Proactive RSA

Abstract

Distributed threshold protocols that incorporate proactive maintenance can tolerate a very strong “mobile adversary.” This adversary may corrupt all participants throughout the lifetime of the system in a non-monotonic fashion (i.e., recoveries are possible) but the adversary is limited to the number of participants it can corrupt during any short time period. The proactive maintenance assures increased security and availability of the cryptographic primitive. We present a proactive RSA system in which a threshold of servers applies the RSA signature (or decryption) function in a distributed manner. Our protocol enables servers which hold the RSA key distributively to dynamically and cooperatively self-update; it is secure even when a linear number of the servers are corrupted during any time period; it efficiently maintains the security of the function; and it enables continuous function availability (correct efficient function application using the shared key is possible at any time). A major technical difficulty in "proactivizing" RSA was the fact that the servers have to update the “distributed representation” of an RSA key, while not learning the order of the group from which keys are drawn (in order not to compromise the RSA security). We give a distributed threshold RSA method which permits “proactivization”.