Threshold schemes for cryptographic primitives

The Computer Security Division at the National Institute of Standards and Technology is interested in promoting the security of implementations of cryptographic primitives. This security depends not only on the theoretical properties of the primitives but also on the ability to withstand attacks on their implementations. It is thus important to mitigate breakdowns that result from differences between ideal and real implementations of cryptographic algorithms. This document gives an overview of the possibility of implementing cryptographic primitives using threshold schemes, where multiple components contribute to the operation in a way that attains the desired security goals even if f out of n of its components are compromised. There is also an identified potential for providing resistance against side-channel attacks, which exploit inadvertent leakage from real implementations. Security goals of interest include the secrecy of cryptographic keys, as well as enhanced integrity and availability, among others. This document considers challenges and opportunities related to the standardization of threshold schemes for cryptographic primitives. It includes examples illustrating security tradeoffs under variations of system model and adversaries. It enumerates several high-level characterizing features of threshold schemes, including the types of threshold, the communication interfaces (with the environment and between components), the executing platform (e.g., single device vs. multiple devices), and the setup and maintenance requirements. The document poses a number of questions, motivating aspects to take into account when considering standardization. A particular challenge is the development of criteria that may help guide a selection of threshold cryptographic schemes. An open question is deciding at what level each standard should be defined (e.g., specific base techniques vs. conceptualized functionalities) and which flexibility of parametrization it should allow.
Suitability to testing and validation of implementations is also a major concern to be addressed. Overall, the document intends to support discussion about standardization, including motivating engagement from stakeholders. This is a step towards enabling threshold cryptography within the US federal government and beyond.
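As an added worked example (not code from NIST or from the document), the following Python implements one standard base technique for the threshold setting described above, Shamir's k-of-n secret sharing over a prime field, and checks both halves of the threshold property: any k shares recover the key, and fewer than k shares are, over a small toy field, exhaustively shown to be consistent with every possible secret equally often. The field prime, the 3-of-5 parameters, the share indices and the sample secret are constructed for the example.

```python
"""
Worked example of a k-of-n threshold scheme: Shamir secret sharing over a
prime field. Added illustration of the threshold concept in the abstract;
not code from NIST or the document. The prime, share indices, parameters and
sample secret are constructed for the example.
"""
import itertools
import secrets

# Default field: 2**127 - 1 is a Mersenne prime; any prime larger than the
# secret works. The functions take `p` explicitly so that a small field can
# be used for exhaustive checks.
DEFAULT_P = 2**127 - 1


def eval_poly(coeffs, x, p):
    """Evaluate c0 + c1*x + c2*x^2 + ... at x, modulo p (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % p
    return result


def split_secret(secret, k, n, p=DEFAULT_P, rng=secrets.randbelow):
    """Split `secret` into n shares so that any k of them reconstruct it.

    The secret is the constant term of a random polynomial of degree k-1;
    share i is the point (i, f(i)). Returns a list of (x, y) pairs.
    """
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    if not 0 <= secret < p:
        raise ValueError("secret must lie in [0, p)")
    coeffs = [secret] + [rng(p) for _ in range(k - 1)]
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def reconstruct(shares, p=DEFAULT_P):
    """Recover f(0) from shares by Lagrange interpolation at x = 0.

    Correct only when at least k distinct shares are supplied; with fewer,
    the returned value is unrelated to the secret (see candidate_counts).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        # pow(den, -1, p) is the modular inverse (Python 3.8+).
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def candidate_counts(partial_shares, k, p):
    """For every candidate secret s in GF(p), count the degree-(k-1)
    polynomials with constant term s that pass through the given
    sub-threshold shares. Feasible only for small p; equal counts for all s
    mean the shares carry no information about the secret.
    """
    counts = {}
    for s in range(p):
        n_consistent = 0
        for tail in itertools.product(range(p), repeat=k - 1):
            coeffs = (s,) + tail
            if all(eval_poly(coeffs, x, p) == y for x, y in partial_shares):
                n_consistent += 1
        counts[s] = n_consistent
    return counts


def demo():
    """Share a random 127-bit key 3-of-5 and reconstruct it from every
    3-subset, then show over GF(13) that 2 shares fit every secret equally."""
    key = secrets.randbelow(DEFAULT_P)
    shares = split_secret(key, k=3, n=5)
    ok = all(reconstruct(list(subset)) == key
             for subset in itertools.combinations(shares, 3))
    toy_shares = split_secret(7, k=3, n=5, p=13)[:2]  # below the threshold
    counts = candidate_counts(toy_shares, k=3, p=13)
    return ok, counts


if __name__ == "__main__":
    ok, counts = demo()
    print("all 3-subsets reconstruct:", ok)
    print("polynomials per candidate secret (2 of 3 shares, GF(13)):", counts)
```

The exhaustive count is the information-theoretic argument made concrete: with k-1 shares fixed, every candidate constant term admits exactly one consistent polynomial, so an adversary holding f < k compromised components learns nothing about the key, which is the secrecy goal the abstract refers to. The large default field is what a real deployment would use; the toy field exists only to make the count feasible.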
