We show the first proactive RSA scheme with a fully non-interactive signature protocol. The scheme is secure and robust with the optimal threshold of t ∈t among n trustees which implement a proactive RSA scheme, the trustees do not need to communicate between each other, and simply respond with a single "partial signature" message to the requester, who can reconstruct the standard RSA signature from the first t∈+∈1 responses he receives. The computation costs incurred by each party are comparable to standard RSA signature computation. Such non-interactive signature protocol was known for threshold RSA [1], but previous proactive RSA schemes [2,3] required all trustees to participate in the signature generation, which made these schemes impractical in many networking environments. On the other hand, proactivity, i.e. an ability to refresh the secret-sharing of the signature key between the trustees, not only makes threshold cryptosystems more secure, but it is actually a crucial component for any threshold scheme in practice, since it allows for secure replacement of a trustee in case of repairs, hardware upgrades, etc. The proactive RSA scheme we present shows that it is possible to have the best of both worlds: A highly practical non-interactive signature protocol and an ability to refresh the secret-sharing of the signature key. This brings attack-resilient implementations of root sources of trust in any cryptographic scheme closer to practice. © 2008 Springer-Verlag Berlin Heidelberg.
CITATION STYLE
Jarecki, S., & Olsen, J. (2008). Proactive RSA with non-interactive signing. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 5143 LNCS, pp. 215–230). https://doi.org/10.1007/978-3-540-85230-8_20
Mendeley helps you to discover research relevant for your work.