Threshold RSA for Dynamic and AdHoc Groups.pdfVIP

Threshold RSA for Dynamic and Ad-Hoc Groups Rosario Gennaro, Shai Halevi, Hugo Krawczyk, Tal Rabin IBM T.J.Watson Research Center Hawthorne, NY USA Abstract. We consider the use of threshold signatures in ad-hoc and dynamic groups such as MANETs (“mobile ad-hoc networks”). While the known threshold RSA signature schemes have several properties that make them good candidates for deployment in these scenarios, none of these schemes seems prac- tical enough for realistic use in these highly-constrained environments. In particular, this is the case of the most efficient of these threshold RSA schemes, namely, the one due to Shoup. Our contribution is in presenting variants of Shoup’s protocol that overcome the limitations that make the original protocol unsuitable for dynamic groups. The resultant schemes provide the efficiency and flexibility needed in ad-hoc groups, and add the capability of incorporating new members (share-holders) to the group of potential signers without relying on central authorities. Namely, any threshold of existing members can cooperate to add a new member. The schemes are efficient, fully non-interactive and do not assume broadcast. 1 Introduction A distributed signature scheme is a protocol where the ability to sign is distributed among a group of entities, so that a sufficiently large subset can produce valid signatures while a “small” subset cannot generate such a signature. These schemes are often referred to as t-out-of-n threshold signatures where n is the total number of entities and t is the “threshold”. Namely, t +1 cooperating parties can produce a valid signature, but t or less cannot (even if they depart maliciously from t