Proactive RSA

The notion of \proactive security" of basic primitives and cryptosystems has been introduced by Ostrovsky and Yung to deal with a very strong \mobile adversary" who may corrupt all participants (servers, each with private memory) throughout the lifetime of the system in a non-monotonic fashion (i.e. recoveries are possible), but who is not able to corrupt too many participants during any short period of time. The servers engage in a \proactive maintenance" that self-secures them against the mobile adversary that tries to learn the secret or disrupt their operation. We present a proactive RSA system in which a threshold of servers applies the RSA signature (or decryption) function in a distributed manner. Our protocol enables the dynamic updating of the servers (which hold the RSA key distributively); it is secure even when a linear number of the servers are corrupted during any time period (linear redundancy); it eeciently self-maintains the security of the function and its messages (ciphertexts or signatures); and it enables continuous availability, namely, correct function application using the shared key is possible at any time. The servers are able to eeciently self-secure the RSA key by changing its local representation, doing so without knowing the order ((N)) of the RSA multiplicative group Z N in which the global key maintenance protocol would naturally compute (where N is a multiple of two large primes). Instead, the servers compute and work with the shares as elements of the group of integers under addition. We present a way in which l servers can share an RSA key d so that: A gateway G can combine information from any set of (1 2 +)l (honest) servers to deduce M d for any authorized message M. Our protocol is secure against a polynomial time adversary who controls the gateway G and time-variant sets of up to (1 2 ?)l servers. The share-size is always bounded logarithmically in N .