Delivery of Secret Messages
Distributed CA
Based on Threshold Cryptography
Taejoon Park
March 17, 2004
Corrupted Messenger ?
2
Secret Splitting
Threshold Cryptography
Invented by A. Shamir
How to share a secret, Communications of the ACM ,
22(11), pp. 612~613, 1979
(n,t) Secret Sharing
Distributed CAs
Generate a set of n shares (k1,…,kn) from
secret k such that:
u No information about k can be learned
from up to t of the n shares
u k can be recovered from any t+1 shares
partial signatures
3
Example (3,1) Scheme
y
COCA: Cornell On-line CA
g(x) = k + a x (mod q)
(x 1,g(x 1))
4
Proposed by Zhou et al.
COCA: A Secure Distributed On-line Cert Authority,
ACM Tr. on Computer Systems , 20(4), Nov 2002
(x 3,g(x 3))
Objective
(x 2,g(x 2))
A Fault-tolerant and secure on-line CA
k
Preliminaries
x
u
u
Given any 2 shares, g(x) can be
reconstructed using interpolation
5
Certificate: binding btw client_id & public key
CA: attests to the validity of bindings by issuing
digitally signed certificates
6
1
Overview of COCA
Certificate Update
To compute {cid,c+} k
when no server holds k
c+,c-
p+,p-,k p
request
q+,q-,k q
p+,p-,k p
c+,cR = {Upd,cid,c+}c-
reponse
COCA Client
thresh_sign
q computes a partial signature
on • using its share k q
p computes { • }k from at least
t+1 partial signatures
{p,R,cert}p-
COCA Servers
7
Certificate Query
8
Proactive Secret Sharing
Problem
c+,c-
R = {Qry ,c,cid}c-
p+,p-,k p
Security is assured if the adversary compromises
less than t of n servers throughout the entire life-time
of the system.
q+,q-,k q
{R,cert}k
{q,partial_sig(R,cert,k q)}q-
9
Solution
u
Periodically renew shares without changing k
g’(x) = g(x) + d(x) where d(0) = 0
u
Server p generates dp(x), then computes and
sends to all other servers, dp(q)
u
Server q computes k q += d1(q) + … + dn(q)
10
2