Robust Threshold DSS Signatures

We present threshold DSS (Digital Signature Standard) signatures where the power to sign is shared by n players such that for a given parameter t < n/2 any subset of 2t + 1 signers can collaborate to produce a valid DSS signature on any given message, but no subset of t corrupted players can forge a signature (in particular, cannot learn the signature key). In addition, we present a robust threshold DSS scheme that can also tolerate n/3 players who refuse to participate in the signature protocol. We can also endure n/4 maliciously faulty players that generate incorrect partial signatures at the time of signature computation. This results in a highly secure and resilient DSS signature system applicable to the protection of the secret signature key, the prevention of forgery, and increased system availability. Our results significantly improve over a recent result by Langford from CRYPTO'95 that presents threshold DSS signatures which can stand much smaller subsets of corrupted players, namely, t ≅ √n, and do not enjoy the robustness property. As in thc case of Langford's result, our schemes require no trusted party. Our techniques apply to other threshold ElGamal-like signatures as well. We prove the security of our schemes solely based on the hardness of forging a regular DSS signature.

[1]  Yvo Desmedt,et al.  Shared Generation of Authenticators and Signatures (Extended Abstract) , 1991, CRYPTO.

[2]  David Chaum,et al.  Multiparty unconditionally secure protocols , 1988, STOC '88.

[3]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[4]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[5]  David Chaum,et al.  Zero-Knowledge Undeniable Signatures , 1991, EUROCRYPT.

[6]  Yvo Desmedt,et al.  Threshold Cryptosystems , 1989, CRYPTO.

[7]  Markus Jakobsson,et al.  Proactive public key and signature systems , 1997, CCS '97.

[8]  Moti Yung,et al.  How to share a function securely , 1994, STOC '94.

[9]  Hugo Krawczyk,et al.  Robust and Efficient Sharing of RSA Functions , 1996, CRYPTO.

[10]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[11]  Silvio Micali,et al.  Optimal algorithms for Byzantine agreement , 1988, STOC '88.

[12]  Torben P. Pedersen Distributed Provers with Applications to Undeniable Signatures , 1991, EUROCRYPT.

[13]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[14]  Rainer A. Rueppel,et al.  Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem , 1994, EUROCRYPT.

[15]  R. J. McEliece,et al.  On sharing secrets and Reed-Solomon codes , 1981, CACM.

[16]  L. Harn Group-oriented (t, n) threshold digital signature scheme and digital multisignature , 1994 .

[17]  Susan K. Langford Threshold DSS Signatures without a Trusted Party , 1995, CRYPTO.

[18]  Silvio Micali,et al.  The Knowledge Complexity of Interactive Proof Systems , 1989, SIAM J. Comput..

[19]  T. Elgamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[20]  Yvo Desmedt,et al.  Society and Group Oriented Cryptography: A New Concept , 1987, CRYPTO.

[21]  Moti Yung,et al.  Witness-based cryptographic program checking and robust function sharing , 1996, STOC '96.

[22]  Patrick Horster,et al.  Meta-ElGamal signature schemes , 1994, CCS '94.

[23]  Hugo Krawczyk,et al.  Proactive Secret Sharing Or: How to Cope With Perpetual Leakage , 1995, CRYPTO.

[24]  Paul Feldman,et al.  A practical scheme for non-interactive verifiable secret sharing , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[25]  Rosario Gennaro,et al.  Theory and practice of verifiable secret sharing , 1996 .