Proactive Secret Sharing and Public Key Cryptosystems

Secret sharing schemes protect secrecy and integrity of information by dividing it into shares and distributing these shares among different locations. In k + 1 out of n threshold schemes, security is assured if throughout the entire life-time of the secret the adversary compromises no more than k of the n locations. For long-lived and sensitive secrets this protection may be insufficient. We propose a new type of secret sharing scheme, called proactive, in which the share holders periodically (e.g. once a day) rerandomize the distribution of the secret into shares in such a way that if the adversary learns no more than k shares before the rerandomization, this information is useless for attacking the secret afterwards. In other words, the adversary willing to learn or destroy the secret has to break to at least k + 1 locations during the same time period, i.e. between consecutive executions of the rerandomization protocol. We extend proactive secret sharing schemes to function sharing, which allows for various proactive public key cryptosystems. As example, we construct with n = 2k+ 1 servers a proactive Certification Authority, such that the adversary who wants to learn or destroy its secret signature key has to break to more than k servers during a single time period. We propose two efficient proactive secret sharing protocols. We define the security notions of proactive secret sharing and we provide the proofs of security of the two protocols we propose. Our solutions assume broadcast channel between servers and the computational hardness of some cryptographic primitives. Thesis Supervisor: Ronald L. Rivest Title: Professor Thesis Supervisor: Hugo Krawczyk Title: IBM Research Thesis Supervisor: Moti Yung Title: IBM Research