security analysis method is more specific


Canetti’s is more general


Why [Shoup Eurocrypt’00] cannot be used?


An adversary compromising a threshold number of
servers can obtain
X2
. Since [S00] requests that the
public exponent corresponding to
X2

be public, the
adversary can factor the user’s RSA modulus.

CT
-
RSA'03

31

Q & A


What care we need for [Rabin Crypto’98]?


If [MSJ02]
TPAKE

is used, we need another layer of
invocation that a threshold number of servers activates all
the servers. This is specific to [MSJ02], though.


Denial
-
of
-
service attack is appropriately dealt with;
otherwise, the secret share of a server under denial
-
of
-
service attack is interpolated and could make the threshold
protection meaningless.