Proactive Linear Integer Secret Sharing

Transcription

1 Proactve Lnear Integer Secret Sharng Rune Thorbek BRICS, Dept. of Computer Scence, Unversty of Aarhus Abstract. In [3] Damgard and Thorbek proposed the lnear nteger secret sharng (LISS) scheme. In ths note we show that the LISS scheme can be made proactve. 1 Introducton Secret sharng schemes protect secrets by dstrbutng them over dfferent locatons (partes). In a threshold-t scheme, the adversary s restrcted to corrupt no more than t out of n partes throughout the lfetme of the scheme. If ths assumpton s fulflled, then the adversary wll not learn the secret. But n some long-lved schemes wth senstve secrets ths guarantee may be nsuffcent. In [9] Ostrovsky and Yung proposed the proactve model. In the proactve model the lfe span of the protocol s dvded nto separate tme perods, where the adversary can corrupt at most t partes n each perod. The set of corrupted partes may change from perod to perod, and the protocol must reman secure, even though every party may have been corrupt at some pont. One way to acheve ths, s by lettng the partes re-randomze the shares they hold between each tme perod and erase the old shares. Ths procedure s called the refreshment. Ths should be done n such a way, that the partes are stll guaranteed the correctness and the prvacy of the scheme. Furthermore, to avod gradual destructon of the secret by corrupton of shares, t s necessary to be able to recover lost or corrupted shares wthout compromsng the secrecy of any shares. Proactve secret sharng has shown very useful n threshold RSA sgnature schemes [5], snce t provdes securty n a long-lved system, e.g., for the master keys whch cannot be perodcally changed. Whle ths area has been studed n great detal [4, 10, 8, 1, 6], we consder the LISS scheme n a proactve settng wthout a dstrbuted exponentaton protocol n ths chapter. There are manly two strateges to make a secret sharng scheme proactve. One way to mplement the refreshment phase s to let every party re-share hs share components and by the lnearty of LISS

2 reconstruct the secret n a new sngle secret sharng n LISS. Dong ths straghtforward has the dsadvantage, that the share szes grow very fast, snce the LISS scheme s done over the ntegers and needs some addtonal bts n each round to hde the secret. Another strategy s to add a secret shared zero to the secret. In ths strategy the share component szes grow amortzed less than one bt. Whle ths solves the problem for a passve adversary, we need some means to detect tampered shares and recover them f we consder an actve adversary. All ths wll be solved n ths chapter. 2 Prelmnares In a lnear nteger secret sharng [3] (LISS) scheme a dealer D can share a secret s from a publcally know nterval [ 2 l..2 l ] over an access structure Γ between the party P such that only qualfed subsets can reconstruct the secret whle other subsets do not gan any nformaton about the secret. More precsely, Defnton 1. A LISS scheme s correct, f the secret can be reconstructed from shares of any qualfed set n A Γ, by takng an nteger lnear combnaton of the shares wth coeffcent that depends only on the ndex set A. Defnton 2. A LISS scheme s prvate, f for any forbdden set B, any two secret s, s [ 2 l..2 l ], and ndependent random cons r and r, the statstcal dstance between the dstrbutons of the shares {s (s, r, k) B} and {s (s, r, k) B} s neglgble n the securty parameter k. A labeled matrx conssts of a d e matrx M and a correspondng surjectve functon ψ : {1,..., d} {1,..., n}. We say that the -th row s labeled by ψ() or owned by party P ψ(). For any subset A P, we let M A denote the restrcton of M to the rows labeled by some P ψ() A. For any d-vector x, we smlarly denote x A to be the restrcton of entres wth P ψ() A. For any two vectors a and b, let a, b denote the nner product. Defnton 3 ([2]). An Integer Span Program (ISP) for a monotone access structure Γ conssts of a tuple M = (M, ψ, ε), where M Z d,e s a labeled matrx wth a surjectve functon ψ : {1,..., d} {1,..., n}, and the target vector ε = (1, 0,..., 0) T Z e. Furthermore, for every A P the followng holds,

3 - for every A Γ there exsts a reconstructon vector λ Z d such that M T A λ = ε. - for every A / Γ there exsts a sweepng vector κ Z e such that M A κ = 0 and κ, ε = 1. The sze of M s defned to be d. In [3] t was shown how to construct a correct and prvate LISS scheme from any ISP. For a gven ISP we defne l 0 = l + log 2 (κ max (e 1)) + 1, where κ max = max{ a a s an entry n some sweepng vector }. To share a secret s [ 2 l..2 l ], we use a dstrbuton vector ρ whch s a unformly random vector n [ 2 l 0+k..2 l 0+k ] e wth the restrcton that ρ, ε = s. The share vector s computed by Mρ = s = (s 1,..., s d ) T, where the share component s s gven to party P ψ() for 1 d. The share of party P j s the subset of share components s {Pj }. 3 Proactve Securty All the enttes are Interactve Turng machnes (ITM). The partes P 1,..., P n are PPT ITMs whch proactvely secret share a secret. The adversary A attackng the protocol s a ITM wth unbounded computng power. See Secton 5.1 for further dscusson on the computng power of the adversary. For smplcty we assume authentcated secure pont-to-pont channels between all partes. Ths assumpton wll be dscussed n more detal n secton 6. Furthermore, we assume a synchronous network, whch proceeds n rounds. P 1 A P 2. π P n Snce we assume pont-to-pont channels, the adversary cannot see the communcaton between the partes. The adversary only sees the vew of the partes she corrupts,.e., the messages receved by the partes. A proactve secret sharng scheme s dvded nto phases. We dstngush between an operatonal phase and a refreshment phase, whch occur

4 alternately. The operatonal phases are where the secret sharng can be used for whatever purpose t was ntended, whle the refreshment phases are used to re-randomze the secret sharng, such that attacks n dfferent phases wll not be able to beneft from each other. A stage conssts of an openng refreshment phase, an operatonal phase, and a closng refreshment phase. Note, that f a refreshment phase s the closng refreshment phase of stage u, then t s the openng refreshment phase of stage u + 1. stage u stage u + 1 operatonal phase refreshment phase The adversary A decdes when the refreshment phases start by sendng a command to all partes. Whle the refreshment ends when all honest partes have output a specal symbol ndcatng the end of refreshment. In a proactve secret sharng scheme realzng the adversary may adaptvely corrupt any party durng any phase, wth the restrcton that the set C of corrupted partes s n n every stage. Hence, f a party s corrupted durng a refreshment phase, she s consdered corrupt n both stages that the phase belongs to. If a party s corrupted durng an operatonal phase the adversary s gven the vew of the party from the begnnng of the phase. Furthermore, f a party s corrupted durng a refreshment phase, then the adversary s gven the vew startng from the begnnng of the precedng operatonal phase. The adversary can decorrupt a party at the end of any operatonal phase, and the party wll be consdered honest agan. We dstngush between a passve and an actve adversary. When a passve adversary corrupts a party, she s gven the nternal state of the party and the control. However the passve adversary follows the protocol and on decorrupton she leaves the nternal state of the party n a consstent state wth the protocol. When an actve adversary corrupts a party, she s gven the nternal state of the party, but she may devate arbtrary from the protocol and leave the party on decorrupton n an arbtrary nternal state. The partes are assumed to get randomness from an ncorruptble source and are seeded wth new fresh randomness whenever requred. I.e. after decorrupton the adversary does not know the random choces made by the party. We need the followng defnton n order to formally defne proactve securty.

5 Defnton 4. Let y be a share vector and let H be the set of all honest partes. If y, λ A = y for all qualfed A H, where λ A s the reconstructon vector for A and y s a fxed value, then y s sad to have correct reconstructablty. Defnton 5. A proactve secret sharng scheme s robust, f t has correct reconstructblty for the same value n each operatonal phase. Defnton 6. A proactve secret sharng scheme realzng s proactvely prvate, f the adversary may corrupt and decorrupt, as descrbed above, s prvate n all phases. 4 Proactve Protocol The protocol s as follows. Protocol Refresh Intally a dealer has computed sharng vector (s 1,..., s d ) T = Mρ, where ρ [ 2 l0+k..2 l0+k ] e was chosen at random wth the restrcton that ρ, ε = s the secret. 1. For = 1,..., n party P secret shares a zero, usng unformly random ρ 0 [ 2 l0+k..2 l0+k ] e, wth the restrcton that ρ 0, ε = 0, to obtan share vector by (s 1,..., s d ) T = Mρ 0 and for j = 1,..., d send s j to party P ψ(j). 2. For each = 1,..., d party P ψ() lets s (new) = s + n j=1 s j be the new share component. Note 1. If the above protocol s used r tmes, then each share component sze grows at most log(n) + log(r) + 1 bts,.e., amortzed each share component grows O(log(r)/r) bts. Theorem 1. If the Refresh protocol s used polynomal many tmes, then t s robust and proactvely prvate for a passve adversary. Proof. By nspecton of the protocol t follows that the protocol s robust. In order to prove that the protocol provdes proactve prvacy we provde a smulator. In each phase the adversary can corrupt and decorrupt as many partes she wants wth the restrctons descrbed n Secton 3. The dea behnd the smulator s as follows. The smulator generates a LISS secret sharng of 0 and keeps the shares on behalf of each honest party and provdes the adversary wth the shares for the corrupted partes. The smulator then nteracts n the protocols on behalf of each honest

6 party throughout the run. When a party s corrupted, the smulator wll have the requred data of the honest party nternal state and provdes the adversary wth t. On decorrupton of a party, the smulator wll receve the nternal state from the adversary, and hence, has a consstent nternal state of the now honest party. For notatonal convenence we let 0, 1,..., u denote the phases, and let s 0, s 1,..., s u denote the nternal states of the honest partes. Note, that the nternal state of honest party P n phase j s gven by (s j ) {P }. Furthermore, we let the entres n s j owned by the corrupted partes all contan the last known state. If j s a refreshment phase, then we let s j denote the fnal state of the phase,.e., s j = s j+1. Fnally, let denote the adversary structure for the LISS scheme. The smulator acts as follows when ever requred. In the frst phase the smulator chooses ρ 0 [ 2 l 0+k..2 l 0+k ] e unformly at random wth the restrcton that ρ 0, ε = 0. Computes s 0 = Mρ 0, the nternal states of all partes. If the partes A are corrupted at ths pont, the adversary s provded wth (s 0 ) A. At the begnnng of each refreshment phase the smulator runs the Refresh protocol on behalf of each honest party. When a party P s corrupted n phase j, the smulator provdes the adversary wth (s j ) {P }. When a party P s decorrupted n phase j the smulator updates the state (s j ) {P } wth the provded data from the adversary. In the end of the last phase u when the secret s s revealed, the smulator lets s u = s u + smκ, where κ s the sweepng vector for A, the set of currently corrupted partes, and reveals (s u) A to the adversary. We need to show that ths vew s statstcally close to a run of the real protocol. Frst two observatons of the corrupton n the phases. Frst, snce only corruptons and decorruptons happens n the operatonal phases,.e., the nternal state does not change of any party, we can assume that all partes are corrupted n the begnnng of the phase. Secondly, snce we assume that all corruptons happen n the begnnng of each round and the Refresh protocol takes one round, we can also assume that all corruptons of the refreshment phase happen n the begnnng of the phase. Let A 0, A 1,..., A u denote the unqualfed set of corrupted partes n each phase. Let κ 0, κ 1,..., κ u be the sweepng vectors for A 0, A 1,..., A u, respectvely.

7 Assume frst that the adversary only has corrupted partes n the operatonal phases, that s, n each refreshment phases all partes are honest. Frst of all, each operatonal phase solated s prvate. We need to show, that gven two vews of operatonal phases, the scheme s stll prvate. Let share vector s = s smκ. Then note, that the adversary knows (s ) A = (s ) A for all = 0, 1,..., u. However the share vectors are also dependent, s 1 = s 0 + s 2 = s 1 +. =1 =1 s u = s u 1 + z (0) z (1) =1 z (u 1), where z (j) s a zero-sharng for all = 1,..., n and j = 0,..., u 1. Consder the followng. s 0 = s 0 + smκ 0 s 1 = s 0 smκ 0 + s 2 = s 1 smκ 1 +. =1 =1 s u = s t 1 smκ u 1 + z (0) + smκ 1 z (1) + smκ 2 =1 z (u 1) + smκ u, where the vew of the adversary s exactly the same, but the secret s s proactvely shared nstead of 0. Consder, s j = s j 1 smκ j 1 + z (j 1) + smκ j, whch also can be represented by the dstrbuton vectors, ρ j = ρ j 1 sκ j 1 + ρ (j 1) z, + sκ j, =1 =1

8 such that s j = Mρ j, s j 1 = Mρ j 1 and z(j 1) = Mρ j 1 z, for = 1,... n. Note that the term sκ j does not nfluence the vew of the adversary, and the term sκ j 1 can be subtracted from an honest 0-sharng z (j 1) and therefore not change the vew of the adversary. Furthermore note, that the adversary does not have any partal nformaton on any of the z (j 1), snce we assumed that the adversary only corrupted partes n the operatonal phase. That s, f the protocol s only used polynomal many tmes then the prvacy of LISS ensures that the vews are ndstngushable wth all but neglgble probablty n the securty parameter k f the adversary has no corrupted partes n the refreshment phases. We only need to argue, that f the adversary corrupts a party durng a refreshng phase, t does not help her. However consder the followng. ρ j = ρ j 1 sκ j 1 + =1 ρ (j 1) z, + sκ j. If j s a refreshment phase, then note, that f partes A j P were corrupted durng that phase, then A j = A j 1 A j A j+1. Hence, the two terms sκ j 1 and sκ j do not change any of the corrupted partes shares. We therefore conclude, that the vew s exactly the same and therefore the adversary does not proft from the corrupton of the partes n A durng the refreshment phase. 5 Actve Securty 5.1 Verfable Secret Sharng In order to make the LISS scheme and the Refresh protocol secure aganst an actve adversary we need a lnear nteger commtment scheme. Let C a = com(a) denote the commtment of a. Strctly speakng a commtment C a = com(a, r) ncludes the commtment a and some randomness r. One can open a commtment by revealng a and r, then everybody can check that com(a, r) = C a. For smplcty we exclude the randomness used n the commtment. A commtment com(a) = C a s bndng f the commtter cannot open the commtment to any other value b a. A commtment com(a) = C a s hdng f C a does not reveal anythng about a. Both the bndng and the hdng property come n a computatonal, statstcal, and perfect flavor. Snce we do not consder any specfc commtment scheme one should just remember, that the securty s no stronger than the commtment scheme.

9 By lnearty we mean, gven two commtments C a = com(a) and C b = com(b) and constant c t s possble to compute commtment C = com(a+ cb), such that beng able to open com(a) and com(b) makes t possble to open com(a+cb). We use the followng notaton for smplcty C = C a Cb c. Gven a lnear nteger commtment scheme com, then verfable secret sharng (VSS) for the LISS scheme s constructed as follows. A dstrbuton vector s chosen ρ [ 2 l0+k..2 l0+k ] wth ρ, ε = s [ 2 l..2 l ] the secret to be VSSed. Then commt to C 1 = com(s), C 2 = com(ρ 2 ),..., C e = com(ρ e ) and broadcast them to all partes nvolved. Then compute s = Mρ for ISP M = (M, ψ, ε). For = 1,..., n send share s {P } to P. By the lnearty of the scheme every party can check that the receved share components are consstent wth the broadcast commtments. Smply note, com(s ) = C m,1 1 C m,2 2 C m,e e, where M = [m,j ]. Furthermore, ths ensures the partes that the VSS value s consstently opened. 5.2 The Refresh Protocol wth Actve Securty The smple observaton s, that n order for a party to convnce the others that he secret shares a 0, he smply uses the trval commtment 1 whch commts to 0 usng randomness 0. In the followng protocol we frst assume, that all honest partes nternal states are consstent, that s, ther shares and commtments are correct. We wll come back to ths ssue n the next subsecton. Protocol Refresh Intally a dealer has computed sharng vector (s 1,..., s d ) T = Mρ, where ρ [ 2 l0+k..2 l0+k ] e was chosen at random wth the restrcton that ρ, ε = s the secret. Furthermore, all partes have commtments C 1 = com(s), C 2 = com(ρ 2 ),..., C e = com(ρ e ). 1. Refreshment. For = 1,..., n party P secret shares a zero, usng unformly random ρ [ 2 l0+k..2 l0+k ] e, wth the restrcton that ρ, ε = 0, to obtan share vector by (s 1,..., s d ) T = Mρ. He broadcasts commtments C 2 = com(ρ 2 ),..., C e = com(ρ e ) and for j = 1,..., d send s j to party P ψ(j). 2. Verfcaton. For j = 1,..., n and = 1,..., d party P ψ() verfes that com(s j ) = C m j,2 j 2 C m j,e j e, f not, then broadcast (Complant, P j ) 3. Accusaton. If P j receves (Complant, P j ) from P, then P j broadcasts all prvate nformaton he sent to P. If P j sends nformaton

10 that fals the verfcaton n step 2 or sends nothng, then P j s added to an ntally empty set B, otherwse P s added to B. If B s qualfed, then abort the protocol. 4. Update. For each = 1,..., d party P ψ() lets s (new) = s + n j=1,j / B s j be the new share component, and C (new) j = C j n =1,j / B C j for j = 2,..., e. For now, we just assume that nformaton broadcast n step 3 s the same send prvately to P. See Note 3 and Secton 6 for a soluton of the problem. Then fnally note, f the access structure s Q3, then the problem can be solved by addng both partes to P and P j to B n step 3. If a corrupt party P complans about an honestly generated zerosharng, then obvously she wll be added to B. If a corrupt party P j shares an nconsstent zero-sharng, then an honest party wll complan, and P j wll be added to B. Hence, B cannot become qualfed. Whle ths ensures that the refreshment s done correctly, ths does not ensure that the nternal states are correct of the honest partes. 5.3 Detecton of Corrupted Shares and Recovery of Shares The actve adversary can leave the nternal state of the decorrupted party n an arbtrary way. Frst of all, a party does not know whether he was corrupted or not, hence we need a detecton protocol, whch can clarfy ths matter for each currently honest party. Consder the followng protocol. Protocol Detect Each party P nternal state conssts of a share s {P } and commtments (S (), R () 2,..., R() e ) of supposedly ρ = (s, ρ 2,..., ρ e ) T for s = Mρ and a Recover bt whch s set f he knows the nternal state has been tampered. 1. Each party P broadcasts commtments (S (), R () 2,..., R() e ) 2. Each party P collects B = {P j P (S (j), R (j) 2,..., R(j) e ) = (S (), R () 2,..., R() e )}. If B s not qualfed or the share components known by P are not consstent wth (S (), R () 2,..., R() e ), then the state of P s corrupted and flps on the Recover bt.

11 Lemma 1. Let be a Q2 adversary structure, let C be the set of corrupted partes, and D be the set of decorrupted partes. If the adversary cannot break the bndng property of the commtment scheme n use and C D, then the Detect protocol wll put all honest partes wth tampered nternal state n Recover state. Proof. Dvde the partes n three groups. Let H be the set of partes whch has never been corrupted, C the set of partes whch are corrupted, and D the set of partes whch are honest but are decorrupted. Note that the sets are mutually dsjont but the unon cover the entre set of partes. The set H wll follow the protocol and ther set collected n step 2 of the protocol wll be qualfed snce the adversary structure s Q2,.e., H = (C D) s qualfed. The set D do not necessarly have tampered nput. But f a party has tampered commtments he cannot receve a qualfed set of the same commtments, snce they must come from other partes n the set C or D. If only the share components are tampered, they wll not open the rght combnatons of the commtments under the assumpton that the adversary cannot break the bndng property of the commtment scheme. The recovery process can be acheved by the followng protocol. The protocol assumes that the honest partes agree on the commtments. Ths can be acheved by runnng the Detect protocol. Protocol Recovery The honest partes mutually agree on the followng commtments, C 1 = com(s), C 2 = com(ρ 2 ),..., C e = com(ρ e ), where ρ = (s, ρ 2,..., ρ e ) T [ 2 l0+k..2 l0+k ] e was chosen at random wth the restrcton that ρ, ε = s [ 2 l..2 l ]. Then for each = 1,..., n P receved s {P } prvately from the dealer, where s = (s 1,..., s d ) T = Mρ for an ISP M = (M, ψ, ε), where M Z d,e. Let l (max) be the maxmal bt-length of any share component. 1. Recovery. For each = 1,..., d party P ψ() VSS share component s by choosng dstrbuton vector ρ = (s, ρ 2,..., ρ e ) T [ 2 l(max) 0 +k..2 l(max) 0 +k ] e unformly at random, wth ρ, ε = s. Computes share vector s = Mρ. Broadcasts commtments C () 2 = com(ρ 2 ),..., C e () = com(ρ e ). For j = 1,..., n send (s ) {Pj } to party P j. 2. Verfcaton. When any party P j receves broadcast commtments (C () 2,..., C() e ) from P ψ() along wth prvately receved shares

12 (s ) {Pj } verfy for each share components s ι (s ) {Pj } that com(s ι ) = C m ι,1 s (C () 2 )m ι,2 (C e () ) mι,e, where C s = C m,1 1 C m,2 2 C m,e e and M = [m,j ]. If not, broadcast (Complant, P ). 3. Accusaton. When party P receves broadcast (Complant, P ) from P j he broadcasts all the prvate nformaton send to P j n the recovery step (step 1). 4. Verfcaton of Accusaton. When a party receves a opened share of P j from party P n step 3 he verfes f the opened share can open the correct commtments, f not, P s added to an ntally empty lst B otherwse P j s added to lst. 5. Reconstructon. They chose a reconstructon vector λ = (λ 1,..., λ d ) T whch excludes all partes n B and for all = 1,..., d party P ψ() lets s (new) = j λ js j be the new share. Let the commtments C (new) 1 = d =1 Cλ s and for j = 2,..., e let C (new) j = d =1 (C() j ) λ. Fnally, clear the nternal state for everythng except the new commtments and share. Note 2. If the access structure nvolved n above protocol s Q3, then step 3 and 4 n the protocol are not necessary, snce we can just add both partes n the set B. Note 3. If step 3 and 4 are ncluded n the protocol, then we need a way to ensure, that the nformaton broadcast n step 3 s the same as party P j receved n step 1. For smplcty we assume that ths s forflled. For further dscusson and solutons of the problem, see Secton 6. In the refreshment phase the partes should run the Detect and the Refresh protocol n parallel, that way each honest party knows whether hs nternal state has been tampered. Note, that the Recover protocol assumes that the nternal states of the commtment are consstent, ths can be acheved by runnng the Detect protocol n parallel. Furthermore, an honest party wth tampered shares wll be ncluded n the lst B from step 4 n the Recover protocol, snce at the pont of verfcaton every honest party agrees on whch commtments are the correct ones. Remark 1. The reconstructon vector chosen n step 5 can be chosen determnstcally based on the set B from step 4, hence, no further communcaton s requred. Theorem 2. If the commtment scheme s bndng then all honest partes wll have consstent nternal state after a parallel run of the Detect and the Refresh protocol.

13 Proof. Frst we consder an honest party wth consstent nternal state,.e., a state whch the adversary has not tampered. If he receves some counterfet shares from a party, then he wll complan and under the assumpton n Note 3 the accused party wll broadcast the same nformaton such that all partes can verfy that the clam s correct. Note, that the problem s only relevant f the access structure s not Q3. An honest party wth tampered nternal state wll ether dscover the nconsstency due to the Detect protocol or otherwse he wll be excluded from the protocol by complants n step 2. Fnally note, that he wll receve correctly generated shares from all honest partes and recover the state. 6 Dynamcally Authentcated Secure Pont-to-Pont Channels The assumpton of authentcated secure pont-to-pont channels between all partes mght not be realstc even n the case of a passve adversary. In real lfe ths model would be mplemented by usng some knd of publc key nfrastructure. Whle the adversary breaks nto the dfferent partes, she could steel the prvate key. After a couple of stages she would know all the partes prvate keys, and hence, be able to decrypt all messages send n the network. If we consder an actve adversary, then two further problems appear. Frstly, how to resolve the problem f the adversary removes or changes the prvate key and/or uses t. Secondly, the problem ponted out n Note 3. Herzberg et al. [7] proposed to have ntalzed publc/secret key pars, such that party P knows all partes correct publc keys pk (0) 1,..., pk(0) n and has hs own prvate key sk (0). Then at each refreshment phase, each party P generates a new publc/secret key par sk (1) /pk (1) new publc key by sk (0) and broadcasts t. and sgns the If the adversary knows sk (u) but has decorrupted party P,.e., party P s honest agan, then obvously she can decrypt all messages encrypted to P. But when P decdes to generate a new par pk (u+1) and sk (u+1) and broadcasts pk (u+1) know sk (u+1) sgned wth pk (u), then the adversary does not snce the adversary does not know the randomness used to generate the key par. Ths solves the problem wth passve corrupton. Wth an actve adversary we frst consder the problem ponted out n Note 3. It can be solved by usng the publc key nfrastructure descrbed above. Smply, nstead of party P sends prvate messages to, say, P j, then P encrypts the prvate messages under publc key pk (u) j, sgns everythng

14 he sends under hs secret key sk (u), and broadcasts everythng. Then when P s asked to open the message send to P j, he smply broadcasts the messages and the randomness used to encrypt under the publc key pk (u) j of P j. If P fals to do ths, he s consdered corrupt, otherwse the accuser P j s consdered corrupt. Note agan, that ths s only a problem when we consder access structures whch are not Q3. Consder the problem when the adversary A uses some decorrupted honest party s P secret key sk (u), whle the secret key has not been tampered n the nternal state by the adversary,.e., P stll has the same copy of sk (u). Herzberg et al. [7] suggest to let the honest party P send a sgned dsqualfcaton of hs own secret key. Then a reboot procedure should be started, where all partes are rebooted,.e., the adversary s removed from all of them, and a new consstent publc key nfrastructure s provded to the partes. The reason ths strategy s necessary s that the partes cannot dstngush whch messages come from the adversary A and whch come from the honest party P. Fnally consder the case where the adversary A tampers or removes the prvate key sk (u) of P. Ths obvously makes t mpossble for P to sgn a message to start a reboot process. The smple soluton s to send an unsgned reboot symbol to ntate the reboot. Ths opens up for the possblty that the adversary can start a reboot process wthout corruptng any party. But to our knowledge there s no way to elegantly handle ths problem. 7 Acknowledgments Ivan Damgård, Martn Gesler, Mkkel Krøgård, and Gert Læssøe Mkkelsen. References 1. R. Canett, R. Gennaro, S. Jareck, H. Krawczyk, and T. Rabn. Adaptve securty for threshold cryptosystems. In M. J. Wener, edtor, CRYPTO, volume 1666 of Lecture Notes n Computer Scence, pages Sprnger, R. Cramer and S. Fehr. Optmal black-box secret sharng over arbtrary abelan groups. In M. Yung, edtor, CRYPTO, volume 2442 of Lecture Notes n Computer Scence, pages Sprnger, I. Damgård and R. Thorbek. Lnear nteger secret sharng and dstrbuted exponentaton. In M. Yung, Y. Dods, A. Kayas, and T. Malkn, edtors, Publc Key Cryptography, volume 3958 of Lecture Notes n Computer Scence, pages Sprnger, Y. Frankel, P. Gemmell, P. D. MacKenze, and M. Yung. Optmal reslence proactve publc-key cryptosystems. In FOCS, pages , 1997.

15 5. Y. Frankel, P. Gemmell, P. D. MacKenze, and M. Yung. Proactve rsa. In B. S. K. Jr., edtor, CRYPTO, volume 1294 of Lecture Notes n Computer Scence, pages Sprnger, Y. Frankel, P. D. MacKenze, and M. Yung. Adaptve securty for the addtvesharng based proactve rsa. In K. Km, edtor, Publc Key Cryptography, volume 1992 of Lecture Notes n Computer Scence, pages Sprnger, A. Herzberg, S. Jareck, H. Krawczyk, and M. Yung. Proactve secret sharng or: How to cope wth perpetual leakage. In D. Coppersmth, edtor, CRYPTO, volume 963 of Lecture Notes n Computer Scence, pages Sprnger, S. Jareck and N. Saxena. Further smplfcatons n proactve rsa sgnatures. In J. Klan, edtor, TCC, volume 3378 of Lecture Notes n Computer Scence, pages Sprnger, R. Ostrovsky and M. Yung. How to wthstand moble vrus attacks (extended abstract). In PODC, pages 51 59, T. Rabn. A smplfed approach to threshold and proactve rsa. In H. Krawczyk, edtor, CRYPTO, volume 1462 of Lecture Notes n Computer Scence, pages Sprnger, 1998.