Proactive RSA

The notion of "proactive security" of basic primitives and cryptosystems that are distributed among various servers was introduced in order to tolerate a very strong "mobile adversary." This adversary may corrupt all participants throughout the lifetime of the system in a non-monotonic fashion (i.e., recoveries are possible), but it is unable to corrupt too many participants during any short time period [OstrovskyYung]. The notion assures increased security and availability of the cryptographic primitive. We present a proactive RSA system in which a threshold of servers applies the RSA signature (or decryption) function in a distributed manner; RSA is perhaps the most important trapdoor function in use. Employing new combinatorial and elementary number-theoretic techniques, our protocol enables the dynamic updating of the servers (which hold the RSA key distributively); it is secure even when a linear number of the servers are corrupted during any time period (linear redundancy); it efficiently "self-maintains" the security of the function and its messages (ciphertexts or signatures); and it enables continuous availability, namely, correct function application using the shared key is possible at any time. We present an efficient way in which l servers can share an RSA private function so that, given 0 < < < 1:

Proactive (Dynamic) Robustness: A gateway G can combine information from any set of l (honest) servers to deduce the RSA signature for any authorized message at any period.

Proactive Security (against mobile adversary): Our protocol is secure against a polynomial-time adversary who controls the gateway G and time-variant sets of up to min{l(1 − ), l} servers, and can obtain the shares of up to l servers (including those that it corrupts).

Uniform Boundedness: The share size is always bounded by the size of an RSA private key (i.e., logarithmically in N).
We also present special practical instances based on designs; some of these instances were recently implemented as part of a highly secure application testbed at Sandia National Laboratories. A major technical difficulty in "proactivizing" RSA was the fact that the servers have to update the "distributed representation" of an RSA key while not learning the order of the group from which keys are drawn (in order not to compromise the RSA security).
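The two ideas the abstract leans on, distributed application of the RSA private function and a share update that never exposes the group order, can be seen in miniature in the following Python. This is an added illustration, not the paper's protocol: it uses plain additive sharing over the integers, so all l servers must contribute (l-out-of-l, not the threshold any-εl-servers property the paper obtains from combinatorial designs), the key is a textbook toy (N = 3233), and the function names, the dealer, the private channels for refresh values and the sample message are all assumptions made here. What it does show faithfully is why integer shares let servers refresh without knowing φ(N): the refresh values sum to zero, so the shared exponent d is unchanged while every individual share changes.

```python
"""Added example: additive function sharing of an RSA private exponent with a
proactive share refresh. Illustration only: l-out-of-l sharing, toy key size."""
import secrets

# Constructed toy RSA key (textbook primes; far too small for real use).
P, Q = 61, 53
N = P * Q                  # public modulus, 3233
PHI = (P - 1) * (Q - 1)    # group order, 3120: known to the dealer only
E = 17                     # public exponent
D = pow(E, -1, PHI)        # private exponent, 2753 (modular inverse, Python >= 3.8)


def mod_pow_signed(base, exp, mod):
    """base**exp mod `mod` for a possibly negative integer exponent.
    Shares drawn over the integers may be negative; a negative exponent is
    handled by inverting base mod N, which needs gcd(base, N) == 1
    (true for all but a negligible fraction of RSA messages)."""
    if exp >= 0:
        return pow(base, exp, mod)
    return pow(pow(base, -exp, mod), -1, mod)


def deal_additive_shares(d, n_servers, bound):
    """Dealer splits d into n_servers integer shares d_1..d_n with sum d.
    The shares live over the integers, not modulo phi(N), so the servers
    are never told the group order."""
    shares = [secrets.randbelow(bound) for _ in range(n_servers - 1)]
    shares.append(d - sum(shares))
    return shares


def partial_signature(message, share, modulus):
    """Server i computes its partial signature m^{d_i} mod N."""
    return mod_pow_signed(message, share, modulus)


def combine(partials, modulus):
    """Gateway G multiplies the partials: prod m^{d_i} = m^{sum d_i} = m^d."""
    sig = 1
    for part in partials:
        sig = (sig * part) % modulus
    return sig


def verify(message, signature, e, modulus):
    """Ordinary RSA verification against the public key (e, N)."""
    return pow(signature, e, modulus) == message


def proactive_refresh(shares, bound):
    """One proactive update period. Server i draws a zero-sum vector
    r_{i,1..n} and hands r_{i,j} to server j over a private channel
    (assumed). Server j sets d_j' = d_j + sum_i r_{i,j}. Every share changes,
    the sum (hence d) does not, and no party ever needs phi(N)."""
    n = len(shares)
    refresh_matrix = []
    for _ in range(n):
        row = [secrets.randbelow(2 * bound) - bound for _ in range(n - 1)]
        row.append(-sum(row))      # forces sum_j r_{i,j} == 0
        refresh_matrix.append(row)
    return [shares[j] + sum(refresh_matrix[i][j] for i in range(n))
            for j in range(n)]


if __name__ == "__main__":
    servers = 5
    shares = deal_additive_shares(D, servers, 1 << 64)
    m = 65                                  # constructed sample message
    sig = combine([partial_signature(m, s, N) for s in shares], N)
    print("signature valid:", verify(m, sig, E, N))
    refreshed = proactive_refresh(shares, 1 << 64)
    sig2 = combine([partial_signature(m, s, N) for s in refreshed], N)
    print("same signature after refresh:", sig2 == sig)
    print("all shares changed:", all(a != b for a, b in zip(shares, refreshed)))
```

Note what the toy does not give you: with additive l-out-of-l shares, one crashed server blocks signing and an attacker who reads any l − 1 shares learns nothing, but an attacker who reads all l over time learns d. The paper's contribution is precisely to get tolerance of a linear number of corrupted servers per period together with availability from any εl honest ones, while keeping the φ(N)-free update shown here and share sizes bounded by the size of d.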

[1] Markus Jakobsson et al. Proactive public key and signature systems, 1997, CCS '97.

[2] Moti Yung et al. How to share a function securely, 1994, STOC '94.

[3] Yair Frankel et al. A Practical Protocol for Large Group Oriented Networks, 1990, EUROCRYPT.

[4] Moti Yung et al. Witness-based cryptographic program checking and robust function sharing, 1996, STOC '96.

[5] Paul Feldman et al. A practical scheme for non-interactive verifiable secret sharing, 1987, 28th Annual Symposium on Foundations of Computer Science (SFCS 1987).

[6] Adi Shamir et al. A method for obtaining digital signatures and public-key cryptosystems, 1978, CACM.

[7] Rafail Ostrovsky et al. How To Withstand Mobile Virus Attacks, 1991, PODC 1991.

[8] Adi Shamir et al. How to share a secret, 1979, CACM.

[9] C. Moler et al. Advances in Cryptology, 2000, Lecture Notes in Computer Science.

[10] Moti Yung et al. Minimum-Knowledge Interactive Proofs for Decision Problems, 1989, SIAM J. Comput.

[11] Ran Canetti et al. Maintaining Security in the Presence of Transient Faults, 1994, CRYPTO.

[12] Adi Shamir et al. A method for obtaining digital signatures and public-key cryptosystems, 1978, CACM.

[13] Michael J. Fischer et al. A robust and verifiable cryptographically secure election scheme, 1985, 26th Annual Symposium on Foundations of Computer Science (SFCS 1985).

[14] G. R. Blakley. Safeguarding cryptographic keys, 1979, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[15] Yvo Desmedt et al. Shared Generation of Authenticators and Signatures (Extended Abstract), 1991, CRYPTO.