Secure Password-Protected Threshold Signatures Explained

1 university of warsaw poland n.w
1 / 23
Embed
Share

Explore the concept of password-protected threshold signatures and the importance of security in blockchain wallet management. Learn about key properties, use cases, and the prevention of security vulnerabilities.

  • Security
  • Threshold Signatures
  • Blockchain
  • Password Protection
  • Cryptography
rayaanacharya
jveron Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. 1 University of Warsaw, Poland Password-Protected ThresholdSignatures 2 IDEAS NCBR, Poland 3 University of California Irvine, USA 4 Amazon Web Services, USA 5 Privacy + Scaling Explorations, Vietnam Stefan Dziembowski12, Stanis aw Jarecki3, Pawe K dzior1, Hugo Krawczyk4, Chan Nam Ngo5, JiayuXu6 6 Oregon State University, USA

  2. As of recent estimates, there are roughly 400 million blockchain wallet users worldwide. Some also use custodial wallets...(How to trust that they are secure) Custodial wallets may be distributed among many servers for security reasons. 2 https://www.thebusinessresearchcompany.com/report/crypto-wallet-global-market-report

  3. Case 1: n servers n passwords Case 2: n servers one password password pw2 password password_file: (pw1,pw2,pw3) Too much to memorize! User outputs signature Strawman solution creates n points of failure 3

  4. We define 4 properties of a good Password-Protected Threshold Signature scheme: 1. One protocol execution = one online password guess. password password* Correct password guess: password* = password 4

  5. We define 4 properties of a good Password-Protected Threshold Signature scheme: 1. One protocol execution = one online password guess. 2. Compromising t servers = no security loss. password 5

  6. We define 4 properties of a good Password-Protected Threshold Signature scheme: 1. One protocol execution = one online password guess. 2. Compromising t servers = no security loss. 3. Compromising > t servers (even all n) without successful ODA = no security loss. password Offline dictionary attack: password* = password (recover password using brute force) password* 6

  7. We define 4 properties of a good Password-Protected Threshold Signature scheme: 1. One protocol execution = one online password guess. 2. Compromising t servers = no security loss. 3. Compromising > t servers (even all n) without successful ODA = no security loss. password 4. An attacker who knows the password, can sign only one message per each interaction with t + 1 servers. No signature can be created! Signature is created! 7

  8. We define 4 properties of a good Password-Protected Threshold Signature scheme: 1. One protocol execution = one online password guess. Password Authenticated Key Exchange (tPAKE) + threshold signature scheme (tSIG). 2. Compromising t servers = no security loss. 3. Compromising > t servers (even all n) without successful ODA = no security loss. Property 4. addssecurity mechanisms: - rate-limiting - multi-factor authentication - application policy - protects the user in case of a break into the client machine 4. An attacker who knows the password, can sign only one message per each interaction with t + 1 servers. 8

  9. augmented password-protected threshold SIGnature (aptSIG) aptSIG 1. One protocol execution = one online password guess. aPPSS 2. Compromising t servers = no security loss. 3. Compromising > t servers (even all n) without successful ODA = no security loss. OPRF 4. An attacker who knows the password, can sign only one message per each interaction with t + 1 servers. tSIG Proven secure in Universally Composable (UC) framework. 9

  10. augmented password-protected threshold SIGnature (aptSIG) Run between a User and n Servers. The only input of the User is her password. Two phases: 1. Initialization 2. Signing password At the end of Signing the User outputs (m, ). At the beginning of both phases parties run aPPSS protocol [BJSL11]. Bagherzandi, Jarecki, Saxena, Lu; CCS11 10

  11. aPPSS Initialization phase We extend security proof of [JKK14] to the augmented setting (protocol remains unchanged) Protocol begins with a computation of oblivious PRF (OPRF) [JKKX16] between the User and each server. password Jarecki, Kiayias, Krawczyk; Asiacrypt14 11 Jarecki, Kiayias, Krawczyk, Xu; EuroS&P16

  12. aPPSS Initialization phase password 12

  13. aPPSS Initialization phase Oblivious PRF (OPRF) password 13

  14. Adaptive Oblivious Pseudorandom Function (OPRF) 2HashDH USER SERVER Input: k Input: pw Choose random a= H(pw) a Compute b= ak b Compute c=H'(pw,b1/ ) Output c 14

  15. aPPSS Initialization phase Can be replaced by tOPRF [GJKNX] to achieve security against proactive adversary! SERVER 1 SERVER 2 password SERVER 3 Gu, Jarecki, Kedzior, Nazarian, Xu; Asiacrypt24 15

  16. aPPSS Initialization Phase Run OPRF User chooses random s , key1 Generates SS (s1, ,sn) of s ei= siXOR i Parses e= (e1, ,en) (C || sk):=H(pw,e,s), :=(e,C) , key2 password Sends to each server Server saves key3 , 16

  17. aPPSS Reconstruction Phase Run OPRF get ifrom each server , key1 Parse = (C,e) si= eiXOR i Recover s Parse H(pw,e,s) as (C' || sk) , key2 password If C' = C output sk, else output error message key3 , 17

  18. aptSIG Initialization Phase Run aPPSS Run tBLSKey Generation key1 key2 password sk key3 18

  19. Threshold BLS Signature (tBLS) Introduced by Boldyreva in 2003 Threshold BLS scheme for the 1+t access structure Key generation Input: (P0, P1, ,Pn) Output: (i,sig_keyi,V,V) Signing Server: On m computes i:= H(m)siand sends (i, i) to all other parties P0computes full signature using Lagrange interpolation 19 Boldyreva; PKC03

  20. aptSIG Initialization Phase Run aPPSSInitialization between the user and all servers get sk key1, V1 aecU Run tBLSKey generation Encrypt user's partial signing key with sk : aecU= Encsk(s0) key2, V1 aecU password sk Send aecUto each server key3, V1 aecU 20

  21. aptSIG Signing Phase Run aPPSS Reconstruction key1, V1 aecU Run tBLSSigning on message m Efficiency minimal overhead key2, V1 aecU password sk UC secure against an adaptive adversary (m, ) Applications to blockchain wallets Extensions to Password-Protected MPC key3, V1 aecU MPC for Obfuscated Point Function 21

  22. Our contributions Future Work password-protected (arbitrary) keyed function e.g. threshold encryption or blind signatures We introduce a new notion of augmented password-protected threshold signature (aptSIG) aPPSS a new variant of PPSS, with better security Concrete instantiations for ECDSA (t = n-1) and BLS signature schemes Security proven in UC framework 22

  23. Thank you for your attention! eprint.iacr.org/2024/1469 23

Related


Visual Presentation Slides from Griffin & Pustay on International Business

Visual Presentation Slides from Griffin & Pustay on International Business

langston
Tentative Timeline for Submission Process and Visual Slides

Tentative Timeline for Submission Process and Visual Slides

severin
Visual Presentation Slides for Webinar

Visual Presentation Slides for Webinar

adelheid
ARGOS Inventory by Fund Queries Presentation Slides

ARGOS Inventory by Fund Queries Presentation Slides

fionn
Slides Gallery for Presentation

Slides Gallery for Presentation

arav
Beautiful Slides Showcase

Beautiful Slides Showcase

emilie
Collection of Beautiful Slides for Presentation

Collection of Beautiful Slides for Presentation

delphi
Instructions for Using These Slides

Instructions for Using These Slides

mars
Physics Presentation Slides on Rotational Motion, Thermodynamics, and Data-Based Questions

Physics Presentation Slides on Rotational Motion, Thermodynamics, and Data-Based Questions

laila
Visual Presentation Slides Showcase

Visual Presentation Slides Showcase

luella
Collection of Slides with Descriptions

Collection of Slides with Descriptions

astraea
Visual Presentation Slides Collection

Visual Presentation Slides Collection

xochitl
Guidelines for Using UPMC PowerPoint Template

Guidelines for Using UPMC PowerPoint Template

zayd
Visual Presentation Slides Collection

Visual Presentation Slides Collection

tansy
Beautiful Presentation Slides Showcase

Beautiful Presentation Slides Showcase

asta
Visual Drill and Alphabet Presentation Slides Collection

Visual Drill and Alphabet Presentation Slides Collection

dulcie
Analysis of 'The Scholarship Jacket' by Marta Salinas

Analysis of 'The Scholarship Jacket' by Marta Salinas

absalom
Visual Presentation Slides Collection

Visual Presentation Slides Collection

talullah
Presentation Slides Showcase

Presentation Slides Showcase

aoife
Collection of Slides for Presentation

Collection of Slides for Presentation

imelda
Visual Highlights from OP-ED Slides

Visual Highlights from OP-ED Slides

numair
Efficient Method for Importing Slides into a New Presentation

Efficient Method for Importing Slides into a New Presentation

arno

More Related Content