Secure Distributed Key Generation for Discrete-Log Based Cryptosystems

Distributed key generation is a main component of threshold cryptosystems and distributed cryptographic computing in general. Solutions to the distributed generation of private keys for discrete-log based cryptosystems have been known for several years and used in a variety of protocols and in many research papers. However, these solutions fail to provide the full security required and claimed by these works. We show how an active attacker controlling a small number of parties can bias the values of the generated keys, thus violating basic correctness and secrecy requirements of a key generation protocol. In particular, our attacks point out to the places where the proofs of security fail. Based on these findings we designed a distributed key generation protocol which we present here together with a rigorous proof of security. Our solution, that achieves optimal resiliency, can be used as a drop-in replacement for key generation modules as well as other components of threshold or proactive discrete-log based cryptosystems.

[1]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[2]  Hugo Krawczyk,et al.  Proactive Secret Sharing Or: How to Cope With Perpetual Leakage , 1995, CRYPTO.

[3]  Ronald Cramer,et al.  A secure and optimally efficient multi-authority election scheme , 1997, Eur. Trans. Telecommun..

[4]  Paul Feldman,et al.  A practical scheme for non-interactive verifiable secret sharing , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[5]  Markus Jakobsson,et al.  Proactive public key and signature systems , 1997, CCS '97.

[6]  K. Kurosawa,et al.  New EIGamal Type Threshold Digital Signature Scheme , 1996 .

[7]  H. Imai,et al.  Efficient and secure multiparty generation of digital signatures based on discrete logarithms , 1993 .

[8]  L. Harn Group-oriented (t, n) threshold digital signature scheme and digital multisignature , 1994 .

[9]  Rafail Ostrovsky,et al.  Deniable Encryption , 1997, IACR Cryptol. ePrint Arch..

[10]  Torben P. Pedersen A Threshold Cryptosystem without a Trusted Party (Extended Abstract) , 1991, EUROCRYPT.

[11]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[12]  T. Elgamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[13]  Yvo Desmedt,et al.  Threshold Cryptosystems , 1989, CRYPTO.

[14]  Moti Yung,et al.  Optimal-resilience proactive public-key cryptosystems , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[15]  Rosario Gennaro,et al.  Securing Threshold Cryptosystems against Chosen Ciphertext Attack , 1998, EUROCRYPT.

[16]  Hugo Krawczyk,et al.  Robust Threshold DSS Signatures , 1996, Inf. Comput..

[17]  Hugo Krawczyk,et al.  Adaptive Security for Threshold Cryptosystems , 1999, CRYPTO.