Authenticated broadcast with a partially compromised public-key infrastructure

Given a public-key infrastructure (PKI) and digital signatures, it is possible to construct broadcast protocols tolerating any number of corrupted parties. Almost all existing protocols, however, do not distinguish between corrupted parties (who do not follow the protocol), and honest parties whose secret (signing) keys have been compromised (but who continue to behave honestly). We explore conditions under which it is possible to construct broadcast protocols that still provide the usual guarantees (i.e., validity/agreement) to the latter. Consider a network of n parties, where an adversary has compromised the secret keys of up to tc honest parties and, in addition, fully controls the behavior of up to ta other parties. We show that for any fixed tc > 0, and any fixed ta, there exists an efficient protocol for broadcast if and only if 2ta+min(ta, tc) < n. (When tc = 0, standard results imply feasibility.) We also show that if tc, ta are not fixed, but are only guaranteed to satisfy the bound above, then broadcast is impossible to achieve except for a few specific values of n; for these "exceptional" values of n, we demonstrate a broadcast protocol. Taken together, our results give a complete characterization of this problem.
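The following is an added example, not code from the paper, that turns the feasibility bound stated above into a small checker: for fixed t_a (actively corrupted parties) and t_c > 0 (honest parties whose signing keys are compromised), broadcast among n parties is possible exactly when 2*t_a + min(t_a, t_c) < n, and for t_c = 0 the classical authenticated setting applies. The function names, the t_a + t_c <= n sanity check and the "maximum tolerable t_a" scan are this example's own assumptions; only the bound and the t_c = 0 remark come from the abstract. It also makes visible a consequence of the bound that the abstract does not spell out: once t_c >= t_a, the condition collapses to 3*t_a < n, so compromised keys that are at least as numerous as the actively corrupted parties remove any advantage the PKI would otherwise give.

```python
# Added example (not from the paper): feasibility of authenticated broadcast
# under the bound 2*t_a + min(t_a, t_c) < n, where
#   n   = number of parties,
#   t_a = parties whose behaviour the adversary fully controls,
#   t_c = honest parties whose secret signing keys the adversary has compromised.
# Function names and the t_a + t_c <= n check are assumptions of this example.

def broadcast_feasible(n: int, t_a: int, t_c: int) -> bool:
    """Return True if, per the abstract's characterization, an efficient
    broadcast protocol exists for fixed (t_a, t_c) among n parties."""
    if n <= 0 or t_a < 0 or t_c < 0:
        raise ValueError("n must be positive; t_a and t_c must be non-negative")
    if t_a + t_c > n:
        # Assumption of this example: compromised and corrupted parties are
        # distinct sets, so together they cannot exceed the whole network.
        raise ValueError("t_a + t_c cannot exceed n")
    if t_c == 0:
        # No honest party with a leaked key: the standard PKI-plus-signatures
        # setting, where broadcast tolerates any number of corrupted parties.
        return True
    return 2 * t_a + min(t_a, t_c) < n


def max_active_corruptions(n: int, t_c: int) -> int:
    """Largest t_a for which broadcast stays feasible with n parties and
    t_c > 0 compromised (but honest) keys, found by scanning the bound."""
    if t_c <= 0:
        raise ValueError("use t_c > 0; for t_c == 0 any t_a < n is tolerable")
    best = 0
    for t_a in range(0, n - t_c + 1):
        if broadcast_feasible(n, t_a, t_c):
            best = t_a
    return best


def reduces_to_unauthenticated_bound(t_a: int, t_c: int) -> bool:
    """True when min(t_a, t_c) == t_a, i.e. the bound reads 3*t_a < n:
    with this many leaked keys the PKI buys no extra tolerance."""
    return t_c >= t_a


if __name__ == "__main__":
    # Constructed sample network sizes to illustrate how leaked keys erode
    # the number of actively corrupted parties that can be tolerated.
    for n in (4, 7, 10):
        row = [max_active_corruptions(n, t_c) for t_c in range(1, n)]
        print(f"n={n:2d}  max t_a for t_c=1..{n-1}: {row}")
```

Reading the printed table for n = 10: with a single compromised key the protocol still tolerates four actively corrupted parties (2*4 + 1 = 9 < 10), but with four compromised keys only three (2*3 + 3 = 9 < 10), which is the familiar n > 3t threshold of broadcast without signatures.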
