Revisiting the Distributed Key Generation for Discrete-Log Based Cryptosystems

A Distributed Key Generation (DKG) protocol is an essential component of any threshold cryptosystem. It is used to initialize the cryptosystem and generate its private and public keys, and it is used as a subprotocol, for example to generate a one-time key pair which is a part of any threshold El-Gamal-like signature scheme. Gennaro et al. showed [GJKR99] that a widely-known non-interactive DKG protocol suggested by Pedersen does not guarantee a uniformly random distribution of generated secret keys even in the static adversary model. Furthermore, Gennaro et al. proposed to replace this protocol with one that guarantees a uniform distribution of the generated key but requires an extra round of (broadcast) communication. We investigate the question whether some discrete-log based threshold cryptosystems remain secure when implemented using the more efficient DKG protocol of Pedersen, in spite of the fact that the adversary can skew the distribution of the secret key generated by this protocol. We answer this question in the positive. We show that threshold versions of some schemes whose security reduces to the hardness of the discrete logarithm problem, remain secure when implemented with Pedersen DKG. We exemplify this claim with a threshold Schnorr signature scheme. However, the resulting scheme has less efficient security reduction (in the random oracle model) to the hardness of the discrete logarithm problem than the same scheme implemented with the computationally more expensive DKG protocol of Gennaro et al. Thus our results imply a trade-off in the design of threshold versions of certain discrete-log based schemes between the round complexity of a protocol and the size of the modulus.

[1]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[2]  E. Bach Analytic methods in the analysis and design of number-theoretic algorithms , 1985 .

[3]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[4]  Yvo Desmedt,et al.  Society and Group Oriented Cryptography: A New Concept , 1987, CRYPTO.

[5]  Paul Feldman,et al.  A practical scheme for non-interactive verifiable secret sharing , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[6]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[7]  Judit Bar-Ilan,et al.  Non-cryptographic fault-tolerant computing in constant number of rounds of interaction , 1989, PODC '89.

[8]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[9]  Yvo Desmedt,et al.  Threshold Cryptosystems , 1989, CRYPTO.

[10]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[11]  Torben P. Pedersen A Threshold Cryptosystem without a Trusted Party (Extended Abstract) , 1991, EUROCRYPT.

[12]  David Chaum,et al.  Wallet Databases with Observers , 1992, CRYPTO.

[13]  H. Imai,et al.  Efficient and secure multiparty generation of digital signatures based on discrete logarithms , 1993 .

[14]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[15]  Jacques Stern,et al.  Security Proofs for Signature Schemes , 1996, EUROCRYPT.

[16]  K. Kurosawa,et al.  New EIGamal Type Threshold Digital Signature Scheme , 1996 .

[17]  Kaoru KUROSAWAzy New Elgamal Type Threshold Digital Signature Scheme , 1996 .

[18]  Markus Jakobsson,et al.  Proactive public key and signature systems , 1997, CCS '97.

[19]  Ronald Cramer,et al.  A Secure and Optimally Efficient Multi-Authority Election Scheme ( 1 ) , 2000 .

[20]  Tal Rabin,et al.  Simplified VSS and fast-track multiparty computations with applications to threshold cryptography , 1998, PODC '98.

[21]  Hugo Krawczyk,et al.  Adaptive Security for Threshold Cryptosystems , 1999, CRYPTO.

[22]  Ran Canetti,et al.  An Efficient Threshold Public Key Cryptosystem Secure Against Adaptive Chosen Ciphertext Attack , 1999, EUROCRYPT.

[23]  Hugo Krawczyk,et al.  Secure Distributed Key Generation for Discrete-Log Based Cryptosystems , 1999, EUROCRYPT.

[24]  Arjen K. Lenstra,et al.  Selecting Cryptographic Key Sizes , 2000, Public Key Cryptography.

[25]  Victor Shoup,et al.  Practical Threshold Signatures , 2000, EUROCRYPT.

[26]  Stanislaw Jarecki,et al.  Adaptively Secure Threshold Cryptography: Introducing Concurrency, Removing Erasures , 2000, EUROCRYPT.

[27]  Rosario Gennaro,et al.  Securing Threshold Cryptosystems against Chosen Ciphertext Attack , 1998, Journal of Cryptology.

[28]  Hugo Krawczyk,et al.  Robust Threshold DSS Signatures , 1996, Inf. Comput..

[29]  Stanislaw Jarecki Efficient threshold cryptosystems , 2001 .

[30]  Moti Yung,et al.  Adaptively secure distributed public-key systems , 2002, Theor. Comput. Sci..

[31]  Christian Cachin,et al.  Secure INtrusion-Tolerant Replication on the Internet , 2002, Proceedings International Conference on Dependable Systems and Networks.