Method For Authenticated Communication In Dynamic Federated Environments

Information

  • Patent Application
  • 20100037055
  • Publication Number
    20100037055
  • Date Filed
    August 11, 2008
    16 years ago
  • Date Published
    February 11, 2010
    14 years ago
Abstract
According to one embodiment of the present invention, a method for protecting authenticated communication in dynamic federated environments is provided. The method includes distributing shares of a private signature key to a group of users. When switching from an existing to a new group of users, the method includes producing a plurality of sub-shares from each of the distributed shares of existing users, with each sub-share being accompanied by a corresponding validity proof. The sub-shares from multiple existing users are combined to generate a set of shares for new users, with each new share being derived from sub-shares from multiple existing users.
Description
BACKGROUND

The present invention relates to authenticated communication, and more specifically, to authenticated communication in dynamic federated environments.


Some cryptosystems, called “threshold cryptosystems” require a number of parties to cooperate in a decryption protocol in order to decrypt a message. In such systems, a message may be encrypted using a public key and the corresponding private key may be shared among participating parties. A minimum threshold number of the total number of parties must participate in order to decrypt the message. One example of a threshold cryptosystem is a “threshold signature scheme”, where a minimum number of parties are required for creating a signature.


Threshold signature schemes enable a group of distributed processes to create cryptographic signatures on messages in a way that does not require any individual group member to know the signature key. Instead, each member process receives a share of the key which it can use to generate signature fragments, and any other process (either member or third-party client) can combine the fragments to generate a complete signature. A minimum threshold number of member processes ought to generate valid fragments in order to enable the reconstruction of complete signatures by other processes.


In threshold signature schemes it is desirable to be able to render the key share of ex-members useless. Proactive signature schemes, a special class of threshold signature schemes where private key shares held by the cluster members can be refreshed by means of an interactive protocol.


Another desirable feature in threshold signature schemes is to be able to grant new shares to incoming members. Verifiable secret redistribution (VSR) is a protocol that redistributes shares of a secret (for example, a private key) from an old set of members to a new, possibly disjoint one, in such a way that new shares cannot be combined with old shares to reconstruct the original secret.


SUMMARY

According to one embodiment of the present invention, a method comprises: distributing shares of a private signature key to a group of users; producing a plurality of sub-shares from each of the distributed shares, with each sub-share being accompanied by a corresponding validity proof; and combining the sub-shares from multiple existing users at each one of a set of new users to generate a set of new shares, each new share being derived from sub-shares from multiple users.


According to another embodiment of the present invention, a method comprises: distributing shares of a private key to a group of computer systems; allowing members of the group to authenticate to at least one client that knows a public key for the group; and redistributing shares from the group to another set of computer systems.


According to a further embodiment of the present invention, a system comprises: a plurality of computer systems, each having a share of a private signature key; the plurality of computer systems each having a means for producing a plurality of sub-shares from each of the shares, with each sub-share being accompanied by a corresponding validity proof; a client computer receiving the sub-shares and the corresponding validity proofs, and generating a set of new shares, each new share being derived from sub-shares from multiple ones of the computer systems; and the client computer redistributing the new set of shares to a new group of users.


According to another embodiment of the present invention, a computer program product for authenticating communications comprises: a computer usable medium having computer usable program code embodied therewith, the computer usable program code comprising: computer usable program code configured to: distribute shares of a private signature key to a group of users; produce a plurality of sub-shares from each of the distributed shares, with each sub-share being accompanied by a corresponding validity proof; and combine the sub-shares from multiple existing users at each one of a set of new users to generate a set of new shares, each new share being derived from sub-shares from multiple users.





BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS


FIG. 1 shows a diagram of a threshold sharing process in accordance with an embodiment of the invention;



FIG. 2 shows a diagram of a redistribution of key shares process in accordance with an embodiment of the invention;



FIG. 3 shows a diagram of a process for the redistribution of key shares with failed shares in accordance with an embodiment of the invention;



FIG. 4 shows a diagram of a process for the redistribution of key shares with validity proofs in accordance with an embodiment of the invention;



FIG. 5 shows a table of performance parameters in authenticating communications in accordance with an embodiment of the invention;



FIG. 6 shows a flowchart of a method for authenticated communication in accordance with an embodiment of the invention;



FIG. 7 shows a high level block diagram of an information processing system useful for implementing one embodiment of the present invention.





DETAILED DESCRIPTION

Embodiments of the invention provide service authentication in applications that are structured as dynamically changing federation of distributed agents. One aspect of the invention is a method for verifiable threshold signature redistribution (VTSR) schemes. The invention builds on the work of threshold and proactive signature schemes, and on VSR protocols, but it overcomes the limitations of alternative solutions based only on threshold and proactive signature schemes and on VSR protocols (discussed above) by integrating efficient techniques for Non-Interactive Zero-Knowledge (NIZK) proofs and for Dispute Control.


Embodiments of the invention have the ability to redistribute shares of a private key from old cluster to a new set of agent workers, so that signature fragments created with old key shares cannot be combined with fragments created with new key shares to generate a valid signature.


Embodiments also incorporate a verification capability that enables replacement workers to confirm that they have received valid shares of the private key. In particular, the protocol includes a phase for catching malicious old agents that try to cause new agents to receive bogus shares that would generate signature fragments which cannot be combined together to generate a proper signature.


Embodiments of the invention also offer improvements over solutions based on VSR protocols in terms of both functionality and efficiency. In terms of functionality, the improvement over the state of the art results from a distributed signature generation method. With the present invention, the signing key is split into key shares that can individually be used to generate signature fragments. A complete signature can then be recovered by recombining m-out-of-n valid signature fragments. Thus, with the present invention, there is no point in time when the secret signing key is entirely stored at a single place in the system.


As for efficiency, embodiments of the invention may dramatically reduce the amount of work necessary in the redistribution phase to verify the correctness of the redistributed shares. In solutions based on prior art, such verification may have required expensive combinatorial checks that could lead to a run-time exponential in the number of agents in the cluster. The present invention may employ non-interactive zero-knowledge (NIZK) proofs and other verification techniques to guarantee a worst-case run-time that is only polynomial in the cluster's size. A short analysis of the expected computation time for various phases of the new scheme shows that the NIZK-related steps do not create a bottleneck for the system, as they are an order of magnitude faster than some of the signature-related operations (discussed in more detail below).


Furthermore, embodiments of the present invention have dynamic capabilities to permit the adjustments to the quorum requirements, “on the fly”, without reinitialization. That is redistribution does not require reconstruction of the whole private signing key from the individual shares, thus avoiding the security hazard of reconstructing the whole signing private key at a single point.


The present invention may be used in a number of different applications, including, but not limited to secure communication in dynamic airborne environments, earth observation systems, information database storage systems, secure satellite communications for satellite clusters, and other secure communications applications in dynamic federated environments.


The following section will discuss one of these applications, where the invention is used in the software architecture for a fractionated satellite system. The goal of such fractionated satellite systems is to increase the value and flexibility of satellite missions by moving away from monolithic satellite single-architectures to clustered multi-satellite architectures. Such multi-satellite architectures can yield increased value by enabling incremental scale-up of the cluster size in response to changing mission resource requirements, and by providing some mission capability even with only partial system deployment, or in the face of individual satellite failures. They can also enable missions that cannot be accomplished with monolithic architectures due to maximum launch size and mass constraints on satellites. In contrast, monolithic architectures must provide sufficient resources to cover all potential mission requirements, which often lead to increases in satellite size, mass, and design complexity. Moreover, monolithic architectures provide no mission capability before complete system deployment or after a satellite failure. Many of the benefits one can obtain from the transition to fractionated satellite systems have clear analogs in the transition away from mainframe to distributed computer systems.


A feature of embodiments of the present invention is a protocol to support applications that are structured as federations of distributed “agents”. As used in the context of a fractionated satellite system, the term “agent” means an application thread or a process running on one of the processors aboard a satellite. An application may have multiple “worker” agents that span a cluster of satellites. For example, in an earth-observation system comprising several camera-enabled satellites, the imaging application may have an agent running on each satellite to gather and process images from the local camera. The workers federate by electing one of their members as a “manager” agent that handles application-wide operations, e.g., in the earth-observation system, the manager would process images from workers to synthesize higher-resolution images, and control the main space-ground data communication downlink. The manager maintains the current view of live workers, detecting failed workers through a heartbeat mechanism. A manager must be able to exchange heartbeat messages with a quorum of workers; otherwise, it ceases being the manager. The size of the quorum is an application-specific parameter. Workers detect a failed manager with the same heartbeat mechanism, and can re-elect a new manager if the old one stops exchanging heartbeat messages with them.


Embodiments of the invention include a federation protocol that incorporates a threshold public-key signature scheme to help defend against Byzantine (arbitrary) agent failures. When an administrator sets up the initial cluster of application workers, it creates a public/private key pair and distributes shares of the private key to the worker agents using a threshold sharing scheme. Each worker can use its share to generate a signature fragment on a message. A client of the application can combine a quorum of such fragments to generate a complete signature on a message, and use the public key to verify the signature. Alternatively, the manager can perform the signature reconstruction on behalf of the clients, thus ensuring compatibility with legacy clients that are only able to process traditional, non-threshold public-key signatures. This mechanism can also be used by a client or a worker to verify that the current manager can in fact exchange heartbeat messages with a quorum of workers. Thus, an operational manager with a quorum can obtain enough signature fragments to generate a complete signature for any challenge message sent by the client/worker, but a faulty manager without a quorum cannot.


An important requirement of the federation protocol is for a method of revoking shares of private keys from failed workers, and of issuing new shares to replacement workers. Existing technologies provide some useful building blocks for these methods, but in and of themselves do not form complete solutions. These technologies include proactive signature schemes and a verifiable secret redistribution (VSR) protocols.


Proactive signature schemes are a special class of threshold signature schemes, where the private key shares held by the cluster members can be refreshed by means of an interactive protocol. Proactive signature schemes, however, do not offer a way to invalidate shares of revoked members, nor do they lend themselves easily to the distributed generation of new shares for replacement members.


The VSR protocol redistributes shares of a secret (here, a private key) from an old set of members to a new, possibly disjoint one, in such a way that new shares cannot be combined with old shares to reconstruct the original secret. A drawback of the protocol is that verification of the correctness of the new shares after redistribution has a computational time that is exponential in the size of the set of old members. Another drawback is that the protocol does not work well with existing threshold public-key signature schemes; members must temporarily reconstruct the private key to generate signatures, which has obvious problems with vulnerability.


In accordance with one embodiment of the present invention, three procedures are used to achieve authenticated communication in dynamic federated environments. The three procedures are called herein “INIT”, “SIGN”, and “REDIST”.


The INIT procedure is used to distribute shares of a new private signature key to a group. It establishes a private/public key pair for the group, splits the private key among the initial group members via an m-out-of-n threshold sharing scheme, and sets up additional parameters that will be used in conjunction with validity proofs to validate the computations carried out by the SIGN and REDIST algorithms.


The SIGN procedure enables group members to authenticate to clients who know the group public key. Each active member of the group produces a signature fragment, along with a corresponding NIZK validity proof, and sends them both to the invoking client. When collecting these signature fragment/NIZK proof pairs, the client will discard any fragment for which the validity proof does not check out. The integration of NIZK validity proofs removes the need to consider all possible size-m subsets of the n shares till successful reconstruction of the secret, which instead would be necessary in the case of alternative solutions based only on prior systems. In this way, the client can efficiently reconstruct a complete signature even in the presence of several subverted group members


The REDIST procedure is used to redistribute signing shares from the current set of members to a new set. This procedure occurs in three steps: the first step is to select a core set among the current members that will carry out the distribution of new shares to the members of the new set. The second step consists of the core set actually generating new sub-shares and delivering them to all the members of the new set, along with a proof of correctness. The third step is for members of the new set to collect the sub-shares generated by the core set, and combine the sub-shares into a new set of shares, each new share being derived from sub-shares from multiple users. The third step also comprises the verification of the validity of the newly received share. Note that, the first step of REDIST (i.e., the choice of the core subset that will carry out the redistribution of the signing key share) is implemented with the use of the Dispute Control technique (described in more detail below). The goal of dispute control is to reduce the frequency of faults, by localizing each pair of disputing players (at least one of whom is corrupted) whenever a fault is observed and preventing this pair from participating to the redistribution phase any longer. Doing so avoids having to pick a new core set from scratch every time a fault is detected during the redistribution phase.



FIGS. 1-4 present a high-level illustration of the INIT, SIGN and REDIST processes in accordance with an embodiment of the invention. Referring now to FIG. 1 there is shown a diagram of the basic concept of threshold sharing as used by embodiments of the invention. At the left side of FIG. 1, a private key k is split into separate fragments of the keys, or shares labeled s1, . . . , sm, . . . , sn. These shares may be distributed to individual users. The shares may then be combined to produce the original private key k. At the right side of FIG. 1, a similar process is depicted with the key k being replaced by a signing key sk. Each user receives a key share of the signing key, shown as sk1, . . . , skm, . . . , skn. Each user also receives a document and signs the document resulting in signature fragments, sig1, . . . , sigm, . . . , sign. The signature fragments may then be combined to produce the complete signature, sig. One issue with this configuration is that if one of the users is malicious, the corresponding signature fragment may be incorrect, shown by the question mark. It is desirable to be able to detect the presence of the incorrect signature fragment.



FIG. 2 shows a technique for redistributing shares of a private key, or a sign key, to a new set of users. In particular, a key k is split into individual key shares, s1, . . . , sm, . . . , sn, as shown in FIG. 1. A first user, with share s1 then divides up its share into sub-shares, 10, 12 and 14. Likewise, another user, sm divides up its share into sub-shares, 16, 18 and 20. It will be appreciated that only two users and three sub-shares are illustrated but that a large number of users and sub-shares may be used in various embodiments of the invention. The manner in which the sub-shares are divided up by the users may be defined by a particular protocol.


The sub-shares are then combined as follows. The sub-shares in the first column, such as sub-shares 10 and 16 are combined to form a first new share s′1′. The sub-shares in the second column, such as 12 and 18 are combined to form new share s′m, and so on, until all n new shares have been formed. The new shares may then be distributed to a new set of users. In particular, a first new user may receive new share s′1′, a second new user may receive new share s′m′, and so on. The sub-shares are formed such that when all the new shares are combined the original key k may be produced. As a threshold scheme it is noted that not all users must participate to produce the original key. This shown by the old share sn of one user, share 28, who does not participate, but does not prevent the original key k from being generated.



FIG. 3 shows another diagram of a technique for redistributing shares of a private key. As shown in FIG. 2, a first user receives a share of key k, s1 and splits that share into multiple sub-shares 10, 12 and 14. In this instance, however, a malicious user 29 splits up its share of k, sm, into multiple sub-shares 30, 32 and 34. Malicious user 29, however, does not use the correct protocol for splitting up the share into sub-shares as do the legitimate users. As a result, the final new shares 36, 38 and 40 will not combine correctly to form the original key, and instead will produce a useless key 42. In this way a malicious user 29 may be able to prevent the legitimate users from extracting the original key, k.



FIG. 4 shows a diagram of a technique for redistributing shares of a private key in accordance with an embodiment of the invention. This technique addresses the above-mentioned problems that result from the presence of malicious users who either generate incorrect sub-shares, or who do not generate sub-shares at all such that the legitimate users may still extract the original key k. The original key k has a validity proof 44 attached to it. This may be, for example a NIZK validity proof as discussed in more detail below. This proof 44 is attached to each of the shares s1, . . . , sm, . . . , sn.


A first user may then divide up the share s1 into a plurality of sub-shares, such as sub-shares 46 and 48. This may be done in a manner similar to the technique shown in FIG. 3, except that each sub-share will have a new proof appended to it. In particular, sub-share 46 will have a concatenation of the original validity proof 44 and a new sub-share validity proof 50 appended to it. Likewise, sub-share 48 will have appended to it a concatenation of the original validity proof and a new sub-share proof 54, and so on for each sub-share. In a similar manner a second user may receive a second key share sm 29 with validity proof 44 attached to it. The second user may then generate sub-shares, 52 and 54, each having the original validity proof attached to it along with a new sub-share validity proof 56, 58 appended to it.


As a result, all of the sub-shares in the first column may be combined to form new shares 60 and 62. Note that each of the new shares 60, 62 may have the original validity proof 44 appended to it. Each new share, such as 60 and 62, may then be distributed to a new set of users and combined by them to extract the original key k with the original validity proof 44 attached to it. This configuration will still yield the correct original key k, even in the case of the two kinds of previously mentioned attacks, where a user does not contribute and where a user contributes incorrect sub-shares.


The following discussion will provide further technical details of the INIT, SIGN and REDIST procedures in accordance with an embodiment of the invention. As a preliminarily matter, we first discuss notation. Consider a trusted dealer and a set P of m players, indexed i=1, . . . , m. We assume at most t of the players are corrupted and that k signature fragments are sufficient to obtain a valid signature, where k=t+1 and m≧3t+1. Let p, q be two random primes of equal length, such that p=2p′+1 and q=2q′+1; let n=pq and n′=φ(n)/4=p′q′. In what follows, Zn* denotes the multiplicative group of integers modulo n, while Qn denotes the subgroup of quadratic residues of Zn*. Moreover, during each time period z, we let δz=k!, where k is the number of signature fragments needed to reconstruct a complete signatures during period z, while





Δzu=1zδu.


Definition 1: An access structure ΓPm,k, where m=|P| and k≦m, is a collection of subsets of P of size exactly k.


The following section will discuss the NIZK Proofs. Let R be a relation for which one can efficiently check whether a pair (x,w) is in R or not. Let 1κ be a security parameter such that the lengths of x and w are polynomial in κ. Let LR={x|∃w:(x,w)εR}.


A non-interactive zero-knowledge (NIZK) proof system (in the R.O.M.) for R is a triple of efficient algorithms (P, V, S), all having access to a common random oracle O(•), where:

    • PO(•)(1κ,x,w) is a probabilistic algorithm run by a prover. It takes as input x and w such that (x,w)εR, and outputs a string Π as a non-interactive zero-knowledge proof that xεLR;
    • VO(•)(1κ,x,Π) is a deterministic 0/1-valued algorithm run by a verifer,


satisfying the following correctness property: for all K-instances x and w such that (x,w)εR, it holds that:







Pr
[


V


(


1
κ

,
x
,
π

)


=

1
|

π



r



P


(


1
κ

,
x
,
w

)





]

=
1




where the probability is over the choice of O and the random coins of P;

    • SO(•)(1κ,x) is a probabilistic algorithm (known as simulator). It takes as input an xεLR, and outputs a simulated proof π and a simulated oracle Ō(•);
    • SOUNDNESS: For any probabilistic polynomial-time algorithm P, and any xεLR:






Pr


[



V

O


(
·
)





(


1
κ

,
x
,
π

)


=

1
|

π



r





P
_


O


(
·
)





(


1
κ

,
x
,
w

)





]







    • is negligible in K, where the probability is over the choice of O and the random coins of P;

    • ZERO-KNOWLEDGE: For any probabilistic polynomial-time 0/1-valued algorithm D, and any (x,w)εR:






















Pr


[



D

O


(
·
)





(


1
κ

,
x
,
π

)




π



r




P

O


(
·
)





(


1
κ

,
x
,
w

)




]


-






Pr


[



D


O
_



(
·
)





(


1
κ

,
x
,
π

)





(

π
,


O
_



(
·
)



)




r



S


(


1
κ

,
x

)




]














    • is negligible in κ, where the probability is over the choice of O and the random coins of S.





Consider a prover P and a verifier V, both of which get a Decisional Diffie-Hellman (DDH) tuple (g1, g2, h1, h2) as common input, where g1, h1εQn, and g2=g1w mod n, h2=h1w mod n, for some wεZn′. Additionally, P gets was private input.


Let L(n) be the bit-length of n and let H′ be a hash function, whose output is an L1-bit integer, where L1 is a secondary parameter (say, L1=128). To construct a proof of correctness Π, P selects a random number rε{0, . . . , 2L(n)+2L1−1} and computes:





g′=g1r mod n, h′=h1r mod n






c=H′(g1,g2,h1,h2,g′,h′)






z=wc+r


The proof of correctness Π is (z, c).


To verify the validity of Π, verifier V checks that:






c=H′(g1,g2,h1,h2,g1z·g2−c,h1z,h2−c).


The notion of dispute control has been discussed in the prior art as a means to reduce the frequency of faults that can occur during the execution of a multi-party computation protocol. Briefly, the idea is to publicly localize a pair of disputing players (at least one of them corrupted) whenever a fault is observed, and preventing this pair from getting into dispute ever again. Hence, the number of faults that can occur during the whole protocol is limited to be t(t+1).


As discussed above, in one embodiment of the invention, authenticated communication is achieved using three procedures: INIT, REDIST, and SIGN.


In the INIT procedure, the dealer chooses two random primes p, q of equal length, such that p=2p′+1 and q=2q′+1, where p′, q′ are also prime. Let n=pq and n′=φ(n)/4=p′q′. The dealer also selects a prime e>m and computes the value dεZ*n′, such that de≡1 mod n′. The pair (n, e) constitutes the public key of the system: it will remain the same during the entire lifetime of the system. Then, the dealer selects a k-degree polynomial F0(•)εZn/4≦k−1 subject to F0(0)=d.


To distribute secret d, we use Shamir's threshold secret sharing. More specifically, for each player i, the dealer computes the value si=F0(i) and delivers it to player i via a private channel. The dealer also chooses a random value gεQn, and sets the public information of time instant O to be






PUB
0≡(gF0(a0), gF0(a1), . . . , gF0(ak1))


where a0=0 and a1, . . . , ak−1 are special indexes, never assigned to any user joining the system.


Finally, using secret value d, the dealer produces an RSA signature Σ0 on PUB0 as Σ0=H(PUB0)d, where H is a hash function mapping messages to elements of Z*n′.


Each player i can verify the authenticity of the public information by checking signature Σ0 with the RSA public key (n, e).


Let ε0=k! and b*il0bil, where











b
il

=





j
=
1


k
-
1



j

l









i
-

a
j




a
l

-

a
j





,

l
=
0

,





,

k
-
1.





(
1
)







By definition, b*il is an integer value. Each player i stores the secret value si and the public information PUB0. Note that player i can verify the validity of the received secret value si by checking that:










g


δ
0


Si


=




l
=
0


k
-
1










(

g


F
0



(

a
l

)



)


b
il
*


.






(
2
)







Test in Equation (2) is very similar to the one in Feldman's Verifiable Secret Sharing scheme, used by the shareholders of a secret to verify the validity of their shares.


REDIST: To redistribute the secret d at time z from ΓPm,k to the new access structure ΓP′m′,k′, a set BεΓPm,k is selected to guide the evolution of the public information from PUBz−1 to PUBz.


Remark 1 To select a set B, we can either select k random users in P, or establish a lexicographical order in P and select the first k players in the list. If the chosen set B contains a corrupted player j, we will replace j (via the technique of Dispute Control) with another player from P, until none of the players in B is corrupted.


Since set P′ may contain new users, each player iεP starts by broadcasting the signature Σz−1 on the public information PUBz−1 to all users in P′, as a proof of validity of PUBz−1.


Each player jεB runs an instance of Shamir's threshold secret sharing scheme to distribute its own secret share sj to the players in P′. More precisely, user j selects a random k′-degree polynomial fj(•)εZn/4≦k′-1 subject to fj(0)=sj. User j now broadcasts values gfj(0), gfj(a1), . . . , gfj(ak′-1), which will be later used to compute the new public info PUBz.


For each i′εP′, user j computes sub-share sji′=fj(i′), and delivers this value to player i′ (over a private channel).


Let δz−1=k′! and b*jl′z−1bjl′, l′=0, . . . , k′−1. To compute its new sub-share, player i′ first verifies the validity of gfj(0) by checking that:











(

g

fj


(
0
)



)


δ

z_

1



=




l
=
0


k
-
1









(

g

F

z
-

1


(
al
)





)


b
jl
*







(
3
)







which, by Equation (2) written for point j and PUBz−1, must hold true if player j broadcasts the correct value for gfj(0).


Then, player i′ verifies validity of sji′ by checking that:












j


B


:







g


δ
z



s

ji








=





l


=
0


k
-
1










(

g

fj


(

ai


)



)


b


i




l



*


.






(
4
)







If, for some jεB, test in Equation (4) fails, then j is removed from B (and ī too, if īεB); we then select a fresh player from P to provide the redistribution of its sub-share as described above. To guarantee termination, we also mark player j and ī, so we will not put them back in B in subsequent rounds of the current execution of the redistribution protocol.


Player i′ can now compute its new sub-share as:











s

i




=




j

B





c
j
*



s

ji






,


c
j
*

=


δ

z
-
1







l


B

\


{
j
}











l

l
-
j


.








(
5
)







We now describe how the new public information PUBz is generated. For 0≦l′≦k′−1, player i′εP′ computes the values:










g


F
z



(

al


)



=




j

B










(

g

fj


(

al


)



)


c
j
*


.






(
6
)







The new public information is set to be






PUB
z≡(gFz(0), gFz(a1), . . . , gFz(ak′-1)).


The final step of the REDIST protocol produces a signature for the newly created public information PUBz, using the just distributed shares s′i′ for i′εP′.


Let Δzu=1z δu; notice that, by construction, it holds that Fz(0)=ΔzF0(0)=Δzd.


Let x=H(PUBz) and {tilde over (x)}=x4; each i′εP′ uses the new sub-share s′i′ to compute a fragment signature on PUBz as σz(i′)=xzs′i′. Player i′ broadcasts σz(i′) to all other players in P′, along with an associated non-interactive zero-knowledge (NIZK) proof πz(i′) that (g, gzδzs′i′, {tilde over (x)}, (σz(i′))2) is a Decisional Diffie-Hellman (DDH) tuple.


Each player i′εP determines a set of at least k′ signature fragments with a valid associated NIZK proof; these valid fragments can be used to derive a complete signature Σz=H(PUBz)d as follows: First, i′ recombines these values into:













W
z

=






j

s









[


(

σ
z

(
j
)


)

2

]


b
j
*









=






j

s









(


H


(

PUB
z

)



4


δ
z



s
j




)


b
j
*











=




(

HPUB
z

)


4


δ
z



s
j





)


b
j
*









=




(

HPUB
z

)


4


δ
z



s
j
*




)





j

S





b
j
*



s
j












=




(

HPUB
z

)


4


δ
z




)



F
Z



(
0
)










=




(

HPUB
z

)

d


)


4


δ
z



Δ
z








=




z

4


Δ
z



Δ
z










(
7
)







where







b
j
*

=


δ
z






i


s

\


{
j
}











i

i
-
j


.







Then, each player i′εP′ can now recover Σz from Wz, using the following standard technique. Let e′=4δzΔz; it holds that Wzze′. As ed=1 mod n′, we also have H(PUBz)=Σze. Now, since e is chosen as a large prime and e′ only has small factors, it holds that gcd(e′,e)=1, and so, by the extended Euclidean algorithm, we get integers α, β such that e′α+eβ=1. Thus, i′ can compute Σz as:






W
z
α·(H(PUBz))βze′α·Σzze′α+eβz  (8)


Notice that each player i′εP′ can verify the correctness of the signature Σz so computed by checking that:





Σze=H(PUBz).


At this point, each i′εP′ commits its new share s′i′, completing the REDIST protocol.


SIGN: When a client requests a signature on a message M during time period z, as a preliminary step, each player iεP sends a copy of the signature Σz on the current public information PUBz.


Then, each iεP creates a fragment signature Σz(i)=H(M)zson message M, and sends it back to the client, together with an associated NIZK proof Πz(i) that (g, gδzsi, {tilde over (x)}, (Σz(i))2) is a DDH tuple. Using public info (n, e) (stored in the client's ROM), the client can verify the validity of Σz(i), and then compute values gδzsvia Equation (2).


Finally, the client determines a set S of k valid fragment signatures and recombines them into a complete signature Σ on M as described in the REDIST phase.


We now present a short analysis to estimate the computational cost of the SIGN and REDIST procedures. (We omit an analysis for the INIT procedure, since its cost is incurred only once; we just observe that the presence of a central dealer during system initialization only makes things computationally easier, so that INIT is the cheapest phase of our protocol.) Peeking ahead, we notice that the NIZK-related steps do not create a computational bottleneck for the system; in fact, the modular arithmetic necessary for correct signature reconstruction turns out to use the largest cost share (by roughly an order of magnitude).


We will be assuming primes p and q of 512 bits, which is typical of RSA-based cryptosystems. Let λ denote the bit-length of the RSA modulus n=pq, i.e., λ=|n|=1024. Recall that raising a value αεZ*n to a power e can be done without knowledge of the factorization of n in time O(|e||n|2).


To provide an analysis independent of the specific hardware/software architectures in which our application will run, we express run-time for the various operations in our protocol in terms of time to compute a modular exponentiation with exponent size len(e)=λ, and modulus size len(n)=λ. For the sake of concreteness, however, it is useful to bear in mind that on a 1.5 GHz CPU with 1.5 GB RAM, an unoptimized, open-source software implementation leads to value of X in the order of 13 msec.


We start by analyzing the cost of generating and verifying a NIZK proof as discussed above. The most expensive step in the generation of a NIZK proof is the computation of two exponentiations (for g′ and h′) with exponent r and modulo n, where |r|=1024+2*128=1280 bits and |n|=λ. Additional steps consist of computing a hash function with a 128-bit output (to compute c), and summing integer values (to compute z), which both add a negligible cost with respect to the computation of an exponentiation:






T(NIZK−Gen)≈T(g′)+T(h′)≈O(1280λ2)≈1.25X.


To verify the validity of an NIZK proof, we need to compute two exponentiations with a 128-bit exponent and λ-bit modulus (g2−c,h2−c), two exponentiations with a 1280-bit exponent and a λ-bit modulus (g1z,h12z), and a hash function with a 128-bit output. Again, the computation of a hash function is negligible with respect to the time to compute an exponentiation.










T


(

NIZK


-


Ver

)







T


(

g
2

-
c


)


+

T


(

h
2

-
c


)


+

T


(

g
1
z

)


+

T


(

h
1
z

)














O


(

128


λ
2


)


+

O


(

1280






λ
2


)














(

0.12
+
1.25

)


X











1.37


X
.









We now analyze the running time of the SIGN procedure, distinguishing between the cost of generating signature fragments, which is incurred by each individual player in P, and the cost of recombining the fragments into a stand-alone signature, which is incurred by the client (or by one of the players on behalf of the client).


Each player iεP creates a signature fragment Σz(i), which requires one exponentiation modulo n. An upper bound on the size of δz is k log k, while the bit-length of the player's share si (computed according to Eq. 5) is at most λ+2 k log U+log k, where U is an upper bound on the number of satellites (or other computer systems in non-satellite applications) in production (say, U=256), m is the typical size of the cluster (e.g., m=10), and k denotes the number of valid signature fragments sufficient to reconstruct a valid signature (e.g., k=4). An upper bound on the length of the exponent is thus λ+2 k log U+(k+1) log k.







T


(


z

(
i
)


)




O


(


(

λ
+

2

k





log





U

+


(

k
+
1

)


log





k


)



λ
2


)





1.07


X
.






Additionally, each iεP generates an NIZK proof which, as shown above, takes time T(NIZK−Gen)≈1.25X, so the generation of a signature fragment takes roughly time:







T


(

SIGN


-


FRAGMENT

)





T


(


z

(
i
)


)


+

T


(

NIZK


-


Gen

)





1.32

X





The first step to reconstruct a complete signature on a message M is to find k valid signature fragments. As showed above, the verification of an NIZK proof takes time T(NIZK−Ver)≈1.37X: if all users in P are honest, this step takes time roughly (1.37X)≈5.48X; otherwise the worst-case running-time is approximately |P|(1.37X)=m(1.37X)≈13.7X.


Once k valid signature fragments are found, the reconstruction of the signature requires the computation of Lagrange interpolation in the exponent (according to Equation 7), followed by the Extended Euclidean algorithm (per Equation 8), and by two further modular exponentiations to the powers α and β computed under the Extended Euclidean Algorithm. The cost of Lagrangian interpolation boils down to the time to compute k modular exponentiation with exponent of length at most k log k+k log U:










T


(

Eq
.




7

)






kO


(


k


(


log





k

+

log





U


)




λ
2


)












4


O


(

40






λ
2


)













0.16


X
.









For given integers a and b, the Extended Euclidean Algorithm computes s and t s.t. as+bt=d (where d=gcd(a, b)) in time O(|a||b|). The bit-lengths corresponding to the computation of the values α and β for Equation 8 are approximately λ (for e) and Ik log k (for e′), where I is the number of redistributions that have occurred since the initial system setup (which we can bound from above with, for example, 128). Let us denote by Y the time it takes to execute the Extended Euclidean Algorithm on inputs of equal size λ=1024. Notice that, on a 1.5 GHz CPU with 1.5 GB RAM, an unoptimized, open-source software implementation leads to value of Y on the order of 0.13 msec.


Computing the values α and β for Equation 8 then takes at most:






T(Euclid-Inverse)≈O(Ik log kλ)≈Y


As for the modular exponentiations carried out according to Equation 8 to the powers α and β (whose sizes are bounded by the sizes of the inputs to the previous step, respectively λ and Ik log k), we get






T(Eq.8)≈O(Ik log 2)+O3)≈2X


Overall, the SIGN procedure takes time:






T(SIGN-RECOMBINE)≈t·T(NIZK−Ver)+T(Eq.7)+T(Euclid-Inverse)+T(Eq.8)


where t is the number of NIZK proofs that the client verifies before obtaining k correct signature fragments. In the best case, t=k, and T(SIGN-RECOMBINE) is 7.64X+Y; in the worst case, t=m, and T(SIGN-RECOMBINE) is 15.86X+Y.


We now analyze the running time of the REDIST procedure. Each user jεB computes k exponentiations (gfj(0), gfj(a1), . . . , gfj(ak−1)), each with exponent size λ+k log m and modulus λ:






T(gfj(•))=O((λ+k log m2)=1.03X






kT(gfj(•))=4.12X


To compute its new sub-share, each member i′εP′ first checks the validity of gfj(0) (cf. Equation (3)). This step requires (k+1) exponentiations, each with exponent size k log U:






T(Eq.(3))=(k+1)O((k log U2)=0.20X


Next, i′ needs to verify the validity of the received new sub-share for each member jεB (cf. Equation (4)). This step requires k exponentiations, each with exponent size k log U:






T(Eq.(4))=kO((k log U2)=0.16X


To generate the new public information, each i′εP′ computes k exponentiations, each with exponent size k log U (cf. Equation (6)), yielding again time:






T(Eq.(6))=kO((k log U2)=0.16X


The last step of the REDIST procedure is the generation of a signature fragment on the new value public info, which, as discussed above, requires time roughly:






T(PUB-Sign)=T(SIGN-FRAGMENT)=1.32X


Overall, the REDIST procedure runs in time:










T


(
REDIST
)


=




kT


(

g

fj


(
·
)



)


+

T


(

Eq
.





(
3
)


)


+


T


(

Eq
.





(
4
)


)


++












T


(

Eq
.





(
5
)


)


+

T


(

Eq
.





(
6
)


)


+

T


(

PUB


-


Sign

)









=





4.12

X

+

0.20

X

+

0.16

X

+

0.16

X

+

1.32

X


=







=



5.96


X
.










FIG. 5 shows a table of micro-benchmarks for the main stages of an embodiment of the present invention. This table assumes a 1.5 GHz CPU with 1.5 GB RAM and assuming a typical choice of parameters for an RSA crypto-system (|p|=|q|=512 bits).



FIG. 6 shows a flowchart of a process for authenticated communication in dynamic federated environments in accordance with an embodiment of the invention. In step 70 shares of a private key are distributed to a group of computer systems in the dynamic federated environment. In step 72, a plurality of sub-shares are produced from each of the distributed shares, each sub-share comprising a sub-fragment of the private signature key and a corresponding validity proof. The sub-shares from multiple users are combined, to generate a set of new key share, in step 74. Note that each new key share is derived from sub-shares from multiple users. In step 76, the validity of each sub-share in the new set of sub-shares is determined. If the current sub-share is not valid it is discarded, in step 78. If the current sub-share is valid, step 80 determines if the minimum number of valid sub-shares has been received. If not, the process returns to step 76 to determine the validity of the next sub-share. If the minimum number of the redistributed sub-shares has been received, then a new share can be reconstructed using the redistributed set of sub-shares, in step 82.


As will be appreciated by one skilled in the art, the present invention may be embodied as a system, method or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, the present invention may take the form of a computer program product embodied in any tangible medium of expression having computer usable program code embodied in the medium.


Any combination of one or more computer usable or computer readable medium(s) may be utilized. The computer-usable or computer-readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CDROM), an optical storage device, a transmission media such as those supporting the Internet or an intranet, or a magnetic storage device. Note that the computer-usable or computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory. In the context of this document, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The computer-usable medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave. The computer usable program code may be transmitted using any appropriate medium, including but not limited to wireless, wire line, optical fiber cable, RF, etc.


Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).


The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.


These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.


The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.


The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.



FIG. 7 is a high level block diagram showing an information processing system useful for implementing one embodiment of the present invention. The computer system includes one or more processors, such as processor 102. The processor 102 is connected to a communication infrastructure 104 (e.g., a communications bus, cross-over bar, or network). Various software embodiments are described in terms of this exemplary computer system. After reading this description, it will become apparent to a person of ordinary skill in the relevant art(s) how to implement the invention using other computer systems and/or computer architectures.


The computer system can include a display interface 106 that forwards graphics, text, and other data from the communication infrastructure 104 (or from a frame buffer not shown) for display on a display unit 108. The computer system also includes a main memory 110, preferably random access memory (RAM), and may also include a secondary memory 112. The secondary memory 112 may include, for example, a hard disk drive 114 and/or a removable storage drive 116, representing, for example, a floppy disk drive, a magnetic tape drive, or an optical disk drive. The removable storage drive 116 reads from and/or writes to a removable storage unit 118 in a manner well known to those having ordinary skill in the art. Removable storage unit 118 represents, for example, a floppy disk, a compact disc, a magnetic tape, or an optical disk, etc. which is read by and written to by removable storage drive 116. As will be appreciated, the removable storage unit 118 includes a computer readable medium having stored therein computer software and/or data.


In alternative embodiments, the secondary memory 112 may include other similar means for allowing computer programs or other instructions to be loaded into the computer system. Such means may include, for example, a removable storage unit 120 and an interface 122. Examples of such means may include a program cartridge and cartridge interface (such as that found in video game devices), a removable memory chip (such as an EPROM, or PROM) and associated socket, and other removable storage units 120 and interfaces 122 which allow software and data to be transferred from the removable storage unit 120 to the computer system.


The computer system may also include a communications interface 124. Communications interface 124 allows software and data to be transferred between the computer system and external devices. Examples of communications interface 124 may include a modem, a network interface (such as an Ethernet card), a communications port, or a PCMCIA slot and card, etc. Software and data transferred via communications interface 124 are in the form of signals which may be, for example, electronic, electromagnetic, optical, or other signals capable of being received by communications interface 124. These signals are provided to communications interface 124 via a communications path (i.e., channel) 126. This communications path 126 carries signals and may be implemented using wire or cable, fiber optics, a phone line, a cellular phone link, an RF link, and/or other communications channels.


In this document, the terms “computer program medium,” “computer usable medium,” and “computer readable medium” are used to generally refer to media such as main memory 110 and secondary memory 112, removable storage drive 116, and a hard disk installed in hard disk drive 114.


Computer programs (also called computer control logic) are stored in main memory 110 and/or secondary memory 112. Computer programs may also be received via communications interface 124. Such computer programs, when executed, enable the computer system to perform the features of the present invention as discussed herein. In particular, the computer programs, when executed, enable the processor 102 to perform the features of the computer system. Accordingly, such computer programs represent controllers of the computer system.


From the above description, it can be seen that the present invention provides a system, computer program product, and method for implementing the embodiments of the invention. References in the claims to an element in the singular is not intended to mean “one and only” unless explicitly so stated, but rather “one or more.” All structural and functional equivalents to the elements of the above-described exemplary embodiment that are currently known or later come to be known to those of ordinary skill in the art are intended to be encompassed by the present claims. No claim element herein is to be construed under the provisions of 35 U.S.C. section 112, sixth paragraph, unless the element is expressly recited using the phrase “means for” or “step for.”


The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.


The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of the present invention has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the invention. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Claims
  • 1. A method comprising: distributing shares of a private signature key to a group of users;producing a plurality of sub-shares from each of said distributed shares, with each sub-share being accompanied by a corresponding validity proof; andcombining said sub-shares from multiple existing users at each one of a set of new users to generate a set of new shares, each said new share being derived from sub-shares from multiple users.
  • 2. A method according to claim 1 further comprising: determining if a minimum number of said sub-shares have been received; andif said minimum number has been received, said new users constructing a new share using said sub-shares.
  • 3. A method according to claim 2 further comprising verifying the validity of each share in said new set of shares.
  • 4. A method according to claim 3 further comprising, if said verifying determines that a share in said new set shares is not valid due to a sub-share not being valid, not using said invalid sub-share in said constructing.
  • 5. A method according to claim 3 wherein said validity proof is a non-interactive zero-knowledge validity proof.
  • 6. A method according to claim 1 wherein each said new share includes a corresponding validity proof.
  • 7. A method according to claim 1 further comprising: sending said share and corresponding validity proof to a client; andsaid client reconstructing said private signature key by combining said new shares and corresponding validity proofs.
  • 8. A method according to claim 1 wherein said users are computer systems.
  • 9. A method according to claim 1 wherein said users are individual satellites.
  • 10. A method comprising: distributing shares of a private key to a group of computer systems;allowing members of said group to authenticate to at least one client that knows a public key for said group; andredistributing shares from said group to another set of computer systems.
  • 11. A method according to claim 10 wherein said group of computer systems comprises a dynamic federated environment.
  • 12. A method according to claim 10 wherein said distributing comprises establishing a private/public key pair for said group.
  • 13. A method according to claim 12 further comprising splitting said private key among the initial members of said group via and m-out-of-n threshold sharing.
  • 14. A method according to claim 13 further comprising setting up additional parameters to use in conjunction with validity proofs to validate computations carried out by said allowing and said redistributing.
  • 15. A method according to claim 10 further comprising preventing said distributed shares and said new shares from operating together.
  • 16. A method according to claim 15 further comprising: each member of said group producing a validity proof that corresponds to said share produced by said member; andeach member of said group sending said share and said proof to said client.
  • 17. A system comprising: a plurality of computer systems, each having a share of a private signature key;said plurality of computer systems each having a means for producing a plurality of sub-shares from each of said shares, with each sub-share being accompanied by a corresponding validity proof;a client computer receiving said sub-shares and said corresponding validity proofs, and generating a set of new shares, each said new share being derived from sub-shares from multiple ones of said computer systems; andsaid client computer redistributing said new set of shares to a new group of users.
  • 18. A system according to claim 17 wherein said validity proof is a non-interactive zero-knowledge validity proof.
  • 19. A computer program product for authenticating communications, said computer program product comprising: a computer usable medium having computer usable program code embodied therewith, said computer usable program code comprising:computer usable program code configured to:distribute shares of a private signature key to a group of users;produce a plurality of sub-shares from each of said distributed shares, with each sub-share being accompanied by a corresponding validity proof; andcombine said sub-shares from multiple existing users at each one of a set of new users to generate a set of new shares, each said new share being derived from sub-shares from multiple users.
  • 20. A computer program product according to claim 19 wherein said computer usable program code is further configured to: select a core set of users among said group of users;said core set of users generating said sub-shares and delivering said sub-shares to said new group of users;each user in said new group of users generating a new share from said sub-shares; andeach user in said new group of users verifying the validity of said new shares.