Proactive public key and signature systems

Author affiliations: IBM Research, Haifa Scientific Center (amir@haifa.vnet.ibm.com); University of California, San Diego (markus@cs.ucsd.edu); Massachusetts Institute of Technology (stasio@theory.lcs.mit.edu); IBM T.J. Watson Research Center (hugo@watson.ibm.com); CertCo, New York (moti@certco.com, moti@cs.columbia.edu).

Emerging applications like electronic commerce and secure communications over open networks have made clear the fundamental role of public key cryptography as a unique enabler for world-wide scale security solutions. On the other hand, these solutions clearly expose the fact that the protection of private keys is a security bottleneck in these sensitive applications. This problem is further worsened in the cases where a single and unchanged private key must be kept secret for a very long time (such is the case of certification authority keys, bank and e-cash keys, etc.). One crucial defense against exposure of private keys is offered by threshold cryptography, where the private key functions (like signatures or decryption) are distributed among several parties such that a predetermined number of parties must cooperate in order to correctly perform these operations. This protects keys from any single point of failure. An attacker needs to break into a multiplicity of locations before it can compromise the system. However, in the case of long-lived keys the attacker still has a considerable period of time (like a few years) to gradually break the system. Here we present proactive public key systems where the threshold solutions are further enhanced by periodic refreshment of the shared function in such a way that the private key (and its corresponding public key) is kept unchanged for as long as required, yet the breaking of the system requires the attacker to break into several locations in a short period of time, e.g., during one day or one week.
We present such solutions for a variety of discrete log based cryptosystems including DSS and Schnorr signatures, ElGamal-like signatures and encryption, undeniable signatures, and more. We build on previous work on proactive secret sharing and threshold schemes, and develop a general methodology for the combination of many of these systems into secure proactive public key solutions.
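The following is an added worked example, not code from the paper or its authors, illustrating the mechanism the abstract describes: a discrete-log private key x is Shamir-shared among n parties with threshold t, and a refresh round lets every party add a fresh sharing of zero, so all shares change while x and the public key y = g^x stay fixed. It assumes a constructed toy group (p = 2039, q = 1019, g = 4 of order q) and uses Feldman-style commitments so that each holder can check a dealt subshare and confirm that a refresh really encodes zero; the share-recovery protocol for detected faults and authenticated channels between parties are omitted. The deterministic seed option exists only for reproducibility; real use takes the default system randomness.

```python
"""Proactive (t, n) sharing of a discrete-log private key with one refresh
round.  Added example for this page, not the paper's own code."""
import random
import secrets

# Constructed toy group: prime P = 2Q + 1, and G = 4 has prime order Q mod P.
# Real deployments use standardised, much larger parameters.
P, Q, G = 2039, 1019, 4


def make_rng(seed=None):
    """System randomness by default; a seeded generator only for reproducible demos."""
    return secrets.SystemRandom() if seed is None else random.Random(seed)


def eval_poly(coeffs, xval):
    """Evaluate a polynomial (coeffs[0] is the constant term) at xval in GF(Q)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * xval + c) % Q
    return acc


def share(secret, t, n, rng):
    """Feldman-verifiable Shamir sharing.

    Returns ({i: share_i}, [G^a_0, ..., G^a_{t-1}]).  Any t of the n shares
    reconstruct `secret`; the commitments let each holder check its share
    without learning the polynomial.  Note that commits[0] == G^secret."""
    coeffs = [secret % Q] + [rng.randrange(Q) for _ in range(t - 1)]
    shares = {i: eval_poly(coeffs, i) for i in range(1, n + 1)}
    commits = [pow(G, a, P) for a in coeffs]
    return shares, commits


def verify_share(i, s_i, commits):
    """Feldman consistency test: G^s_i == prod_k C_k^(i^k) mod P."""
    expected = 1
    for k, c_k in enumerate(commits):
        expected = expected * pow(c_k, pow(i, k, Q), P) % P
    return pow(G, s_i, P) == expected


def reconstruct(shares):
    """Lagrange interpolation at 0 in GF(Q) from a dict {i: share_i} of size >= t."""
    total = 0
    for i, s_i in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + s_i * num * pow(den, -1, Q)) % Q
    return total


def refresh(shares, t, rng):
    """One proactive refresh round (simplified).

    Every party deals a fresh sharing of ZERO; each holder checks that the
    dealt constant term is really zero (commitment C_0 == 1) and that its
    subshare is consistent, then adds all subshares to its old share.
    The secret, hence the public key, is unchanged; every share is new, and a
    share from the old period is useless alongside shares from the new one."""
    new = dict(shares)
    for dealer in shares:
        subshares, commits = share(0, t, len(shares), rng)
        if commits[0] != 1:
            raise ValueError(f"party {dealer} tried to alter the shared secret")
        for i, s in subshares.items():
            if not verify_share(i, s, commits):
                raise ValueError(f"inconsistent subshare from {dealer} to {i}")
            new[i] = (new[i] + s) % Q
    return new


def public_key(x):
    return pow(G, x, P)


def demo(seed=None):
    """Share a key among 5 parties (threshold 3), refresh once, and show what
    an attacker holding t-1 old shares plus one new share can (not) do."""
    rng = make_rng(seed)
    t, n = 3, 5
    x = rng.randrange(1, Q)
    old, commits = share(x, t, n, rng)
    new = refresh(old, t, rng)
    return {
        "x": x,
        "public_key": commits[0],
        "old": old,
        "new": new,
        "pk_after_refresh": public_key(reconstruct({i: new[i] for i in (1, 2, 3)})),
        "mixed_periods_recover_x": reconstruct({1: old[1], 2: old[2], 3: new[3]}) == x,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the last dictionary entry: two shares stolen before the refresh and one stolen after it do not interpolate to x, so an attacker must gather t shares within a single refresh period, which is exactly the time-bound the abstract describes. The C_0 == 1 check in refresh is what stops a corrupt party from using the refresh round to silently shift the key; in the full protocol a failed check triggers accusation and share-recovery steps that this example leaves out.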
