Threshold cryptography in P2P and MANETsgts/paps/COMPNW3557.pdfOur work uses group membership certi...

This article was originally published in a journal published byElsevier, and the attached copy is provided by Elsevier for the

author’s benefit and for the benefit of the author’s institution, fornon-commercial research and educational use including without

limitation use in instruction at your institution, sending it to specificcolleagues that you know, and providing a copy to your institution’s

administrator.

All other uses, reproduction and distribution, including withoutlimitation commercial reprints, selling or licensing copies or access,

or posting on open internet sites, your personal or institution’swebsite or repository, are prohibited. For exceptions, permission

may be sought for such use through Elsevier’s permissions site at:

http://www.elsevier.com/locate/permissionusematerial

http://www.elsevier.com/locate/permissionusematerial

Autho

r's

pers

onal

co

py

Threshold cryptography in P2P and MANETs:The case of access control q

Nitesh Saxena a, Gene Tsudik b, Jeong Hyun Yi c,*,1

a Computer and Information Science, Polytechnic University, United Statesb Computer Science Department, University of California, Irvine, United States

c Communication and Networking Lab, Samsung Advanced Institute of Technology, Republic of Korea

Received 4 September 2006; received in revised form 29 January 2007; accepted 9 March 2007Available online 23 March 2007

Responsible Editor: L. Salgarelli

Abstract

Ad hoc groups, such as peer-to-peer (P2P) systems and mobile ad hoc networks (MANETs) represent recent techno-logical advancements. They support low-cost, scalable and fault-tolerant computing and communication. Since suchgroups do not require any pre-deployed infrastructure or any trusted centralized authority they have many valuable appli-cations in military and commercial as well as in emergency and rescue operations. However, due to lack of centralized con-trol, ad hoc groups are inherently insecure and vulnerable to attacks from both within and outside the group.

Decentralized access control is the fundamental security service for ad hoc groups. It is needed not only to prevent unau-thorized nodes from becoming members but also to bootstrap other security services such as key management and securerouting. In this paper, we construct several distributed access control mechanisms for ad hoc groups. We investigate, inparticular, the applicability and the utility of threshold cryptography (more specifically, various flavors of existing thresh-old signatures) towards this goal.� 2007 Elsevier B.V. All rights reserved.

Keywords: Mobile ad hoc networks; Key management; Access control; Threshold cryptography; Membership management

1. Introduction

Ad hoc groups, such as peer-to-peer (P2P) sys-tems and mobile ad hoc networks (MANETs), are

very popular in today’s computing, especially inthe research community. They lack infrastructureand do not need any trusted authority. Moreover,they are inherently scalable and fault tolerant. Suchcharacteristics find many interesting applications inmilitary and commercial settings as well as in emer-gency and rescue operations. However, their opennature and lack of centralized control result in somesecurity challenges.

The security research community recognized theneed for specialized security services in ad hoc

1389-1286/$ - see front matter � 2007 Elsevier B.V. All rights reserved.

doi:10.1016/j.comnet.2007.03.001

q Portions of this paper appeared in [26,37,38].* Corresponding author. Tel.: +82 10 2481 0826; fax: +82 31

280 9555.E-mail addresses: [email protected] (N. Saxena),

[email protected] (G. Tsudik), [email protected] (J.H. Yi).1 This work has been done while at UC Irvine.

Computer Networks 51 (2007) 3632–3649

www.elsevier.com/locate/comnet

Autho

r's

pers

onal

co

py

groups. Access Control is particularly importantsince most other traditional security are based uponit. In this context, an access control mechanismmust prevent unauthorized nodes from becominga part of the group and to establish trust amongmembers in the absence of a trusted authority.Access control is also essential to bootstrap othersecurity services, such as secure group communica-tion [44,43] and secure routing (in MANETs), suchas Ariadne [17], SPINS [33], etc.

The concept of threshold cryptography involvesdistributing cryptographic primitives (such asdecryption and digital signatures) in order to securethem against a corruption of a certain number ofparties, i.e., a threshold. For example, a (t � 1,n)threshold signature scheme [6] allows, in a groupof a total of n parties, to share the ability to digitallysign messages in such a way that any t parties can doso jointly, whereas no coalition of up to t � 1 par-ties can.

1.1. Related work

Zhou and Haas [45] first suggested using thresh-old cryptography [45] to secure mobile ad hoc net-works. Their intuition was to distribute trustamong the nodes of the network such that no lessthan a certain threshold of nodes are trusted. Theyproposed a distributed certification authority (CA)[16] which issues certificates (using some thresholdsignature [6] protocol) to the nodes joining the net-work. Certificates enable the nodes to communicatewith each other in a secure and authenticated man-ner. This work also led to the development ofCOCA [46], an online certification authority forwired networks. Although attractive, this idea isnot applicable to ad hoc groups. Their approach ishierarchical: only select nodes can serve as part ofthe certification authority and thus take part inadmission decisions. Moreover, contacting the dis-tributed CA nodes in a MANET setting is difficultsince such nodes might be many hops away.

Luo et al. considered the same problem in [23]and Kong et al. in [21,20] as well as [24,22]. Thisbody of work proposed a set of protocols for ubiq-uitous and robust access control in MANETs. Theyamended the model of Zhou and Haas to allowevery member to participate in access control deci-sions, thus maintaining the true ‘‘peer’’ nature ofad hoc groups and providing increased availability.Unfortunately, this otherwise elegant scheme hasbeen shown to be insecure [26,18].

Recently, Kim et al. [19] developed a groupaccess control framework based on a menu of cryp-tographic techniques. This framework classifiesgroup admission policy according to the entity (orentities) making admission decisions. The classifica-tion included simple access control policies, such asstatic ACL (Access Control List)- or attribute-basedadmission, as well as admission based on the deci-sion of a fixed entity: external (e.g., a CA or aTTP) or internal (e.g., a group founder). Such sim-ple policies are relatively easy to support and do notpresent much of a technical challenge. However,they are inflexible and ultimately unsuitable fordynamic ad hoc networks. Static ACLs enumerateall possible members and hence cannot supporttruly dynamic membership (although they workwell for closed networks). Admission decisionsmade by a TTP or a group founder violate the peernature of the underlying ad hoc group.

In our prior work [37], we constructed accesscontrol mechanisms based on plain RSA signaturesand accountable subgroup multisignatures [28].However, we realize that such mechanisms havelineage problem. This problem occurs when a mem-bership certificate is issued to a new member: eachmember (sponsor) who takes part in the admissionprocess needs to confirm (by signing) its agreementto admit this new member. Essentially, a member-ship certificate has to be signed by some numberof membership sponsors.2 However, each sponsorneeds to attach its own certificate to its signatureon a new member’s certificate in order to makegroup certificates universally verifiable. However, asponsor’s own certificate also has to be counter-signed by its erstwhile sponsors, and so on, and soforth. This is clearly unworkable since a member’scertificate would have to be accompanied by a num-ber of certificate chains that affirm its lineage.

1.2. Our contributions

In this paper, we explore the utility of thresholdcryptography (more specifically various existingthreshold signatures) in constructing decentralizedaccess control mechanisms for ad hoc groups. Wefirst point out the inapplicability of known thresh-old RSA signatures towards this goal, and carry

2 This number is determined by the group admission policy;common examples are a certain fraction of current members or afixed threshold. See [19] for a detailed discussion of admissionpolicies.

N. Saxena et al. / Computer Networks 51 (2007) 3632–3649 3633

Autho

r's

pers

onal

co

py

on to build access control mechanisms based on var-ious flavors of discrete logarithm based thresholdsignatures, namely, threshold DSA [11], thresholdSchnorr [12], and threshold BLS [2]. We compareand evaluate these mechanisms, via theoretical andexperimental analysis in a real MANET setting.3

1.3. Scope

Group access control is a broad topic whichincludes access control mechanisms and the moregeneral issue of group security policy. This work isconcerned only with access control and does notaddress the specification and negotiation of groupsecurity policy. In the following, we assume the exis-tence of such a policy. Furthermore, in an effort tokeep our discussion general, we do not consider theimpact of the underlying physical-layer characteris-tics of the ad hoc group. Moreover, although werecognize that proactivity [30,15,14] is an importantissue to cope up with stronger mobile adversaries,we do not consider it here. However, the thresholdsignature schemes that we employ have proactivesupport and the software implementation of thesame is left as an avenue for future work.

Our work uses group membership certificates toassert group membership. Certificates, as usual,prompt the revocation headache. However, certifi-cate revocation issues are beyond the scope of thiswork.

1.4. Organization

The rest of the paper is organized as follows: Sec-tion 2 summarizes notations. Section 3 provides thehigh-level description of the access control protocol.Next, Section 4 discusses inapplicability of knownthreshold RSA schemes and points out the robust-ness problem with a recently proposed thresholdRSA signature scheme [21]. Sections 5–7 presentthe proposed access control protocols based on dif-ferent threshold signature schemes. Then, experi-mental results are presented and analyzed inSection 8. (Appendix A recalls some cryptographicprimitives and Appendix B summarizes the thresh-old RSA scheme of [21]).

2. Notation

Notation used in this paper is summarized inTable 1. In the rest of the paper, we use the termsmember/node/player and group/network/systeminterchangeably.

3. Group access control

A threshold signature scheme enables any sub-group of t members in a group to collaborativelysign messages on behalf of that group. This isachieved by secret-sharing the signature key amongthe group members, and allowing them to computea signature on some message via a distributed proto-col in which the members use the shares of the sig-nature key instead of the key itself. Thresholdsignature schemes can tolerate up to t � 1 corrup-tions in the whole lifetime of the system.

The idea of threshold signatures applies directlyto build access control mechanisms by making col-laborative decisions. Next, we overview a genericaccess control protocol. Similar to the securitymodel of underlying threshold signature schemes,in our access control mechanisms we consider anadversary who is capable of corrupting at mostt � 1 members and tries to come up with an existen-tial forgery under the adaptively chosen messageattack model.

The access control mechanism is initiated by aprospective member or an ‘‘applicant’’. At the

3 Although in this paper we report only on the experimentalevaluation performed in a MANET setting, our access controlmechanisms are also generally applicable in various P2P systems.

Table 1Notation

Pi Group member i

idi Identity for Pi

t Admission thresholdn Total number of group membersG Cyclic group in finite fieldsg Generator of group G

G1;G2 Cyclic GDH groups of order qP Generator of group G1

e Bilinear map s.t. e : G1 �G1 ! G2

H Hash function such as SHA-1 or MD5H1 Special hash function s.t. H 1 : f0; 1g� ! G�1xi Secret share of Pi

xð jÞi Partial share for Pi by Pj

GMCi Group membership certificate for Pi

SLi List of sponsors for Pi

Si(m) Pi’s signature on message m

Kij Pairwise key between Pi and Pj

EKij Encryption with Kij

/(N) Euler’s Totient for RSA modulus N

3634 N. Saxena et al. / Computer Networks 51 (2007) 3632–3649

Autho

r's

pers

onal

co

py

end, given that enough honest members (Pt)approve admission, the applicant becomes a mem-ber of the group and possesses its share of the groupsecret (called ‘‘secret share’’) and its group member-ship certificate (GMC).

1. Bootstrapping: The group is initialized by either atrusted dealer or a set of founding members. Thedealer or founding members initialize the groupby choosing a group secret key, and computingand publishing the corresponding public parame-ters in the group certificate. The group secret isshared among the founding member(s) usingeither Shamir’s threshold secret sharing (TSS)or joint secret sharing (JSS) techniques pre-sented in Appendix A.1 or Appendix A.2, respec-tively.

2. Member admission: A prospective member Pn+1

who wishes to join the group must be issued itssecret share and membership certificate by cur-rent members. Fig. 1 gives a high-level view ofgroup admission protocol.• Pn+1 initiates the admission protocol by send-

ing a JOIN_REQ message to the group.• A member, that receives this JOIN_REQ mes-

sage and approves the admission of Pn+1,replies, over a secure channel, with a partialsecret share and a partial signature derivedfrom its secret share for Pn+1.

• Once Pn+1 receives partial shares and signa-tures from at least t different members, it usesthem to compute its secret share and member-ship certificate.

• Finally, Pn+1 verifies the validity of its recon-structed secret share and group membershipcertificate before using them. Also, whenPn+1 detects that its secret share or member-ship certificate is invalid, it must be able toidentify the bogus partial share(s) and/or par-

tial signature(s), and thus trace the maliciousgroup member(s).Note that, this step may involve multiplerounds and/or co-ordination among the mem-bers who commit to the requesting member,depending on the underlying cryptographictechniques.

3. Membership authentication: To ensure only genu-ine members are involved in communication,every member must be able to prove membershipto other members.

4. Threshold RSA schemes

Various flavors of threshold signatures exist in lit-erature: RSA based, DSA based, Schnorr based andmore recently, BLS [4] based. However, knownprovably secure threshold RSA signatures do notyield access control mechanisms for ad hoc groups.In this section, we begin by carefully considering var-ious threshold RSA schemes, explain why they arenot applicable for access control in ad hoc groups,and point out the robustness problem with a recentlyproposed threshold RSA scheme [21,20,24,22].

4.1. Analysis of known schemes

Several threshold RSA signatures are proposedin literature [9,10,35,42,21,20,24,22] that might beused to construct the group access control protocol.Unfortunately, none of these schemes are directlyapplicable.

1. Schemes by Frankel et al. and Rabin. The cur-rently known provably secure threshold RSA sig-nature schemes, two schemes by Frankel et al.[9,10] and a scheme by Rabin [35], are notapplicable for access control in ad hoc groups.

Pn+1

quorum oft peers

JOIN_REQP

...P

P

PM

P

P

M

JOIN_RLY

P

(honest) PeerP

Malicious AdversaryM

Fig. 1. Group admission protocol.


Autho

r's

pers

onal

co

py

In particular, the RSA signature scheme of [9] ispractical only for small groups, while in the othertwo provably secure threshold RSA schemesknown today [10,35] (which employ additivesecret sharing as opposed to polynomial secretsharing of [41]) the members participating inthe threshold signature protocol need to recon-struct the secret shares of the group membersthat are currently inaccessible to them. In thisway both protocols essentially equate a tempo-rarily inaccessible group member with a corruptone, whose secrets might just as well be fabri-cated. This is an undesirable feature for asyn-chronous ad hoc groups where members areoften inaccessible to one another. In such settingswe need to enable isolated but large enough sub-groups of members to operate without recon-structing everyone else’s secrets.

2. Scheme by Shoup. Another well known and morerecent provably secure threshold RSA schemewas proposed by Shoup [42]. This scheme is moreelegant than the above ones because the signaturegeneration and verification is fully non-interac-tive and it also avoids the inaccessibility problemby employing the polynomial (t,n) secret sharingof Shamir [41]. However, since the secret sharingis performed over secret modulo /(N) (unlikeover publicly known integers in the schemes dis-cussed above), it is not possible for the groupmembers to provide a new member with its secretshare. Moreover, Shoup’s scheme requires atrusted dealer to generate the RSA keys, whichis an undesirable feature in ad hoc groups. Bonehand Franklin [3] developed a method to generatean RSA modulus in a distributed fashion. Alas, itmight not be possible to use this method, sinceShoup’s scheme requires that the common RSAmodulus N be a product of two safe primes.4

Furthermore, we believe that using any methodto generate RSA keys in a distributed mannerinvolves prohibitively high communication and/or computation overhead which severely impactsthe practicality of such techniques in many groupsetting such as MANETs.

3. Scheme by Kong et al. In an effort to mitigate theabove problem of the known threshold RSA sig-natures, Kong et al. [21] proposed a new thresh-old RSA scheme, geared toward providing

security services in MANETs. Unfortunately,this scheme, contrary to what its authors claimed,is neither robust (i.e., it cannot tolerate maliciousgroup members) nor secure. We first pointed outthe robustness problem in [26]. This problem ispresented in detail in the following section. Wealso presented an attack on the scheme in whichan admissible threshold of malicious group mem-bers can completely recover the RSA secret keyin the course of the lifetime of this scheme [18].

4.2. Robustness problem with URSA RSA signature

scheme

Recently, Kong et al. in a series of papers[21,20,24,22] proposed a set of protocols for provid-ing ubiquitous and robust access control, so-calledURSA, in MANETs without relying on a central-ized authority. In this section we argue that thisscheme is not robust against malicious adversaries[26], i.e., it fails to provide the verifiability of partialsecret shares ðxðjÞnþ1 � sÞ as well as combined secretshare (xn+1) and the partial signatures (sj � s). Asa result, malicious or compromised members cansend fake shares and fake signatures to new mem-bers without being detected and in turn disruptthe admission service. The reason is as follows:

1. Verifiability of partial secret shares and combined

secret share.

Since xðjÞnþ1s and xn+1 are computed modulo N and

not /(N), it is impossible to verify the correctness

using publicly known witnesses. The value of /(N)

is known only to the dealer during group initializa-

tion and destroyed thereafter. Obviously, groupmembers must not know the value of /(N).

Therefore, we cannot apply verifiability mecha-nisms VPSS and VSS (over modulus N) describedin Appendixes A.7 and A.4 to determine the cor-rectness of the partial secret shares and the secretshare respectively. In other words,

gxðjÞnþ1 6¼

Yt�1

k¼0

ðW kÞidknþ1

" #kjðidnþ1Þ

ðmod NÞ ð1Þ

and

gxnþ1 6¼Yt�1

k¼0

ðW iÞidknþ1 ðmod NÞ: ð2Þ

Example. We now provide a trivial exampleto illustrate the problem. Let us assume that

4 Informally, a large prime p is safe if p = 2q + 1 where q isitself a large prime.


Autho

r's

pers

onal

co

py

the secret polynomial is f(z) = 77 + 2z + 5z2

(mod 119), where N = 119 the product of twoprimes: 7 and 17, and g = 3. (Note that thedegree of the polynomial is 2, hence, the thresh-old t = 3). The witnesses of f(z), which are pub-

licly known, are as follows: W0 = 377 = 12,W1 = 32 = 9, and W2 = 35 = 5 (mod 119). Sup-pose a new member P7 receives the following par-tial shares from t existing members P2, P3, andP5: xð2Þ7 ¼ 71, xð3Þ7 ¼ 74, and xð5Þ7 ¼ 72 ðmod 119Þ.P7 computes its share x7 ¼ xð2Þ7 þ xð3Þ7 þ xð5Þ7 ¼98 ðmod 119Þ. To check verifiability of the secretshare, he computes gx7 ¼ 398 ¼ 9 ðmod 119Þ:Also, using the witness values, P7 can get theright hand side of Eq. (2) as follows:

ðW 0ÞðW 1Þ7ðW 2Þ72

¼ 1 ðmod 119Þ:Therefore, even though x7 is correctly computed,gx7 6¼

Q2i¼0ðW iÞ7

i

ðmod 119Þ:2. Verifiability of partial signatures. In case the sig-

nature reconstruction fails, Pn+1 must verify thecorrectness of each partial signature sj and tracethe faulty signer(s) in the process. This involvesa zero knowledge proof of knowledge (ZKPK)protocol [40] fZKPKðdj : sj ¼mdj ðmod NÞ^W j ¼gdj ðmod NÞÞg between Pn+1 and the signer Pj.However, due to the reasons explained above, itis impossible to compute Wj using the public wit-ness values. Explicitly,

W j 6¼Yt�1

k¼0

ðW kÞidkj

" #kjð0Þ

ðmod NÞ ð3Þ

and therefore, performing the above ZKPK pro-tocol is meaningless. Thus, it is impossible for theprospective member to trace the faulty signer(s).

5. Threshold DSA based access control

In this section, we describe the access controlmechanism (referred to as TS-DSA) [26,37] basedon the threshold DSA scheme [11] of Gennaro et al.

5.1. DSA

The DSA [27] is a signature scheme based on theEl Gamal signature scheme [7]. In our description ofthe TS-DSA protocol we follow the notation intro-duced in [11], which differs from the original presen-tation by switching k and k�1. This change allows aclearer presentation.

1. Key Generation. DSA uses the system-wideparameters (p,q,g) where q is a 160-bit primenumber, p is a large prime number such that q

divides (p � 1), and g is an element of order qin Z�p. Each user selects a random integer x 2 Zq

as a private key and computes a public key y suchthat y = gx (mod p).

2. Signing. To generate a signature on the messagem, the signer picks a random number k 2 Zq

and calculates r ¼ ðgk�1 ðmod pÞÞ mod q ands = k(m + xr) (mod q). The signature for m isthe pair (r, s).

3. Verification. To verify a DSA signature, the ver-ifier computes r0 ¼ ðgms�1

yrs�1 ðmod pÞÞ mod qand checks if r 0 = r.

5.2. Bootstrapping

TS-DSA can be initialized by either: (1) a trusteddealer or (2) a group of 3t � 2 or more foundingmembers.5

1. Centralized Initialization. The trusted dealer TD

does the following:(a) The TD generates the system parameters

(p,q,g), selects a random polynomialf(z) = a0 + a1z + � � � + at�1zt�1 over Zq ofdegree (t � 1) such that f(0) = a0 = x whereais, for i 2 [0, t � 1], are the coefficients ofthe polynomial and x is a group secret. Inorder to enable VSS (refer to AppendixA.4) the TD computes and publishes the wit-nesses W k ¼ gak for k 2 [0, t � 1]. Note thatthe witness value W0 = gx, also denoted byy, is actually the group public key.

(b) For each Pi (i 2 [1, 3t � 2]), the TD computesthe secret share xi such that xi = f(idi)(mod q) and issues the group membershipcertificate GMCi. Note that the TD is notrequired hereafter.

2. Decentralized Initialization. A set of foundingmembers Pi (i 2 [1,3t � 2]) do the following:(a) Each Pi selects an individual polynomial fi(z)

over Zq of degree (t � 1) as in JSS protocol(refer to Appendix A.2).

5 Since threshold schemes must tolerate up to t � 1 corruptions,it is assumed that there are at most (t � 1) malicious or faultymembers. Hence, the minimum number of founding members is3t � 2; i.e., (2t � 1) non-faulty members (as required in thresholdDSA [11]) and (t � 1) faulty members.


Autho

r's

pers

onal

co

py

(b) Then, each Pi computes its own secret sharexi such that xi ¼

P3t�2j¼1 fjðidiÞ mod q. Note

that during this process the VSS protocol isapplied to check the validity of xi.

(c) Now, in order to provide each member with amembership certificate, any set of (2t � 1)founding members must collaborate.

5.3. Member admission

Let n (P3t � 2) be the number of current groupmembers. The prospective member Pn+1 invokes theadmission process described in Section 3. Thedetailed steps of the protocol are described below.Fig. 2 shows the message flow of the TS-DSA proto-col required to obtain GMCn+1.

1. A prospective member Pn+1 broadcasts signedJOIN_REQ6 message m containing its identitycertificate PKCn+1 which contains its public keyPKn+1 and identity idn+1 in order to prove theknowledge of the corresponding private key.7

2. After verifying the signed JOIN_REQ, groupmembers8 who wish to participate in the admis-sion of Pn+1 reply with a signed message9 con-taining their respective membership certificatesGMCis which include idi where i 2 [1, t 0] and2t � 1 6 t 0 6 n.

3. Pn+1 picks at random (2t � 1) out of t 0 (P2t � 1)sponsors, Pjs, collects their idjs from their respec-tive GMCjs to form a sponsor list SLn+1 andreplies with a signed acknowledgment messageto each of them.

4. Each Pj randomly chooses polynomials kj(z) andbj(z) in Zq of degree (t � 1). Pj computes kj(idi)and bj(idi) for all co-signers Pi (i 2 [1,2t � 1]) inSLn+1, and then distributes kj(idi) and bj(idi) tothem using JSS protocol. Also, the witness valuesfor these polynomials are broadcast by each Pj inorder to enable VSS. After receiving the partialshares from other co-signers, Pj computes itsshares: kj ¼ kðidjÞ ¼

P2t�1l¼1 klðidjÞ ðmod qÞ and

bj ¼ bðidjÞ ¼P2t�1

l¼1 blðidjÞ ðmod qÞ. Then, Pj

computes uj = kjbj and vj ¼ gbj , and sends themback to Pn+1.

5. Pn+1 now computes: u ¼P2t�1

j¼1 ujkjð0Þ ðmod qÞand v ¼

Q2t�1j¼1 ðvjÞkjð0Þ ðmod pÞ which finally

equals to kb and gb, respectively. Next, Pn+1 com-putes the inverse u�1 (mod q) and finally com-putes r such that r ¼ ðvu�1

mod pÞ mod q whichequals ðgk�1

mod pÞ mod q. Then, Pn+1 sends r

to Pj. Note that in order to compute r withoutrevealing any information about k or k�1, eachPj must choose two polynomials [11].

6. Pj computes a partial signature sj = kj(m + xjr)(mod q) and sends it to Pn+1. Pj also sends toPn+1 its shuffled partial secret share ~xðjÞnþ1 forPn+1 using the PSRS protocol (refer to AppendixA.6): ~xðjÞnþ1 ¼ xjkjðidnþ1Þ þ Rjkjð0Þ ðmod qÞ, wherekjðxÞ ¼

Qtl¼1;l6¼j

x�idlidj�idl

ðmod qÞ and Rj is a random

share of the shared secret zero. Note that thecomputation of kj(x) only requires t members.Then, Pj computes a pairwise key Kjn+1 usingthe technique in [5], and sends the encrypted sj

and ~xðjÞnþ1 to Pn+1.7. Pn+1 computes the threshold signature s ¼P2t�1

j¼1 sjkjð0Þ ðmod qÞ which equals k(m + xr)(mod q). Also, Pn+1 computes its own sharexn+1 by summing up ~xðjÞnþ1 for j 2 [1, t]. Pn+1 veri-fies the reconstructed signature (r, s) and thereconstructed share xn+1, using the standardDSA verification and the VSS protocol, respec-tively. If these verifications succeed, Pn+1 createsits membership certificate GMCn+1 which con-tains m = {idn+1,PKn+1, etc.} and its signature(r, s). Otherwise, the technique for tracing mali-cious members must be employed as follows:

(a) Partial share tracing. Correctness of thepartial secret share ~xðjÞnþ1 can be checked usingthe VPSS technique discussed in AppendixA.7.

(b) Partial signature tracing. Correctness of eachindividual partial signature sj is verified by

gms�1j � yrs�1

jj ¼ gk�1

j , where yj ¼ gxj using the

6 We note that it is necessary to include timestamps, nonces andprotocol message identifiers in order to secure the protocolagainst replay attacks [25]. However, we omit these values to keepour description simple.

7 We assume that there exists an offline CA that issues long-term certificates to each node. In practice, the existence of such aCA can be avoided – a secret channel between the joining nodeand other nodes can be established by making use of physical outof band channels, as in [36,13]. Of course, this way of establishingsecret channels would require more overhead and some userinvolvement.

8 We note that multiple sponsors may reply in parallel.9 Note that how to provide authenticity of protocol messages is

implementation-dependent. Here, the signature can be replacedwith a message authentication code (MAC) [25], provided thatDiffie-Hellman key exchange is available.


Autho

r's

pers

onal

co

py

witnesses for VSS as in [5] and gk�1j is com-

puted as vu�1

jj from the steps (2) and (5) in

Fig. 2.If either of the above tracing functions fail, Pn+1

concludes that Pj is cheating.

5.4. Membership authentication

Every legitimate member is able to prove itsmembership using its own membership certificate.This involves a verifier sending a challenge to thegroup member, and the group member responding

back with a signed challenge along with its member-ship certificate. The verifier first verifies the DSAsignature on the certificate (using the public key ofthe group) and then the signature on the challenge(using the group member’s public key extractedfrom its membership certificate).

6. Threshold Schnorr based access control

In this section, we describe the access controlmechanism (referred to as TS-Sch) based on thethreshold Schnorr scheme [12].

Fig. 2. TS-DSA admission protocol.


Autho

r's

pers

onal

co

py

6.1. Schnorr signature scheme

The Schnorr signature scheme [39] is a variant ofthe El Gamal scheme and its security is based on theDL assumptions [34].

1. Key generation. The method to generate keys isthe same as DSA key generation, except thatthere are no constraints on the sizes of p and q.

2. Signing. To generate a signature, the signerselects a random secret integer k 2 Zq, computesr = gk mod p, e = H(mkr), and s = k � ex modq. The pair (e, s) is the signature of the messagem.

3. Verification. To verify a signature, the verifiercomputes r 0 = gsye mod p and e 0 = H(mkr 0) andaccepts the signature if and only if e 0 = e.

6.2. Bootstrapping

TS-Sch can be initialized in the same way as TS-DSA, except the minimum number of foundingmembers required for decentralized initialization is(2t � 1).


Let n (P2t � 1) be the number of current groupmembers. The protocol steps are described belowand in Fig. 3.

1. Same as the step (1) in Section 5.3.2. Each Pi (i 2 [1, t 0]) where t 6 t 0 6 n, who partici-

pates in the admission of Pn+1 randomly chooseski in Zq, computes ri such that ri ¼ gki ðmod pÞ,and then replies with a signed message containingri and GMCi.

3. Pn+1 picks at random t out of t 0 (Pt) sponsors,Pjs and collects idjs from the respective GMCjsto form a sponsor list SLn+1. Also, Pn+1 com-putes r ¼

Qtj¼1rj ðmod pÞ and e = H(mkr). Then,

Pn+1 replies with a signed acknowledgment mes-sage containing e, SLn+1 to each of the t

members.4. Each Pj then computes the partial signature sj

and the shuffled partial secret share ~xðjÞnþ1 suchthat sj = kj + exj (mod q) and ~xðjÞnþ1 ¼ xjkjðidnþ1ÞþRjkjð0Þ ðmod qÞ. Then Pj sends sj and ~xðjÞnþ1 toPn+1 over secure channel with Kjn+1 as in the step(6) in Section 5.3.

Fig. 3. TS-Sch admission protocol.


Autho

r's

pers

onal

co

py

5. Pn+1 first computes the signature s and its sharexn+1 such that s ¼

Ptj¼1sj � kjð0Þ ðmod qÞ and

xnþ1 ¼Pt

j¼1~xðjÞnþ1 ðmod qÞ. Pn+1 verifies the signa-

ture (e, s) and xn+1 using normal Schnorr verifica-tion and VSS, respectively. If it succeeds, Pn+1

creates its membership certificate GMCn+1 whichcontains m = {idn+1,PKn+1,etc.} and (e, s). if ver-ification fails, Pn+1 traces sj and ~xðjÞnþ1 using tech-niques presented in the following:(a) Partial Share Tracing. Correctness of partial

secret share ~xðjÞnþ1 can be checked using VPSS.(b) Partial Signature Tracing. Correctness of

individual partial signature sj is verified by:gsj ¼ rjye

j ðmod pÞ, where yj ¼ gxj is calcu-lated using the witnesses for VSS as in [5].


Same as described in Section 5.4, except that thesignature on the certificate is verified using Schnorrsignature verification.

7. Threshold BLS based access control

We now describe the access control mechanism(referred to as TS-BLS10) based on the thresholdBLS [4] scheme of [2].

7.1. BLS signature scheme

Boneh et al. [4] proposed a short signaturescheme (referred to as BLS). BLS uses the system-wide parameters ðp; Fp; a; b; P ; qÞ based on EllipticCurves (EC). The curve is represented by a equa-tion: y2 = x3 + ax + b. G1 is set to be a group oforder q generated by P, G2 is a subgroup of F�p2 oforder q, and e : G1 �G1 ! G2 is defined to bea public bilinear mapping, satisfying eðaP ; bQÞ ¼eðP ;QÞab and non-degeneracy, eðP ; P Þ 6¼> 1 for alla; b 2 Z�q and P ;Q 2 G1. Also, H 1 : f0; 1g� ! G1 isthe hash function that maps binary strings to non-zero points in G1. All of this information is pub-lished. In brief, the BLS signature scheme operatesas follows:

1. Key generation. Pick random x 2 Z�q and computeQ = xP. x is the private key and Q is the corre-sponding public key.

2. Signing. To sign a message m, compute s =xH1(m), where H1 is a special hash function thatmaps binary strings onto points in G1. s is the sig-nature on m.

3. Verification. Given (P,Q,m, s), check if eðQ;H 1ðmÞÞ ¼ eðP ; sÞ.

7.2. Bootstrapping

Similar to TS-DSA and TS-Sch, TS-BLS can beinitialized by either: (1) a trusted dealer or (2) agroup of (2t � 1) or more founding members. Thebootstrapping procedure is exactly the same as inTS-DSA. Only difference is that the VSS operationsare performed in the elliptic curve domain andthreshold BLS signing is used to issue certificates.


Let n (P2t � 1) be the number of current groupmembers. The protocol steps are described belowand Fig. 4 shows the protocol message flow.

1. Same as the step (1) in Section 5.3.2. Group members who participate in admission

reply with their respective GMCis to Pn+1 alongwith its signature.

3. Pn+1 picks t out of t 0 (Pt) sponsors, forms a listSLn+1 which contains the ids of t sponsors, signsit, and sends it to each Pj.

4. Each sponsoring member computes the partialsignature sj and the shuffled partial share of thesecret ~xðjÞnþ1 such that sj = xjH1(m) and ~xðjÞnþ1 ¼xjkjðidnþ1Þ þ Rjkjð0Þ ðmod qÞ. Note that, unlikeTS-DSA and TS-Sch, sj is computed withoutLagrange coefficient kj(0) which means that TS-BLS signing does not require any interactionamong t sponsoring members.

5. Pn+1 first computes the signature s and its sharexn+1 such that s ¼

Ptj¼1sjkjð0Þ ¼

Ptj¼1ðxjkjð0ÞÞ

H 1ðmÞ ¼ xH 1ðmÞ and xnþ1 ¼Pt

j¼1~xðjÞnþ1 ðmod qÞ.

Pn+1 verifies the signature s using normal BLSverification. Also, Pn+1 verifies xn+1 using the fol-lowing ECC-version of VSS protocol such thatxnþ1P ¼

Pt�1i¼0ðidnþ1ÞiW i. If it succeeds, Pn+1 cre-

ates its membership certificate GMCn+1 whichcontains m = {idn+1,PKn+1, etc.} and s. If verifi-cation fails, Pn+1 traces sj and ~xðjÞnþ1 using tech-niques presented in the following:(a) Partial share tracing. Correctness of partial

secret share ~xðjÞnþ1 can be checked using10 The identity-based version of this scheme appeared in [38].


Autho

r's

pers

onal

co

pythe following ECC-version of the VPSStechnique: ~xðjÞnþ1P ¼ kjðidnþ1Þ

Pt�1i¼0ðidjÞiW iþ

kjð0ÞRjP .(b) Partial signature tracing. Correctness of each

partial signature sj can be verified byeðsj; PÞ ¼ eðH 1ðmÞ; kjð0Þ

Pt�1i¼0idi

jW iÞ.


Same as described in Section 5.4, except that thesignature on the certificate is verified using BLS sig-nature verification.

8. Performance evaluation

In this section, we compares the three access con-trol mechanisms, TS-DSA, TS-Sch, and TS-BLS, interms of their respective key features and theirperformance.

8.1. Complexity comparison

Table 2 summarizes the key features of eachmechanism. In TS-DSA, (2t � 1) signers are requiredto tolerate (t � 1) faults, while t partial shares are

needed to reconstruct the secret share for joining.Both TS-Sch and TS-BLS schemes require t partialsignatures as well as t partial shares. Thus, to com-plete admission protocol, the group populationshould be at least (2t � 1) in TS-Sch and TS-BLSprotocols, and (3t � 2) in TS-DSA. Both TS-DSAand TS-Sch require, by construction, the generationof a random value (and in turn interaction) amongsponsors, while TS-BLS has a fully non-interactive

signature generation.Table 3 compares computation and communica-

tion costs of the three protocols11. As with compu-tation costs, for admission, TS-DSA and TS-Schrequire O(t2) exponentiations. TS-BLS requiresO(t2) M operations (which are computationallyequivalent to modula exponentiations in finitefields) and 2 P operations. For traceability, TS-DSA and TS-Sch schemes require O(t2) exponentia-tions, while TS-BLS requires O(t2) M and 2t Poperations. This means that TS-DSA and TS-Schshould perform better than TS-BLS as far as

Fig. 4. TS-BLS admission protocol.

11 The costs required for protecting each protocol message arenot taken into account since these costs vary with the specificsignature scheme.


Autho

r's

pers

onal

co

pytraceability is concerned. For membership authenti-cation, both TS-DSA and TS-Sch requires 2 expon-entiations. On the other hand, TS-BLS requires 2 Poperations.

In terms of overall communication costs, all pro-tocols require at least O(t2) unicasts and consumeO(t2 logq + t logp) bits. However, we observe thatTS-DSA requires significantly more rounds andhigher bandwidth.

8.2. Experimental setups

We now describe the experimental testbeds formeasuring the performance of our proposed proto-cols. We ran experiments in a real wireless MANETenvironment and also measured energy costs foreach scheme with power measuring system below.

8.2.1. Wireless mobile ad hoc networksWe used five laptop computers for our wireless

experimental set-up: four laptop computers withPentium-3 800 MHz CPU and 256 MB memoryand one laptop computer with Mobile Pentium

1.8 GHz CPU and 512 MB memory. Each machineis configured with 802.11b in ad hoc mode and runsthe Optimized Link State Routing Protocol (OLSR)[29]. Each machine runs Linux kernel 2.4. To simu-late more than five nodes using just five laptops, weran more than one client process on each laptop.

8.2.1.1. Effect of mobility. Node mobility certainlyaffects the performance of our access control mech-anisms. Clearly, if nodes move around (and becomeunreachable to each other and to the joining node)while the protocol is in execution, the protocolmight not terminate successfully. On the otherhand, mobility can help the joining node to moveto a new, more dense location, where it has enoughneighbors to sponsor its admission.

In our experimental evaluation to follow, we didnot include the affect of mobility due to the follow-ing reason: our evaluation measures the protocol(computation, communication, power) overheadunder the assumption that the protocol successfullyterminates, i.e., under the assumption that the join-ing node has enough online neighbors available forthe duration the protocol is executed. In otherwords, we assume that the nodes who sponsoradmission do not move around (and becomeunreachable to each other and to the joining node)during the execution of the protocol.

8.2.2. Power measurement systems

To measure consumption of battery power, weconfigured the following equipment, as shown inFig. 5. The test machine was an iPAQ (modelH5555) running Linux (Familiar-0.7.2). The CPU

Table 2Feature comparison

Key features TS-DSA TS-Sch TS-BLS

Security (foradmission)

DL DL EC-DL

Minimum group size 3t � 2 2t � 1 2t � 1DoS resistance Yes Yes YesInteraction among

sponsors requiredYes Yes No

PSRS required Yes Yes Yes

Table 3Computation and communication complexities

Category TS-DSA TS-Sch TS-BLS

Computation Admission E 5t2 + 6t t2 + 2t + 3 N/AM N/A N/A 2t2 + t + 1P N/A N/A 2

Traceability E 3t2 + 9t � 3 2t2 + 5t N/AM N/A N/A 2t2 + 3t

P N/A N/A 2t

Membership Authentication E 2 2 N/AM N/A N/A 3P N/A N/A 2

Communication Round Broadcast 1 1 1Unicast 4t2 t2 + 2t t2 + 2t

Bandwidth logq-bit 5t2 + 4t � 3 2t2 + 3t 2t2 + 2t

logp-bit 14t � 7 6t 3t

E: modular exponentiation, M: scalar-point-multiplication in ECC, P: Tate pairing operation in ECC.


Autho

r's

pers

onal

co

py

on the iPAQ is a 400 MHz Intel XScale with 48MBof flash memory and 128MB of SDRAM. Inorder to obtain accurate power measurements, weremoved the battery from the iPAQ during theexperiment and placed a resistor in series withpower supply. We used a National InstrumentsPCI DAQ (Data AcQuisition) board to sample thevoltage drops across the resistor to calculate the cur-rent at 1000 samples per second.

8.3. Test methodology

1. Parameter selection. To perform fair compari-sons, the size of the parameter q was set to be160-bit and p to be 1024-bit except for TS-BLS.For TS-BLS experiments, we used the ellipticcurve E defined by the equation: y2 = x3 + 1 overFp with p > 3 a prime satisfying p = 2 (mod) 3and q being a prime factor12 of p + 1. The param-eter p is a 512-bit prime in order to make surethat the security of pairing e is equivalent tothe security as in finite field of 1024 bits.13 Themeasurements were performed with different

threshold values t from 1 to 9. We used 1024-bit RSA signature with the fixed public exponent65537 (= 216 + 1) for protocol message authenti-cation. All experiments were repeated 1000 timesfor each measurement in order to get fairly accu-rate average results.14

2. Test cases. We measured the respective costs ofadmission, energy consumption (of admission),traceability, and membership authentication.

8.4. Basic operations

We first present the costs of the primitive opera-tions in Table 4. For measuring the costs of basicoperations, we used a machine with Mobile Pentium1.8 GHz CPU and 512 MB memory.

8.5. Experimental results

We now present and discuss the performancemeasurement results for the proposed TS-DSA,TS-Sch and TS-BLS schemes.

8.5.1. Admission results

Fig. 6a shows the admission cost with varyingthreshold for TS-DSA, TS-Sch and TS-BLS schemes.The admission costs also include the verification ofthe membership certificate and the secret share.

As shown in Fig. 6a, TS-BLS exhibits appreciablybetter performance that TS-DSA. The results implythat the amount of communication in TS-DSA

Fig. 5. Power measurement testbed.

12 By Euler’s theorem, q must divide #EðFpÞ. For the curvey2 = x3 + 1, #EðFpÞ ¼ p þ 1.13 The G1 is a subgroup of points generated by P such that

P 2 EðFpÞ. The G2 is a subgroup of F�p2 of order q. The bilinearmap e : G1 �G1 ! G2 is the well-known Tate pairing. Comput-ing discrete log in Fp2 is sufficient for computing discrete log inG1. Therefore, for proper security of discrete log in Fp2 the primep should be at least 512-bits long (so that the group size is at least1024-bits long). 14 The source code is publicly available at [32].


Autho

r's

pers

onal

co

pycontributes significantly to the overall cost of admis-sion, although computation-wise it is still quite effi-cient (see Table 3).

8.5.2. Energy consumption resultsThis experiment is quite tricky to measure fairly.

The energy consumption is directly proportional tothe processing time and thus it is meaningless tomeasure energy consumption with all the test cases

above. However, it is well known that, in manysmall devices such as low-end MANET nodes orsensors, sending a single bit is roughly equivalentto performing 1000 32-bit computations in termsof batter power consumption [1]. Therefore, wemeasured power consumption in terms of communi-cation bandwidth required by each admission pro-tocol. For more details, we sent some bulk data(e.g., 100 Mbytes) from a single iPAQ PDA (referto Fig. 5), measured power consumed while sendingout this data, and then computed the average powerconsumption per bit. After that, we calculatedpower consumption of each admission protocol bymultiplying this measurement result by the bitlength of the transmitted data.

Energy consumption results are plotted inFig. 6b. These results clearly illustrate that TS-BLS is the most energy-efficient, since they requirethe smallest amount of bandwidth amongst therespective admission protocols.

Table 4Costs of primitive operations (Mobile Pentium 1.8 GHz)

Function Modulus(bits)

Exponent(bits)

Average time(ms)

Signing DSA 1024 160 2.58Schnorr 1024 160 2.20BLS 512 160 4.81

Verification DSA 1024 160 4.17Schnorr 1024 160 4.20BLS 512 160 27.05

0

5

10

15

20

25

987654321

Ave

rage

Pro

cess

ing

Tim

e (in

sec

onds

)

Admision Threshold (t)

TS-DSATS-SchTS-BLS

0

50

100

150

200

250

300

350

400

987654321

Con

sum

ed E

nerg

y (in

μJ)


TS-DSATS-SchTS-BLS

0

0.2

0.4

0.6

0.8

1

1.2

1.4

1.6

1.8

2

987654321

Ave

rage

Pro

cess

ing

Tim

e (in

sec

onds

)


TS-DSATS-SchTS-BLS

1

10

100

1000

987654321

Ave

rage

Pro

cess

ing

Tim

e (in

mill

isec

onds

)


(loga

rithm

ic s

cale

)

TS-DSATS-SchTS-BLS

Fig. 6. Cost comparison: (a) member admission, (b) energy consumption, (c) traceability and (d) membership authentication.


Autho

r's

pers

onal

co

py

8.5.3. Traceability results

Traceability costs are presented in Fig. 6c. Due tothe costly computation of Tate pairings, TS-BLSperforms poorly, as compared to TS-DSA and TS-Sch. However, since the misbehavior in the admis-sion protocol leads ultimately to the eviction ofthe corresponding group member, we argue thattraceability is a rare exceptional measure; thus weconsider its costs to be relatively unimportant.

8.5.4. Membership authentication results

The costs of membership authentication areshown in Fig. 6d. The results show that costs forTS-DSA and TS-Sch are very close to each otherand relatively constant while TS-BLS cost is veryhigh due to expensive pairing operation.

9. Conclusion

In this paper, we explored the utility of variousexisting threshold signature schemes in building dis-tributed access control mechanisms for ad hocgroups. We first showed that none of the threshold(or proactive) RSA signature schemes in the litera-ture are applicable for our purpose. Next, we imple-mented three access control mechanisms basedon discrete-logarithm based threshold signatures,threshold DSA (TS-DSA), threshold Schnorr(TS-Sch) and threshold BLS (TS-BLS), and evalu-ated them in a real MANET setting. Based on ourevaluation, we conclude that overall TS-Sch is themost efficient mechanism, followed by TS-BLS andTS-DSA.

Appendix A. Cryptographic primitives

A.1. Threshold secret sharing (TSS)

In this section, we present Shamir’s secret sharingscheme [41] which is based on polynomial interpola-tion. We will refer to it as TSS. To distribute sharesof a secret x among n entities, a trusted dealer TD

chooses a polynomial f(z) over Zq of degreeðt � 1Þ : f ðzÞ ¼

Pt�1i¼0aizi ðmod qÞ, where the con-

stant term a0 is set to the group secret x;f(0) = a0 = x. TD computes each entity’s share xi

such that xi = f(idi), where idi is an identifier ofentity Pi, and securely transfers xi to Pi. Note thatafter distributing at least t secret shares, the dealeris no longer required.

Then, any group of t entities who have theirshares can recover the secret using the Lagrange

interpolation formula: f ðzÞ ¼Pt

i¼1xikiðzÞ ðmod qÞ,where kiðzÞ ¼

Qtj¼1;j 6¼i

z�idj

idi�idjðmod qÞ. Since f(0) =

x, the shared secret may be expressed as:x ¼ f ð0Þ ¼

Pti¼1xi kið0Þ ðmod qÞ. Thus, the secret

x can be recovered only if at least t shares are com-bined. In other words, no coalition of less than tentities yields any information about x.

A.2. Joint secret sharing (JSS)

This scheme (due to Pederson [31]), denoted byJSS, extends Shamir’s secret sharing by removingthe need for a centralized dealer to choose a polyno-mial and distribute shares. In this scheme, the enti-ties collectively choose shares corresponding toShamir’s secret sharing of a random value withoutthe dealer. The main idea here is that the polyno-mial itself is shared such that f(z) = f1(z) + � � � +fn(z), where fi(z) is the polynomial of each entityPi over Zq.

Suppose there are n entities in a system(P1, . . . ,Pn). It will be assumed that all entities ofthe group have previously agreed on the prime q.Each Pi chooses at random a polynomial fiðzÞ 2Zq of degree (t � 1) such that fi(0) = ri where ri isa random secret that Pi selects. Let fi(z) = ai0 +ai1z + � � � + ai,t�1zt�1 (mod q), where ai0 = ri. Pi

computes Pj’s share xðiÞj ¼ fiðidjÞ for Pj (j 2 [1, n]),and securely sends it to Pj (in particular Pi keepsxðiÞi ). Note that the share values should be transmit-ted over the secure channel. Pj computes its share xj

of the secret x as the sum of all shares received:xj ¼

Pni¼1xðiÞj .

Let f(z) denote the combined polynomial over Zq.It is given by: f(z) = f1(z) + � � � + fn(z) (mod q). Byconstruction xj = f(idj) for j 2 [1,n], and thereforexj is a share of x such that xj ¼ f ðidjÞ ¼Pn

i¼1fiðidjÞ ¼Pn

i¼1xðiÞj and x ¼ f ð0Þ ¼Pn

i¼1fið0Þ ¼Pni¼1ai0 ¼

Pni¼1ri ðmod qÞ. Once every entity has

its own share, any coalition of t entities can jointlyrecover the secret x using Lagrange interpolationas in TSS in Appendix A.1.

A.3. Joint zero secret sharing (JZSS)

This scheme, which first appeared in [15], is a var-iant of joint secret sharing where the shared secret iszero. In other words, this scheme is the same asJSS except that in first step, each entity picks arandom (t � 1)-degree polynomial fiðzÞ 2 Zq suchthat fi(0) = 0. We refer to it as a Joint Zero SecretSharing, denoted by JZSS. It is used in proactive


Autho

r's

pers

onal

co

py

secret sharing and partial share random shuffling forre-randomizing a secret share.

A.4. Verifiable secret sharing (VSS)

If we suppose that some entities can become mali-cious or compromised by an adversary, they mayattempt to ‘‘cheat’’ by using incorrect secret sharesin order to deny/disrupt the service. To remedy thesituation, a more advanced technique, Verifiable

Secret Sharing [8], denoted by VSS, can be used. Itbasically provides a means to detect incorrect secretshares. To be more specific, VSS setup involves twolarge primes p and q, and an element g 2 Z�p chosenin a way that q divides p � 1 and g is an element ofZ�p which has order q. The procedure for the TD todistribute the shares is the same as in AppendixA.1. VSS is achieved by the following procedure:

1. Witness generation. The TD randomly selects apolynomial f ðzÞ ¼

Pt�1i¼0aizi, computes secret

shares xi, and transfers them to each entitysecurely. Also, TD chooses an element g 2 Z�pof order q, and computes Wi, for i 2 [0, t � 1],called witness, such that W i ¼ gai : Then, TD pub-lishes these Wis in some public domain (e.g., adirectory server).15

2. Share verification. When each entity Pi receivesits share xi, it verifies xi by checking: gxi ¼Qt�1

j¼0½W j�ðidiÞj ðmod pÞ.

A.5. Partial secret sharing (PSS)

As a result of secret sharing, each honest entity Pi

obtains a secret share xi. Then, the share xn+1 for aprospective entity Pn+1 can be computed throughcollaboration of t existing entities in the group whenthe TD is no longer available. We call this a Partial

Secret Share, referring it to as PSS. Pn+1 receives t

partial shares xðjÞnþ1s from a set of t entities calledsponsors. It will be assumed that the t number ofindices, j (= 1, . . . , t), are given to each Pj by Pn+1.The details are as follows: each Pj computes a

partial secret share for Pn+1 as: xðjÞnþ1 ¼ xj�kjðidnþ1Þ ðmod pÞ, where xj is Pj’s own secret share.

Then, Pj securely sends xðjÞnþ1 to Pn+1. Given t partialshares and an identity of Pn+1, the secret share

xn+1 can be computed: xnþ1 ¼Pt

j¼1xðjÞnþ1 ¼Pt

j¼1xj�h

kjðidnþ1Þiðmod qÞ. Recall that f ðzÞ ¼

Pti¼1xikiðzÞ

and xn+1 = f(idn+1).

A.6. Partial share random shuffling (PSRS)

In PSS the above, Pn+1 needs to be provided (in adistributed manner) with its share xn+1 of the groupsecret x. However, in case that each sponsor Pj issuesPn+1 a partial secret share xðjÞnþ1 such that xðjÞnþ1 ¼xjkðidnþ1Þ, Pn+1 (or an adversary who corruptsPn+1) can easily recover each xj and in turn the groupsecret x, since Lagrange coefficients kj(idn+1) are pub-

licly known, Pn+1 can obtain xj by dividing xðjÞnþ1 bykj(idn+1). To remedy this, Pjs must randomize theissued partial shares. We call this procedure as Partial

Share Random Shuffling, denoted by PSRS.The detailed procedure is as follows. All of the t

sponsors perform the JZSS, as in Appendix A.3, bysetting the constant term of their respective polyno-mials to zero. Also, the witness values of the polyno-mials are broadcast to enable VSS. At the end ofJZSS, every Pj possesses a random share Rj of theshared secret zero. Now, Pj provides the shuffled par-tial secret share ~xðjÞnþ1 for P nþ1 : ~xðjÞnþ1 ¼ xðjÞnþ1 þ Rjkjð0Þ ¼xjkjðidnþ1Þ þ Rjkjð0Þ ðmod qÞ. Since

Ptj¼1Rjkjð0Þ¼

0, Pn+1’s secret share xn+1 is given by xnþ1¼Pt�1

j¼0~xðjÞnþ1.

A.7. Verifiable partial secret sharing (VPSS)

The idea of VSS can be easily extended to verifycorrectness of partial shares that Pn+1 receives fromsponsors. We call this a Verifiable Partial Secret Shar-

ing, referred to as VPSS. Since ~xðjÞnþ1 ¼ xjkjðidnþ1ÞþRjkjð0Þ where Rj is the random number for the PSRStechnique as explained above, to check if ~xðjÞnþ1 is cor-rectly computed and trace which of the Pjs sent backfalse values, if any, following equation is verified:

g~xðjÞnþ1 ¼

Qt�1k¼0ðW kÞid

kj

h ikjðidnþ1ÞgRjkjð0Þ ðmod pÞ, where

gRj is computed using the broadcast witness valuesof the shared polynomial among the sponsors.

Appendix B. Threshold RSA scheme of[23,21,20,24,22]

A TD is involved in a one-time setup to bootstrapthe system. TD generates the standard RSA private/public key pair, i.e., it picks two random primes p

and q, sets N = pq, sets (e,N) as a public key wheregcd(e,N) = 1, and as a private key it sets a numberd < N s.t. ed = 1 mod /(N). Once the standard

15 In case of JSS, where the group polynomial is jointly selectedby the entities, this step is carried out by each of the entitiesindividually.


Autho

r's

pers

onal

co

py

RSA key pair is chosen, TD secret-shares the RSAsecret key d using a slight modification of TSS.Namely, TD selects a random polynomial f(z) =a0 + a1z + � � � + atz

t over ZN of degree t, such thatthe group secret is f(0) = d (mod N). Next, TD givesto each member Pi, for i = 1, . . . ,n, a secret sharexi = f(idi) (mod N). Notice that the secret d is sharedover a public composite modulus N as opposed to aprime modulus as in the original scheme of Shamirand a secret modulus /(N) in Shoup’s scheme. Sincethere may be compromised members who can gen-erate false shares and false signatures thereafter,the dealer provides a witness of f(z) which is repre-sented by fga0 ; ga1 ; . . . ; gat�1gðmod NÞ for a certaing 2 Z�N , and publishes it for VSS [8].

Fig. 7 shows the message flows for the admissionprotocol. Each member Pj, for idj 2 SLn+1, outputsits partial signature sj on m as sj ¼ mdj ðmod NÞ,where dj = xjkj(0) (mod N). In addition, Pj also pro-vides Pn+1 with its partial secret share ~xðjÞnþ1 (com-puted over modulus N) after shuffling using PSRS.Pn+1 reconstructs the RSA signature using the t-

bounded offsetting algorithm (refer to [21] fordetails) and its secret share xn+1 such that xnþ1 ¼P

idj2SLnþ1~xðjÞnþ1 ðmod NÞ.

References

[1] K. Barr, K. Asanovic, Energy aware lossless data compres-sion, in: International Conference on Mobile Systems,Applications, and Services (MobiSys), May 2003.

[2] A. Boldyreva, Efficient threshold signatures, multisignaturesand blind signatures based on the Gap-Diffie-Hellman-groupsignature scheme, in: Proceedings of International Work-shop on Practice and Theory in Public Key Cryptography,LNCS, vol. 2567, 2003, pp. 31–46.

[3] D. Boneh, M. Franklin, Efficient generation of shared RSAkey, in: CRYPTO’97, LNCS, vol. 1294, 1997, pp. 425–439.

[4] D. Boneh, B. Lynn, H. Shacham, Short signatures from theWeil pairing, in: C. Boyd (Ed.), ASIACRYPT’01, LNCS,vol. 2248, 2001, IACR, pp. 514–532.

[5] C. Castelluccia, N. Saxena, J.H. Yi, Self-configurable keypre-distribution in mobile ad hoc networks, in: IFIPNetworking Conference, May 2005.

[6] Y. Desmedt, Y. Frankel, Threshold Cryptosystems, in:CRYPTO’89, LNCS, vol. 435, 1990, pp. 307–315.

[7] T. El Gamal, A public key cryptosystem and a signaturescheme based on discrete logarithms, in: IEEE Transactionson Information Theory, vol. 31 (July), 1985, pp. 469–472.

[8] P. Feldman, A practical scheme for non-interactive verifiablesecret sharing, in: 28th Symposium on Foundations ofComputer Science (FOCS), 1987, pp. 427–437.

[9] Y. Frankel, P. Gemmell, P.D. MacKenzie, M. Yung,Proactive RSA, in: CRYPTO’97, LNCS, vol. 1294 (August),1997, pp. 440–454.

[10] Y. Frankel, P.D. MacKenzie, M. Yung. Adaptive securityfor the additive-sharing based proactive RSA, in: Public KeyCryptography 2001, LNCS, vol. 1992, 2001, pp. 240–263.

[11] R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, Robustthreshold DSS signatures, in: EURO-CRYPT’96, LNCS,vol. 1070, 1996, pp. 354–371.

[12] R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin. Secureapplications of Pedersen’s distributed key generation protocol,in: RSA Conference – The Cryptographers’ Track, April 2003.

[13] M.T. Goodrich, M. Sirivianos, J. Solis, G. Tsudik, E. Uzun,Loud and Clear: Human-verifiable authentication based onaudio, in: International Conference on Distributed Comput-ing Systems (ICDCS), July 2006. Available from: <http://www.ics.uci.edu/ccsp/lac>.

[14] A. Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk, M.Yung, Proactive public key and signature systems, in: ACMConference on Computers and Communication Security,1997.

[15] A. Herzberg, S. Jarecki, H. Krawczyk, M. Yung, Proactivesecret sharing, or how to cope with perpetual leakage, in:CRYPTO’95, LNCS, vol. 963, 1995, pp. 339–352.

[16] R. Housley, W. Polk, W. Ford, D. Solo, Internet X.509public key infrastructure certificate and certificate revocationlist (CRL) profile, RFC 3280, IETF, April 2002.

[17] Y.-C. Hu, A. Perrig, D. B. Johnson, Ariadne: a secure on-demand routing protocol for ad hoc networks, in: Proceed-ings of the Eighth ACM International Conference on MobileComputing and Networking (Mobicom 2002), September2002.

[18] S. Jarecki, N. Saxena, J.H. Yi, An attack on the proactiveRSA signature scheme in the URSA ad hoc network accesscontrol protocol, in: ACM Workshop on Security of Ad Hocand Sensor Networks (SASN), October 2004, pp. 1–9.

[19] Y. Kim, D. Mazzocchi, G. Tsudik, Admission control inpeer groups, in: IEEE International Symposium on NetworkComputing and Applications (NCA), April 2003.

[20] J. Kong, H. Luo, K. Xu, D.L. Gu, M. Gerla, S. Lu, Adaptivesecurity for multi-level ad-hoc networks, Journal of WirelessCommunications and Mobile Computing (WCMC) 2 (2002)533–547.

[21] J. Kong, P. Zerfos, H. Luo, S. Lu, L. Zhang, Providingrobust and ubiquitous security support for MANET, in:IEEE 9th International Conference on Network Protocols(ICNP), 2001, pp. 251–260.

[22] H. Luo, J. Kong, P. Zerfos, S. Lu, L. Zhang, URSA:ubiquitous and robust access control for mobile ad hocnetworks, in: IEEE/ACM Transactions on Networking(ToN), December 2004.

[23] H. Luo, S. Lu, Ubiquitous and robust authenticationservices for ad hoc wireless networks, Technical ReportTR-200030, Department of Computer Science, UCLA, 2000.Available online at <http://citeseer.ist.psu.edu/luo00ubiqui-tous.html>.

[24] H. Luo, P. Zerfos, J. Kong, S. Lu, L. Zhang, Self-securing adhoc wireless networks, in: Seventh IEEE Symposium onComputers and Communications (ISCC’02), 2002.

Fig. 7. TS-RSA admission protocol.


Autho

r's

pers

onal

co

py

[25] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbookof applied cryptography, CRC Press series on discretemathematics and its applications, 1997, ISBN 0-8493-8523-7.

[26] M. Narasimha, G. Tsudik, J.H. Yi, On the utility ofdistributed cryptography in P2P and MANETs: the case ofmembership control, in: IEEE International Conference onNetwork Protocol (ICNP), November 2003, pp. 336–345.

[27] NIST, Digital Signature Standard. Technical Report 169,August 1991.

[28] K. Ohta, S. Micali, L. Reyzin, Accountable subgroupmultisignatures, in: ACM Conference on Computer andCommunications Security, November 2001, pp. 245–254.

[29] OLSR Protocol, <http://menetou.inria.fr/olsr>.[30] R. Ostrovsky, M. Yung, How to withstand mobile virus

attacks, in: 10th ACM Symp. on the Princ. of Distr. Comp.,1991, pp. 51–61.

[31] T.P. Pedersen, A threshold cryptosystem without a trustedparty, in: D. Davies (Ed.), EURO-CRYPT’91, LNCS, vol.547, 1991, IACR, pp. 552–526.

[32] Peer Group Admission Control Project. <http://sconce.ic-s.uci.edu/gac>.

[33] A. Perrig, R. Szewczyk, V. Wen, D. Culler, J.D. Tygar,Spins: security protocols for sensor networks, in: MobileComputing and Networking, 2001.

[34] D. Pointcheval, J. Stern, Security proofs for signatureschemes, in: EUROCRYPT’96, LNCS, vol. 1070, May1996, pp. 387–398.

[35] T. Rabin, A simplified approach to threshold and proactiveRSA, in: CRYPTO’98, LNCS, vol. 1462, 1998, pp. 89–104.

[36] N. Saxena, J.-E. Ekberg, K. Kostiainen, N. Asokan, Securedevice pairing based on a visual channel (short paper), in:IEEE Symposium on Security and Privacy (ISP’06), May2006.

[37] N. Saxena, G. Tsudik, J.H. Yi, Admission control in peer-to-peer: design and performance evaluation, in: ACM Work-shop on Security of Ad Hoc and Sensor Networks (SASN),October 2003, pp. 104–114.

[38] N. Saxena, G. Tsudik, J.H. Yi, Identity-based access controlfor ad-hoc groups, in: International Conference on Infor-mation Security and Cryptology (ICISC), December 2004.

[39] C.P. Schnorr, Efficient signature generation by smart cards,Journal of Cryptology 4 (3) (1991) 161–174.

[40] B. Schoenmakers, A simple publicly verifiable secret sharingscheme and its application to electronic voting, in: M.Wiener (Ed.), CRYPTO’99, LNCS, 1666, 1999, IACR, pp.148–164.

[41] A. Shamir, How to share a secret, Communications of theACM 22 (11) (1979) 612–613.

[42] V. Shoup, Practical Threshold Signatures. In EURO-CRYPT’00, LNCS, vol. 1807, 2000, pp. 207–220.

[43] M. Steiner, G. Tsudik, M. Waidner, Cliques: a new approachto group key agreement, IEEE Transactions on Parallel andDistributed Systems (August) (2000).

[44] M. Steiner, G. Tsudik, M. Waidner, Key agreement indynamic peer groups, IEEE Transactions on Parallel andDistributed Systems (July) (2000).

[45] L. Zhou, Z.J. Haas, Securing ad hoc networks, IEEENetwork Magazine 13 (6) (1999) 24–30.

[46] L. Zhou, F. Schneider, R. van Renesse, COCA: a securedistributed on-line certification authority, ACM Transac-tions on Computer Systems 20 (4) (2002) 329–368.

Nitesh Saxena is an Assistant Professorin the department of Computer andInformation Science at PolytechnicUniversity, starting Fall 2006. Heobtained his Ph.D. in Information andComputer Science from University ofCalifornia, Irvine, in summer 2006. Heholds an M.S. degree in Computer Sci-ence from UC Santa Barbara, and aBachelor’s degree in Mathematics andComputing from Indian Institute of

Technology, Kharagpur, India. His research spans all areas ofinformation security with core emphasis on network and dis-tributed system security and applied cryptography. His Ph.D.dissertation entitled Decentralized Security Services’’ has beennominated for the ACM Dissertation Award for the year 2006.

Gene Tsudik is a Professor of ComputerScience at the University of California,Irvine. He has been conducting researchactive in internetworking, network secu-rity and applied cryptography since1987. He obtained a Ph.D. in ComputerScience from USC in 1991; his disserta-tion focused on access control in inter-networks. Before coming to UC Irvine in2000, he was a Project Leader at IBMResearch, Zurich Laboratory (1991–

1996) and USC Information Science Institute (1996–2000). Overthe years, his research interests included: routing, firewalls,authentication, mobile/wireless network security, secure e-com-merce, anonymity, secure group communication, digital signa-tures, key management, ad hoc network routing, and, morerecently, database privacy and secure storage. Some of ProfessorTsudiki s notable research contributions include: Inter-DomainPolicy Routing (IDPR), IBM Network Security Program(KryptoKnight), IBM Internet Keyed Payment (iKP) protocols,Peer Group Key Management (CLIQUES) and MediatedCryptographic Services (SUCSES). He has over 100 refereedpublications and 7 patents. Since 2002 he has been serving asAssociate Dean of Research and Graduate Studies in the DonaldBren School of Information and Computer Sciences at UCI. Heis a member of the IEEE.

Jeong Hyun Yi is a principal researcherat Samsung Advanced Institute ofTechnology (SAIT). He received hisPh.D. in Information and ComputerScience with his advisor, Dr. Gene Tsu-dik, from University of California, Irvinein 2005. He received his M.S. and B.S. inComputer Science at Soongsil Univer-sity, Korea in 1995 and 1993, respec-tively. He was a senior researcher atElectronics and Telecommunication

Research Institute (ETRI), Korea from 1995 to 2001 and a guestresearcher at National Institute of Standards and Technology(NIST), MD, USA From 2000 to 2001. His research interests arein network security, applied cryptography, ubiquitous comput-ing, RFID and wireless sensor networks.


Threshold cryptography in P2P and MANETsgts/paps/COMPNW3557.pdfOur work uses group membership certi...

Documents

Transcript of Threshold cryptography in P2P and MANETsgts/paps/COMPNW3557.pdfOur work uses group membership certi...