Secure Applications of Pedersen’s Distributed Key Generation Protocol

  • Conference paper
  • In: Topics in Cryptology — CT-RSA 2003 (CT-RSA 2003)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2612)

Abstract

A Distributed Key Generation (DKG) protocol is an essential component of any threshold cryptosystem. It is used to initialize the cryptosystem and generate its private and public keys, and it is used as a subprotocol, for example to generate a one-time key pair which is a part of any threshold El-Gamal-like signature scheme. Gennaro et al. showed [GJKR99] that a widely-known non-interactive DKG protocol suggested by Pedersen does not guarantee a uniformly random distribution of generated secret keys, even in the static adversary model. Furthermore, Gennaro et al. proposed to replace this protocol with one that guarantees a uniform distribution of the generated key but requires an extra round of reliable broadcast communication.

We investigate whether some discrete-log based threshold cryptosystems remain secure when implemented using the more efficient DKG protocol of Pedersen, in spite of the fact that the adversary can skew the distribution of the secret key generated by this protocol. We answer this question in the positive. We show that threshold versions of some schemes whose security reduces to the hardness of the discrete logarithm problem remain secure when implemented with Pedersen DKG. We exemplify this claim with a threshold Schnorr signature scheme.
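The mechanics behind the two preceding paragraphs, as an added example that is not code from the paper: a Python simulation of Pedersen's DKG (each party deals a Feldman VSS, QUAL is the set of dealers whose shares verify, y is the product of the QUAL commitments), the GJKR99 bias in which a rushing adversary controlling two parties reads the honest commitments and then decides which of its own parties to get disqualified so that y lands in a chosen half of the key space, and threshold Schnorr signing on the resulting shares. Everything beyond that outline is an assumption of the example rather than something the paper states: the toy 11-bit group (p = 2039, q = 1019, g = 4), the rule that a dealer caught with any invalid share is disqualified outright (standing in for the complaint and justification round a corrupt dealer can simply refuse to answer), "the integer representation of y is even" as the adversary's target property, and the s = k + e·x Schnorr convention.

```python
"""Toy simulation (added example, not code from the paper): Pedersen's DKG built from Feldman VSS,
the GJKR99 bias of the generated public key, and threshold Schnorr signing on the DKG shares."""
import hashlib
import math
import random

P, Q, G = 2039, 1019, 4   # ASSUMED toy group: P = 2Q + 1, G = 2^2 generates the order-Q subgroup (not a secure size)
N, T = 5, 2               # N parties, degree-T sharing: any T + 1 shares reconstruct; N >= 2T + 1 for robustness


def feldman_deal(rng):
    """Dealer picks a random degree-T polynomial f over Z_Q, commits A_k = G^a_k, and evaluates f(j), j = 1..N."""
    coeffs = [rng.randrange(Q) for _ in range(T + 1)]
    commits = [pow(G, a, P) for a in coeffs]
    shares = {j: sum(a * pow(j, k, Q) for k, a in enumerate(coeffs)) % Q for j in range(1, N + 1)}
    return commits, shares

def feldman_check(j, share, commits):
    """Receiver j verifies its share against the broadcast commitments: G^share == prod_k A_k^(j^k)."""
    return pow(G, share, P) == math.prod(pow(a_k, pow(j, k, Q), P) for k, a_k in enumerate(commits)) % P

def lagrange_at_zero(points):
    """Interpolate at 0 over Z_Q the degree-T polynomial through the given (j, value) pairs."""
    total = 0
    for j, v in points:
        num = den = 1
        for m, _ in points:
            if m != j:
                num = num * (-m) % Q
                den = den * (j - m) % Q
        total = (total + v * num * pow(den, -1, Q)) % Q
    return total

def pedersen_dkg(rng, corrupt=(), want=None):
    """One DKG run: every party deals a Feldman VSS of a random value; QUAL = dealers whose shares all
    verified; x = sum of QUAL secrets (never assembled), y = product of the QUAL A_0 commitments.
    With `want` set, the corrupt parties act as a rushing adversary: they read every honest A_0 first, then
    choose which of themselves to get disqualified (by sending bad shares) so that y satisfies `want`.
    ASSUMED simplification: a dealer with any invalid share is disqualified outright, standing in for the
    complaint/justification round of the real protocol, which a corrupt dealer can simply refuse to answer."""
    deals = {i: feldman_deal(rng) for i in range(1, N + 1)}       # deals[i] = (commitments, shares) of dealer i
    sabotage = set()
    if want is not None and corrupt:
        honest_part = math.prod(deals[i][0][0] for i in range(1, N + 1) if i not in corrupt) % P
        for mask in range(1 << len(corrupt)):                      # every subset of corrupt dealers to keep in QUAL
            keep = [c for idx, c in enumerate(corrupt) if mask >> idx & 1]
            if want(honest_part * math.prod(deals[c][0][0] for c in keep) % P):
                sabotage = set(corrupt) - set(keep)
                break
    qual = []
    for i in range(1, N + 1):
        ok = True
        for j in range(1, N + 1):
            s = deals[i][1][j]
            if i in sabotage and j not in corrupt:
                s = (s + 1) % Q                                     # deliberately wrong share to an honest party
            ok = ok and feldman_check(j, s, deals[i][0])
        if ok:
            qual.append(i)
    x_shares = {j: sum(deals[i][1][j] for i in qual) % Q for j in range(1, N + 1)}
    return qual, x_shares, math.prod(deals[i][0][0] for i in qual) % P

def schnorr_challenge(msg, R):
    return int.from_bytes(hashlib.sha256(msg + R.to_bytes(2, "big")).digest(), "big") % Q

def threshold_schnorr_sign(rng, msg, x_shares, signers):
    """Threshold Schnorr (s = k + e*x convention): a second DKG gives one-time shares k_j and R = G^k; each
    signer j publishes sigma_j = k_j + e*x_j, and any T + 1 partials interpolate to s = k + e*x."""
    _, k_shares, R = pedersen_dkg(rng)
    e = schnorr_challenge(msg, R)
    return R, lagrange_at_zero([(j, (k_shares[j] + e * x_shares[j]) % Q) for j in signers])

def schnorr_verify(msg, y, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(y, schnorr_challenge(msg, R), P) % P

def bias_experiment(trials, seed=1):
    """Fraction of runs with even y: about 1/2 when everyone is honest, about 15/16 when two corrupt
    parties pick the best of the four QUAL subsets they control."""
    want = lambda y: y % 2 == 0
    rng = random.Random(seed)
    honest = sum(want(pedersen_dkg(rng)[2]) for _ in range(trials)) / trials
    attacked = sum(want(pedersen_dkg(rng, corrupt=(1, 2), want=want)[2]) for _ in range(trials)) / trials
    return honest, attacked

def demo(seed=7):
    """Honest DKG, share consistency, a signature from 3 of the 5 parties, and a tampered s that must fail."""
    rng = random.Random(seed)
    qual, x_shares, y = pedersen_dkg(rng)
    x = lagrange_at_zero([(j, x_shares[j]) for j in (1, 3, 5)])    # reconstruction only to check consistency
    msg = b"pay 10 to bob"
    R, s = threshold_schnorr_sign(rng, msg, x_shares, signers=(2, 4, 5))
    return {"qual": qual, "key_consistent": pow(G, x, P) == y,
            "sig_ok": schnorr_verify(msg, y, (R, s)), "tampered_ok": schnorr_verify(msg, y, (R, (s + 1) % Q))}

if __name__ == "__main__":
    print(demo())
    print("P[y even] honest vs attacked:", bias_experiment(400))
```

The honest runs land on an even y about half the time; the attacked runs do so in roughly 15 of 16 runs, because two corrupt dealers can steer QUAL into any of four subsets and only need one of the four candidate keys to have the wanted property. With t corrupt parties the choice grows to 2^t candidates. The signing half shows why the shares are still usable: the partial signatures sigma_j lie on a single degree-t polynomial whose constant term is k + e·x, so any t + 1 of them interpolate to a valid Schnorr signature. What the simulation does not show is the paper's actual claim, namely that this bias costs only a looser security reduction rather than security itself.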

However, the resulting scheme has a less efficient security reduction (in the random oracle model) from the hardness of the discrete logarithm problem than the same scheme implemented with the computationally more expensive DKG protocol of Gennaro et al. Thus our results imply a trade-off in the design of threshold versions of certain discrete-log based schemes between the round complexity of the protocol and the size of the modulus.


References

  1. E. Bach. Analytic Methods in the Analysis and Design of Number-Theoretic Algorithms. ACM Distinguished Dissertation (1984). MIT Press, Cambridge, MA, 1985.

  2. J. Bar-Ilan and D. Beaver. Non-cryptographic fault-tolerant computing in a constant number of rounds. In Proc. 8th ACM Symp. on Principles of Distributed Computing, pages 201–209, 1989.

  3. M. Bellare and P. Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In ACM Conference on Computer and Communications Security, pages 62–73, 1993.

  4. R. Canetti and S. Goldwasser. An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack. In Eurocrypt '99, pages 90–106, 1999. LNCS No. 1592.

  5. R. Canetti, R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Adaptive security for threshold cryptosystems. In Crypto '99, pages 98–115. Springer-Verlag, 1999. LNCS No. 1666.

  6. R. Cramer, R. Gennaro, and B. Schoenmakers. A secure and optimally efficient multi-authority election scheme. In Eurocrypt '97, pages 103–118, 1997. LNCS No. 1233.

  7. D. Chaum and T. Pedersen. Wallet databases with observers. In Crypto '92, pages 89–105, 1992. LNCS No. 740.

  8. C. Cachin and J. A. Poritz. Secure Intrusion-tolerant Replication on the Internet. In Proc. Intl. Conference on Dependable Systems and Networks (DSN-2002), Washington DC, USA. IEEE, 2002. (See also http://eprint.iacr.org/)

  9. M. Cerecedo, T. Matsumoto, and H. Imai. Efficient and secure multiparty generation of digital signatures based on discrete logarithms. IEICE Trans. Fundamentals, E76-A(4):532–545, 1993.

  10. Y. Desmedt. Society and group oriented cryptography: A new concept. In Crypto '87, pages 120–127, 1987. LNCS No. 293.

  11. Y. Desmedt and Y. Frankel. Threshold cryptosystems. In Crypto '89, pages 307–315, 1989. LNCS No. 435.

  12. P. Feldman. A Practical Scheme for Non-Interactive Verifiable Secret Sharing. In Proc. 28th FOCS, pages 427–437. IEEE, 1987.

  13. A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Crypto '86, pages 186–194, 1986. LNCS No. 263.

  14. Y. Frankel, P. D. MacKenzie, and M. Yung. Adaptively-secure distributed public key systems. In Algorithms – ESA '99, 7th Annual European Symposium, Prague, pages 4–27, 1999. LNCS No. 1643.

  15. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust threshold DSS signatures. Information and Computation, 164:54–84, 2001.

  16. R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. The (in)security of distributed key generation in dlog-based cryptosystems. In Eurocrypt '99, pages 295–310, 1999. LNCS No. 1592.

  17. S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing, 17(2):281–308, April 1988.

  18. R. Gennaro, M. Rabin, and T. Rabin. Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In Proc. 17th ACM Symp. on Principles of Distributed Computing. ACM, 1998.

  19. L. Harn. Group oriented (t, n) digital signature scheme. IEE Proc. Comput. Digit. Tech., 141(5):307–313, September 1994.

  20. A. Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk, and M. Yung. Proactive public key and signature systems. In 1997 ACM Conference on Computer and Communications Security, 1997.

  21. S. Jarecki. Efficient Threshold Cryptosystems. MIT PhD Thesis, June 2001. http://theory.lcs.mit.edu/~cis/cis-theses.html

  22. S. Jarecki and A. Lysyanskaya. Adaptively secure threshold cryptosystems without erasures. In Eurocrypt '00, pages 221–242, 2000. LNCS No. 1807.

  23. C.-H. Li, T. Hwang, and N.-Y. Lee. (t, n) threshold signature schemes based on discrete logarithm. In Eurocrypt '94, pages 191–200, 1994. LNCS No. 950.

  24. A. K. Lenstra and E. R. Verheul. Selecting Cryptographic Key Sizes. Journal of Cryptology, 14(4):255–293, 2001.

  25. T. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In Crypto '91, pages 129–140, 1991.

  26. T. Pedersen. A threshold cryptosystem without a trusted party. In Eurocrypt '91, pages 522–526, 1991. LNCS No. 547.

  27. C. Park and K. Kurosawa. New ElGamal Type Threshold Digital Signature Scheme. IEICE Trans. Fundamentals, E79-A(1):86–93, January 1996.

  28. D. Pointcheval and J. Stern. Security Proofs for Signature Schemes. In Eurocrypt '96, pages 387–398, 1996. LNCS No. 1070.

  29. A. Shamir. How to Share a Secret. CACM, 22:612–613, 1979.

  30. C. P. Schnorr. Efficient identification and signatures for smart cards. In Crypto '89, pages 235–251, 1989. LNCS No. 435.

  31. V. Shoup. Practical threshold signatures. In Eurocrypt '00, pages 207–220. Springer-Verlag, 2000.

  32. V. Shoup and R. Gennaro. Securing threshold cryptosystems against chosen ciphertext attack. In Eurocrypt '98, pages 1–16, 1998. LNCS No. 1403.

  33. W. Dai. Benchmarks for the Crypto++ 4.0 library performance. Available at http://www.eskimo.com/~weidai/cryptlib.html

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T. (2003). Secure Applications of Pedersen’s Distributed Key Generation Protocol. In: Joye, M. (eds) Topics in Cryptology — CT-RSA 2003. CT-RSA 2003. Lecture Notes in Computer Science, vol 2612. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36563-X_26

  • DOI: https://doi.org/10.1007/3-540-36563-X_26

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00847-7

  • Online ISBN: 978-3-540-36563-1
