Proactive RSA with non-interactive signing

Abstract

We show the first proactive RSA scheme with a fully non-interactive signature protocol. The scheme is secure and robust with the optimal threshold of t ∈t among n trustees which implement a proactive RSA scheme, the trustees do not need to communicate between each other, and simply respond with a single "partial signature" message to the requester, who can reconstruct the standard RSA signature from the first t∈+∈1 responses he receives. The computation costs incurred by each party are comparable to standard RSA signature computation. Such non-interactive signature protocol was known for threshold RSA [1], but previous proactive RSA schemes [2,3] required all trustees to participate in the signature generation, which made these schemes impractical in many networking environments. On the other hand, proactivity, i.e. an ability to refresh the secret-sharing of the signature key between the trustees, not only makes threshold cryptosystems more secure, but it is actually a crucial component for any threshold scheme in practice, since it allows for secure replacement of a trustee in case of repairs, hardware upgrades, etc. The proactive RSA scheme we present shows that it is possible to have the best of both worlds: A highly practical non-interactive signature protocol and an ability to refresh the secret-sharing of the signature key. This brings attack-resilient implementations of root sources of trust in any cryptographic scheme closer to practice. © 2008 Springer-Verlag Berlin Heidelberg.