Efficient threshold cryptosystems

Thesis (Ph.D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2001.Includes bibliographical references (p. 181-189).A threshold signature or decryption scheme is a distributed implementation of a cryptosystem, in which the secret key is secret-shared among a group of servers. These servers can then sign or decrypt messages by following a distributed protocol. The goal of a threshold scheme is to protect the secret key in a highly fault-tolerant way. Namely, the key remains secret, and correct signatures or decryptions are always computed, even if the adversary corrupts less than a fixed threshold of the participating servers. We show that threshold schemes can be constructed by putting together several simple distributed protocols that implement arithmetic operations, like multiplication or exponentiation, in a threshold setting. We exemplify this approach with two discrete-log based threshold schemes, a threshold DSS signature scheme and a threshold Cramer-Shoup cryptosystem. Our methodology leads to threshold schemes which are more efficient than those implied by general secure multi-party computation protocols. Our schemes take a constant number of communication rounds, and the computation cost per server grows by a factor linear in the number of the participating servers compared to the cost of the underlying secret-key operation. We consider three adversarial models of increasing strength. We first present distributed protocols for constructing threshold cryptosystems secure in the static adversarial model, where the players are corrupted before the protocol starts. Then, under the assumption that the servers can reliably erase their local data, we show how to modify these protocols to extend the security of threshold schemes to an adaptive adversarial model,(cont.) where the adversary is allowed to choose which servers to corrupt during the protocol execution. Finally we show how to remove the reliable erasure assumption. All our schemes withstand optimal thresholds of a minority of malicious faults in a realistic partially-synchronous insecure-channels communication model with broadcast. Our work introduces several techniques that can be of interest to other research on secure multi-party protocols, e.g. the inconsistent player simulation technique which we use to construct efficient schemes secure in the adaptive model, and the novel primitive of a simultaneously secure encryption which provides an efficient implementation of private channels in an adaptive and erasure-free model for a wide class of multi-party protocols. We include extensions of the above results to: (1) RSA-based threshold cryptosystems; and (2) stronger adversarial models than a threshold adversary, namely to proactive and creeping adversaries, who, under certain assumptions regarding the speed and detectability of corruptions, are allowed to compromise all or almost all of the participating servers.by StanisÅaw Jarecki.Ph.D