Implementation and Discussion of Threshold RSA
Abstract
A threshold cryptosystem involves collaboration among k of n users to take some cryptographic action. These actions could include encrypting, decrypting, signing and verifying. Threshold schemes are advantageous in situations where the involved parties wish to divide the power to sign or decrypt a message, so that no one party can take action without the support of some other parties, and in situations in which the parties wish to minimize the damage that a single compromised secret could cause. Such schemes are closely related to and often dependent on secret-sharing protocols such as Shamir's polynomial-based secret sharing scheme. When analyzing threshold cryptosystems, it's important to consider factors such as interactivity, trusted third parties, amount of required re-computation, efficiency, and burden on outside users.

For our project, we implemented Threshold RSA, a system that is a variant of standard RSA signatures and that enables a size-k subset of n parties to produce a valid RSA signature on a message. Our project contributes a Python implementation of the scheme as well as a discussion of its advantages, disadvantages and performance. We intended to further extend Threshold RSA to support anonymity and deniability, such that parties could not determine which k parties participated in producing the signature. However, we did not implement this extra feature due to time constraints.

1 Overview of Threshold RSA

In Threshold RSA, the RSA modulus N and public key e are publicly known. The two primes p and q, as well as the private key d, are kept secret and are unknown to anyone. The parties engage in collaborative but untrusting protocols to generate additive shares, p_i, q_i and d_i, of the secrets. The protocols are collaborative because they require parties to broadcast certain calculated values to other parties, and are untrusting because all parties can verify certain properties about the broadcast messages to ensure that other parties are honest.
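The additive-share idea from the overview, as an added example that is not the project's Python implementation: each party raises the message hash to its own share d_i, and the product of those partial values is an ordinary RSA signature that verifies against (N, e) alone. Two simplifying assumptions: a dealer who knows d creates the shares here, whereas the scheme generates them without anyone learning d, and all n shares are required, so the k-of-n step is not shown. The toy key, the unpadded hash encoding and all function names are constructed for illustration.

```python
import hashlib
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # known only to the illustrative dealer below


def digest(message: bytes) -> int:
    """Textbook hash-then-sign encoding (no padding), for illustration only."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def deal_shares(d: int, n: int) -> list[int]:
    """Split d into n additive shares with sum(shares) = d (mod PHI)."""
    shares = [secrets.randbelow(PHI) for _ in range(n - 1)]
    shares.append((d - sum(shares)) % PHI)
    return shares


def partial_sign(message: bytes, d_i: int) -> int:
    """Party i's contribution: H(m)^d_i mod N, computed from its share alone."""
    return pow(digest(message), d_i, N)


def combine(partials: list[int]) -> int:
    """Multiply partial signatures: prod H(m)^d_i = H(m)^(sum d_i) = H(m)^d."""
    sig = 1
    for s in partials:
        sig = sig * s % N
    return sig


def verify(message: bytes, sig: int) -> bool:
    """Standard RSA verification; the verifier needs only (N, E)."""
    return pow(sig, E, N) == digest(message)


def demo(n: int = 5) -> tuple[bool, bool]:
    """Return (valid with all n partials, valid with one partial missing)."""
    msg = b"constructed sample message"
    partials = [partial_sign(msg, d_i) for d_i in deal_shares(D, n)]
    return verify(msg, combine(partials)), verify(msg, combine(partials[:-1]))


if __name__ == "__main__":
    print(demo())  # all shares present vs. one share missing
```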
Threshold RSA has several desirable properties:

• No trusted third party; no trusted central server
• Distributed system; distributed computation can parallelize work for greater efficiency
• A subset of fewer than k people cannot produce a valid RSA signature on a message
• An attacker cannot use an existing signature to gain information about how to produce future signatures
• Parties do not need to reshuffle or regenerate their secrets after each signature
• Receivers of signatures produced by Threshold RSA can verify those signatures in the exact same manner as they would signatures produced by standard RSA; no extra work required

One potential drawback of Threshold RSA is that the members of the size-k subset that collaborates to sign a message are known to the other parties. We imagined that this could lead to coercion, in the case that one party does not wish for the message to be signed, and therefore pressures or even threatens other parties to not sign, and is capable of knowing
Similar resources
RSA and Elliptic Curve- ElGamal Threshold Cryptography (ECCEG-TC) Implementations for Secure Data Forwarding in MANETs
A Mobile Ad hoc Network (MANET) consists of multiple wireless mobile devices that form a network on the fly to allow communication with each other without any infrastructure. Due to its nature, providing security in these networks is challenging. Threshold Cryptography (TC) provides a promise of securing these networks. In this paper, we discuss our RSA-based Threshold Cryptography (RSA-TC) and...
USENIX Association Proceedings of the 10th USENIX Security Symposium
We present a new approach to fast certificate revocation centered around the concept of an on-line semi-trusted mediator (SEM). The use of a SEM in conjunction with a simple threshold variant of the RSA cryptosystem (mediated RSA) offers a number of practical advantages over current revocation techniques. Our approach simplifies validation of digital signatures and enables certificate revocation wi...
Threshold Implementation as a Countermeasure against Power Analysis Attacks
One of the usual ways to find sensitive data or secret parameters of cryptographic devices is to use their physical leakages. Power analysis is one of the attacks which lay in such a model. In comparison with other types of side-channels, power analysis is so efficient and has a high success rate. So it is important to provide a countermeasure against it. Different types of countermeasures use ...
Adaptively Secure Threshold Cryptography without the Assumption of Erasure
We exhibit efficient threshold cryptosystems which are secure against adaptive adversaries even when the players cannot erase their local data. Specifically, we present erasure-free adaptively-secure protocols for distributed decryption in Cramer-Shoup cryptosystem. Our techniques are also applicable for distributing the secret-key operation of other cryptosystems, like RSA, DSS, and ElGamal, as w...
GBD Threshold Cryptography with an Application to RSA Key Recovery
We present protocols for threshold cryptography in the GBD public-key cryptosystem. Both threshold decryption and threshold key generation are covered, in the “honest-but-curious” setting. This shows that it is possible to perform GBD computations in a distributed manner during both key generation and decryption, without revealing the private key to any party. GBD threshold decryption is similar...
Publication date: 2016