Chair of Network Architectures and Services Department of Informatics Technical University of Munich Multi Signature Schemes for RSA Jonas B. Erasmus Thursday 25 th April, 2019 Chair of Network Architectures and Services Department of Informatics Technical University of Munich
Introduction Introduction to Signing Board of Directors Certificate Authority • everyone needs to sign a contract (do • one employee signs a certificate they?) • certificates are only signed if website has • private keys of members are different (and been cleared for signing may not be shared) • did the employee check everything? • but we don’t want 16 signatures from 16 managers! What to do ? J. Erasmus — Multi Signing 2
Introduction Multi Signing Sign the signature of the predecessor to generate a new signature, and RSA makes this possible 1. Sign the message and send to next 2. Next participant signs the signature (again) and sends it to next (repeat for all participants) 3. The final signature can be verified using a single public key => the verification is not differ- ence to a normal signature Figure 1: Three Signers Multi-Signing J. Erasmus — Multi Signing 3
Introduction What we will talk about Fundamentals Multi key Signing Secret Sharing What Now? J. Erasmus — Multi Signing 4
Fundamentals Fundamentals RSA Certificate Authorites Multi key Signing Secret Sharing What Now? J. Erasmus — Multi Signing 5
RSA Public - Private Keypairs Key Generation • Generates two keys (one private e , one public d ) • Uses specific "backdoor" information • Knowing only one key (and no backdoor), the other cannot be computed RSA encryption • c = RSA ( M , k ) = M k mod n • The same function encrypting, also decrypts with the inverse key • Signing (encrypting) identifies the sender of the message J. Erasmus — Multi Signing 6
RSA Use case Procedure 1. Sign the message c = RSA ( H , e ) 2. Send the message c 3. Any receiver can verify the signature with H = RSA ( c , d ) Requirements • Public key is trusted (and is accessible by everyone) • Private key is not compromised • H is the hash ( M ) • Message still needs encryption J. Erasmus — Multi Signing 7
RSA Properties • Stackable: RSA ( RSA ( M , d 1), d 2) = RSA ( M , d 1. d 2) • Commutative: RSA ( RSA ( M , d 1), d 2) = RSA ( RSA ( M , d 2), d 1) • Solvable: for any d 1. d 2.. dn an inverse key e exists J. Erasmus — Multi Signing 8
Certificate Authorites Quick Reminder CAs are part of the PKI (public key infrastructure). Buzzwords • PKI • Certificate • Chain of Trust • Miss Signings • Certificate Revocation • DigiNotar J. Erasmus — Multi Signing 9
Multi key Signing Fundamentals Multi key Signing Boyd’s Idea The Problem of More Keys Secret Sharing What Now? J. Erasmus — Multi Signing 10
Boyd’s Idea Theory Brought up by Colin Boyd 1988 [1] 1. Signer A sign message as normal 2. Signer B can verify the signature with RSA ( psig , d 2. e ) 3. If everything is fine the presignature is signed (again) 4. The final signature can be verified by only knowing the public key e Figure 2: Dual Key Signing J. Erasmus — Multi Signing 11
Boyd’s Idea Example Implementation Let’s see it in action (Based on Dr. Holger Kinkelin’s code of basic RSA) J. Erasmus — Multi Signing 12
The Problem of More Keys Naive Approach Singing with more than 2 signers. Problems for centre signer (not first/not last) 1. Get presignature from previous signer 2. verify signature 3. sign and send to next signer How to verify the presignature? Only public key and local secret are known. Needs all secrets of next signers RSA ( psig , d 2.. dn . e ) Blind signing is NOT an option J. Erasmus — Multi Signing 13
The Problem of More Keys Existing Multi Key Schemes Fix the inability to "centre" signers to verify the signature. Common Requirements • Signing must be in specific order • Not applicable to RSA (uses other/special ciphers) • Signers are handed additional information OR Identity-Based signing (or other attribute based schemes) J. Erasmus — Multi Signing 14
Secret Sharing Fundamentals Multi key Signing Secret Sharing What Now? J. Erasmus — Multi Signing 15
Secret Sharing The Idea Most common used (also for RSA): Adi Shamir’s secret sharing (1979, [4]) Split a secret into n parts and distribute it to n entities All n are needed to recompute the secret OR Only t < n are needed; (t,n)-threshold schemes J. Erasmus — Multi Signing 16
Secret Sharing Application • Signers only know partial key, central authority computes master key from parts • Use in secret multi party computation [2] • Exploit advantages of (t,n)-threshold schemes Problem: What if a party is not truthful about their algorithm/key part? verifiable secret sharing (VSS, [3]) J. Erasmus — Multi Signing 17
What Now? Interesting Questions • Is multi-party signing needed? (+) Strong cryptographic cipher (-) Can be replaced by company policy • Use multi-signing to spread power (crowd sourced CAs?) • IoT application (already used with attribute based signing) Questions / Ideas ? J. Erasmus — Multi Signing 18
Bibliography [1] C. Boyd. Some application of multi key ciphers. Advances in Cryptology - EUROCRYPT ’88 , 1988. [2] A. Mauland. Realizing distributed rsa using secure multiparty computations. 2009. [3] T. P . Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. Advances in Cryptology — CRYPTO ’91 , pages 129–140, 1992. [4] A. Shamir. How to share a secret. Communications of the ACM. 22 (11) , 22:612–613, 1979. J. Erasmus — Multi Signing 19
Recommend
More recommend