ustees).

(1) Alice chooses five integers, $s_1$, $s_2$, $s_3$, $s_4$, and $s_5$, each less than $p - 1$. Alice’s private key is

$s = (s_1 + s_2 + s_3 + s_4 + s_5) \bmod (p - 1)$

and her public key is

$t = g^s \bmod p$

Alice also computes

$t_i = g^{s_i} \bmod p$, for $i = 1$ to $5$

Alice’s public shares are $t_i$, and her private shares are $s_i$.

(2) Alice sends a private piece and corresponding public piece to each trustee. For example, she sends $s_1$ and $t_1$ to trustee 1. She sends $t$ to the KDC.

(3) Each trustee verifies that

$t_i = g^{s_i} \bmod p$

If it does, the trustee signs $t_i$ and sends it to the KDC. The trustee stores $s_i$ in a secure place.

(4) After receiving all five public pieces, the KDC verifies that

$t = (t_1 \cdot t_2 \cdot t_3 \cdot t_4 \cdot t_5) \bmod p$

If it does, the KDC approves the public key.

At this point, the KDC knows that the trustees each have a valid piece, and that they can reconstruct the private key if required. However, neither the KDC nor any four of the trustees working together can reconstruct Alice’s private key.

Micali’s papers [1084,1085] also contain a procedure for making RSA fair and for combining a threshold scheme with the fair cryptosystem, so that m out of n trustees can reconstruct the private key.

Failsafe Diffie-Hellman
Like the previous protocol, a group of users share a prime, $p$, and a generator, $g$. Alice’s private key is $s$, and her public key is $t = g^s \bmod p$.

(1) The KDC chooses a random number, $B$, between 0 and $p - 2$, and commits to $B$ using a bit-commitment protocol (see Section 4.9).

(2) Alice chooses a random number, $A$, between 0 and $p - 2$. She sends $g^A \bmod p$ to the KDC.

(3) The user “shares” $A$ with each trustee using a verifiable secret-sharing scheme (see Section 3.7).

(4) The KDC reveals $B$ to Alice.

(5) Alice verifies the commitment from step (1). Then she sets her public key as

$t = (g^A) g^B \bmod p$

She sets her private key as

$s = (A + B) \bmod (p - 1)$

The trustees can reconstruct $A$. Since the KDC knows $B$, this is enough to reconstruct $s$. And Alice cannot make use of any subliminal channels to send unauthorized information. This protocol, discussed in [946,833], is being patented.

23.11 Ze...
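Steps (1) to (4) of the fair Diffie-Hellman protocol above (the five-trustee one), worked through in Python as an added example that is not from the original text. The prime 23, the generator 5 and all function names are assumptions chosen for illustration; the last function shows the two checks rejecting a private piece and a public piece that do not match.

```python
import secrets

# Constructed toy parameters (assumption): 5 generates the multiplicative group mod 23.
P, G = 23, 5
N_TRUSTEES = 5

def split_key(p=P, g=G, n=N_TRUSTEES):
    """Step (1): Alice picks n private shares s_i < p-1 and derives s, t and the t_i."""
    shares = [secrets.randbelow(p - 1) for _ in range(n)]
    s = sum(shares) % (p - 1)
    t = pow(g, s, p)
    public_shares = [pow(g, s_i, p) for s_i in shares]
    return s, t, shares, public_shares

def trustee_verify(s_i, t_i, p=P, g=G):
    """Step (3): a trustee checks t_i = g^s_i mod p before signing t_i."""
    return 0 <= s_i < p - 1 and t_i == pow(g, s_i, p)

def kdc_verify(t, public_shares, p=P):
    """Step (4): the KDC checks t against the product of the public pieces."""
    product = 1
    for t_i in public_shares:
        product = (product * t_i) % p
    return product == t

def reconstruct(shares, p=P):
    """All trustees together recover s by adding their private pieces mod p-1."""
    return sum(shares) % (p - 1)

def run_protocol():
    """Honest run, then two mismatched pieces; returns the two failing check results."""
    s, t, shares, pubs = split_key()
    assert all(trustee_verify(s_i, t_i) for s_i, t_i in zip(shares, pubs))
    assert kdc_verify(t, pubs)
    assert reconstruct(shares) == s
    # Failure mode 1: trustee 1 receives a private piece that does not match t_1.
    bad_private = (shares[0] + 1) % (P - 1)
    # Failure mode 2: the KDC receives a fifth public piece that does not match t.
    bad_publics = pubs[:4] + [(pubs[4] * G) % P]
    return trustee_verify(bad_private, pubs[0]), kdc_verify(t, bad_publics)

if __name__ == "__main__":
    print(run_protocol())
```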