The Omega Key Management Service

Acknowledgements

We thank Elizabeth Royer for implementing the WWW interface to.

10 servers in these tests. All keys (notably the service's public key) contained 768-bit moduli. Keys used to encrypt shares in the private key escrow and recovery protocols were RSA keys, regardless of the client key type.

Table 1: Mean latency (ms); 768-bit moduli, Sparc 20s

                           Client key type
Operation                  RSA     ElGamal
public key registration    1884    756
public key lookup          563     575
public key revocation      588     595
private key escrow         3648    1049
private key decryption     1365    1330
private key recovery       1357    1165

With the described key sizes, the mean round-trip latency of a null operation at the service was roughly 550 ms, over three-fourths of which was due to the modular exponentiation operations of the threshold signature scheme used to sign responses (see Section 3). The remainder of this time resulted primarily from costs associated with communication, particularly the atomic multicast protocol of Rampart. However, since the latency of this protocol is also partly due to modular exponentiations (see [26]), modular exponentiation is responsible for a large majority of the latency of a null request to the service.

Even in most operations for which the 550 ms latency of the basic round-trip protocol was not the dominant cost, modular exponentiation continued to dominate the total latency. Specifically, our escrow, decryption, and ElGamal registration protocols, as well as the atomic multicast protocols that underlie them, employ modular exponentiation heavily at the servers.

The only operation whose cost was not dominated by modular exponentiation is the RSA registration protocol. As described in Section 4, one step of this protocol is for each server to verify that N, the public key modulus provided by the client, is not a prime power.
This is done by verifying that N is not a proper power of any integer, which is performed by taking k-th roots of N for each prime k, 1 < k ≤ |N|, where |N| is the bit length of N. Finding k-th roots of N, which is performed with Newton's method, dominated the latency of the registration protocol. This verification could be skipped in the registration protocol, although doing so would require either doubling the value L in the RSA escrow protocol to achieve the same level of security or, in the event that an attempted decryption with the escrowed key …
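The proper-power check described above can be sketched as follows. This is an added example, not code from the Omega service: the function names are hypothetical, and the sample moduli are constructed from two Mersenne primes rather than being 768-bit keys.

```python
def iroot(n, k):
    """Floor of the k-th root of n (n >= 0, k >= 1), by integer Newton iteration."""
    if n < 2 or k == 1:
        return n
    # Start at a power of two that is >= the true root, so the iterates
    # decrease monotonically and the loop stops exactly at floor(n ** (1/k)).
    x = 1 << -(-n.bit_length() // k)
    while True:
        y = ((k - 1) * x + n // x ** (k - 1)) // k
        if y >= x:
            return x
        x = y


def primes_up_to(limit):
    """Primes p with 1 < p <= limit (trial division; limit is only a bit length)."""
    return [p for p in range(2, limit + 1)
            if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def proper_power(n):
    """Return (a, k) with a ** k == n for some prime k > 1, or None.

    Prime exponents suffice: if n = a ** m with m composite, then
    n = (a ** (m // p)) ** p for any prime p dividing m.
    """
    for k in primes_up_to(n.bit_length()):
        a = iroot(n, k)
        if a > 1 and a ** k == n:
            return a, k
    return None


# Constructed sample inputs: two Mersenne primes standing in for RSA factors.
P = 2 ** 127 - 1
Q = 2 ** 89 - 1

if __name__ == "__main__":
    for label, modulus in (("P*Q", P * Q), ("P**2", P ** 2), ("P**3", P ** 3)):
        hit = proper_power(modulus)
        print(label, "rejected: proper power" if hit else "passes the check")
```

A server running this check would reject a registration whenever `proper_power(N)` returns a pair, since a prime power is in particular a proper power or a prime.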