Optimal-resilience, proactive, public-key cryptographic system and method
First Claim
1. A method of providing a cryptographic service comprising the steps of:
- selecting a first function having properties useful for providing the cryptographic service;
re-expressing the first function as a first plurality of alternate functions;
distributing the first plurality of alternate functions to a plurality of distinct, electronic, cryptographic processing apparatus;
during a first operational period, (i) at each of a selected set of cryptographic processing apparatus, electronically applying at least one of the first plurality of alternate functions to a first input message to obtain first partial results, and (ii) combining first partial results to obtain a first final electronic output associated with the input message, said output-being identical to the output that would have been obtained by applying the first function to the input message;
during an update period, (i) generating a second plurality of alternate functions that re-express the first function, and (ii) distributing the second plurality of alternate functions to distinct cryptographic processing apparatus; and
during a second operational period, (i) at each of a selected set of cryptographic processing apparatus, electronically applying at least one of the second plurality of alternate functions to a second input message to obtain second partial results, and (ii) combining second partial results to obtain a second final electronic output associated with the input message, said second output being identical to the output that would have been obtained by applying the first function to the second input message.
2 Assignments
0 Petitions
Accused Products
Abstract
Proactive robust threshold schemes are presented for general "homomorphic-type" public key systems, as well as optimized systems for the RSA function. Proactive security employs dynamic memory refreshing and enables us to tolerate a "mobile adversary" that dynamically corrupts the components of the systems (perhaps all of them) as long as the number of corruptions (faults) is bounded within a time period. The systems are optimal-resilience. Namely they withstand any corruption of minority of servers at any time-period by an active (malicious) adversary (i.e., any subset less than half. Also disclosed are general optimal-resilience public key systems which are "robust threshold" schemes (against stationary adversary), and are extended to "proactive" systems (against the mobile one). The added advantage of proactivization in practical situations is the fact that, in a long-lived threshold system, an adversary has a long time (e.g., years) to break into any t out of the l servers. In contrast, the adversary in a proactive systems has only a short period of time (e.g., a week) to break into any t servers. The model of mobile adversary seems to be crucial to such "long-lived" systems that are expected to span the secure network and electronic commerce infrastructure.
104 Citations
71 Claims
-
1. A method of providing a cryptographic service comprising the steps of:
-
selecting a first function having properties useful for providing the cryptographic service; re-expressing the first function as a first plurality of alternate functions; distributing the first plurality of alternate functions to a plurality of distinct, electronic, cryptographic processing apparatus; during a first operational period, (i) at each of a selected set of cryptographic processing apparatus, electronically applying at least one of the first plurality of alternate functions to a first input message to obtain first partial results, and (ii) combining first partial results to obtain a first final electronic output associated with the input message, said output-being identical to the output that would have been obtained by applying the first function to the input message; during an update period, (i) generating a second plurality of alternate functions that re-express the first function, and (ii) distributing the second plurality of alternate functions to distinct cryptographic processing apparatus; and during a second operational period, (i) at each of a selected set of cryptographic processing apparatus, electronically applying at least one of the second plurality of alternate functions to a second input message to obtain second partial results, and (ii) combining second partial results to obtain a second final electronic output associated with the input message, said second output being identical to the output that would have been obtained by applying the first function to the second input message. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
-
-
29. A method of providing a public-key cryptographic service comprising the steps of:
-
selecting an RSA function having associated public and private keys; re-expressing the RSA function as a first plurality of alternate functions; distributing the first plurality of alternate functions to a plurality of distinct, electronic, cryptographic processing apparatus; during a first operational period, (i) at each of a selected set of cryptographic processing apparatus, electronically applying at least one of the first plurality of alternate functions to a first input message to obtain first partial results, and (ii) combining first partial results to obtain a first final electronic output associated with the first input message, said first output being identical to the output that would have been obtained by applying the RSA function to the first input message; during an update period, updating the plurality of distinct cryptographic processing apparatus by (i) generating a second plurality of alternate functions that re-express the RSA function, and (ii) distributing the second plurality of alternate functions to distinct cryptographic processing apparatus; and during a second operational period, (i) at each of a selected set of cryptographic processing apparatus, electronically applying at least one of the second plurality of alternate functions to a second input message to obtain second partial results, and (ii) combining second partial results to obtain a second final electronic output associated with the second input message, said second output being identical to the output that-would have been obtained by applying the RSA function to the second input message. - View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
-
-
47. A method of providing a cryptographic service comprising the steps of:
-
selecting a first relation, said relation having properties useful for providing a cryptographic service, in connection with a public key and a private key drawn from a domain for which neither the order nor a multiple of the order is publicly known; re-expressing the first relation as a first plurality of alternate relations; distributing the first plurality of alternate relations to a plurality of distinct, electronic, cryptographic processing apparatus; during a first operational period, (i) at each of a selected set of cryptographic processing apparatus, electronically applying at least one of the first plurality of alternate relations to a first input message to obtain first partial results, and (ii) combining first partial results to obtain a first final electronic output associated with the input message, said first output being a legitimate result that can be processed using one of said public and private keys as if it had been obtained by applying the first relation to the first input message; during an update period, updating the plurality of distinct cryptographic processing apparatus by (i) generating a second plurality of alternate relations that re-express the first relation, and (ii) distributing the second plurality of alternate relations to distinct cryptographic processing apparatus; and during a second operational period, (i) at each of a selected set of cryptographic processing apparatus, electronically applying at least one of the second plurality of alternate relations to a second input message to obtain second partial results, and (ii) combining second partial results to obtain a second final electronic output associated with the second input message, said second output being a legitimate result that can be processed using one of said public and private keys as if it had been obtained by applying the first relation to the second input message. - View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71)
-
Specification