Multi Signature Schemes for RSA Jonas B. Erasmus Thursday 25 th - - PowerPoint PPT Presentation

▶

Nov 01, 2022 290 likes •500 views

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Multi Signature Schemes for RSA Jonas B. Erasmus Thursday 25 th April, 2019 Chair of Network Architectures and Services Department of

SLIDE 1

Chair of Network Architectures and Services Department of Informatics Technical University of Munich

Multi Signature Schemes for RSA

Jonas B. Erasmus

Thursday 25th April, 2019 Chair of Network Architectures and Services Department of Informatics Technical University of Munich

SLIDE 2

Introduction

Introduction to Signing Board of Directors

everyone needs to sign a contract (do

they?)

private keys of members are different (and

may not be shared)

but we don’t want 16 signatures from

16 managers! Certificate Authority

one employee signs a certificate
certificates are only signed if website has

been cleared for signing

did the employee check everything?

What to do ?

J. Erasmus — Multi Signing

SLIDE 3

Introduction

Multi Signing Sign the signature of the predecessor to generate a new signature, and RSA makes this possible

1. Sign the message and send to next
2. Next participant signs the signature (again) and sends it to next (repeat for all participants)
3. The final signature can be verified using a single public key => the verification is not differ-

ence to a normal signature

Figure 1: Three Signers Multi-Signing

J. Erasmus — Multi Signing

SLIDE 4

Introduction

What we will talk about Fundamentals Multi key Signing Secret Sharing What Now?

J. Erasmus — Multi Signing

SLIDE 5

Fundamentals

Fundamentals RSA Certificate Authorites Multi key Signing Secret Sharing What Now?

J. Erasmus — Multi Signing

SLIDE 6

RSA

Public - Private Keypairs Key Generation

Generates two keys (one private e, one public d)
Uses specific "backdoor" information
Knowing only one key (and no backdoor), the other cannot be computed

RSA encryption

c = RSA(M, k) = Mk

mod n

The same function encrypting, also decrypts with the inverse key
Signing (encrypting) identifies the sender of the message
J. Erasmus — Multi Signing

SLIDE 7

RSA

Use case Procedure

1. Sign the message c = RSA(H, e)
2. Send the message c
3. Any receiver can verify the signature with H = RSA(c, d)

Requirements

Public key is trusted (and is accessible by everyone)
Private key is not compromised
H is the hash(M)
Message still needs encryption
J. Erasmus — Multi Signing

SLIDE 8

RSA

Properties

Stackable: RSA(RSA(M, d1), d2) = RSA(M, d1.d2)
Commutative: RSA(RSA(M, d1), d2) = RSA(RSA(M, d2), d1)
Solvable: for any d1.d2..dn an inverse key e exists
J. Erasmus — Multi Signing

SLIDE 9

Certificate Authorites

Quick Reminder CAs are part of the PKI (public key infrastructure). Buzzwords

PKI
Certificate
Chain of Trust
Miss Signings
Certificate Revocation
DigiNotar
J. Erasmus — Multi Signing

SLIDE 10

Multi key Signing

Fundamentals Multi key Signing Boyd’s Idea The Problem of More Keys Secret Sharing What Now?

J. Erasmus — Multi Signing

SLIDE 11

Boyd’s Idea

Theory Brought up by Colin Boyd 1988 [1]

1. Signer A sign message as normal
2. Signer B can verify the signature with RSA(psig, d2.e)
3. If everything is fine the presignature is signed (again)
4. The final signature can be verified by only knowing the public key e

Figure 2: Dual Key Signing

J. Erasmus — Multi Signing

SLIDE 12

Boyd’s Idea

Example Implementation Let’s see it in action (Based on Dr. Holger Kinkelin’s code of basic RSA)

J. Erasmus — Multi Signing

SLIDE 13

The Problem of More Keys

Naive Approach Singing with more than 2 signers. Problems for centre signer (not first/not last)

1. Get presignature from previous signer
2. verify signature
3. sign and send to next signer

How to verify the presignature? Only public key and local secret are known. Needs all secrets of next signers RSA(psig, d2..dn.e) Blind signing is NOT an option

J. Erasmus — Multi Signing

SLIDE 14

The Problem of More Keys

Existing Multi Key Schemes Fix the inability to "centre" signers to verify the signature. Common Requirements

Signing must be in specific order
Not applicable to RSA (uses other/special ciphers)
Signers are handed additional information

OR Identity-Based signing (or other attribute based schemes)

J. Erasmus — Multi Signing

SLIDE 15

Secret Sharing

Fundamentals Multi key Signing Secret Sharing What Now?

J. Erasmus — Multi Signing

SLIDE 16

Secret Sharing

The Idea Most common used (also for RSA): Adi Shamir’s secret sharing (1979, [4]) Split a secret into n parts and distribute it to n entities All n are needed to recompute the secret OR Only t < n are needed; (t,n)-threshold schemes

J. Erasmus — Multi Signing

SLIDE 17

Secret Sharing

Application

Signers only know partial key, central authority computes master key from parts
Use in secret multi party computation [2]
Exploit advantages of (t,n)-threshold schemes

Problem: What if a party is not truthful about their algorithm/key part? verifiable secret sharing (VSS, [3])

J. Erasmus — Multi Signing

SLIDE 18

What Now?

Interesting Questions

Is multi-party signing needed?

(+) Strong cryptographic cipher (-) Can be replaced by company policy

Use multi-signing to spread power (crowd sourced CAs?)
IoT application (already used with attribute based signing)

Questions / Ideas ?

J. Erasmus — Multi Signing

SLIDE 19

Bibliography

[1]

C. Boyd.

Some application of multi key ciphers. Advances in Cryptology - EUROCRYPT ’88, 1988. [2]

A. Mauland.

Realizing distributed rsa using secure multiparty computations. 2009. [3]

T. P

. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. Advances in Cryptology — CRYPTO ’91, pages 129–140, 1992. [4]

A. Shamir.

How to share a secret. Communications of the ACM. 22 (11), 22:612–613, 1979.

J. Erasmus — Multi Signing