sign in sign up
<<
Home , Cryptographic primitive, Threshold cryptosystem

NISTIR 8214

Threshold Schemes for Cryptographic Primitives Challenges and Opportunities in Standardization and Validation of Threshold

Luís T. A. N. Brandão Nicky Mouha Apostol Vassilev

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 NISTIR 8214

Threshold Schemes for Cryptographic Primitives Challenges and Opportunities in Standardization and Validation of Threshold Cryptography

Luís T. A. N. Brandão Nicky Mouha Apostol Vassilev Division Information Technology Laboratory

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214

March 2019

U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology Walter G. Copan, NIST Director and Under Secretary of Commerce for Standards and Technology National Institute of Standards and Technology Internal Report 8214 63 pages (March 2019)

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.

Comments on this publication may be submitted to: National Institute of Standards and Technology Attn: Computer Security Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930 Email: [email protected] All comments are subject to release under the Freedom of Information Act (FOIA). RIMITIVES P RYPTOGRAPHIC C of its components are compromised. There CHEMESFOR n S ii out of Abstract f HRESHOLD Reports on Computer Systems Technology threshold schemes; secure implementations; cryptographic primitives; threshold The document poses a number of questions, motivating aspects to take into account when This document considers challenges and opportunities related to standardization of This document overviews the possibility of implementing cryptographic primitives using NISTIR8214 T cryptography; secure multi-party computation;resistance intrusion to tolerance; side-channel attacks; distributed standards systems; and validation. testing and validation of implementationsthe are document also major intends concerns to toan support be engagement discussion addressed. from about Overall, stakeholders. standardization, This is including a motivating step towards enabling threshold cryptography Keywords: considering standardization. A particular challengehelp is guide the a development selection of of criteria threshold that cryptographic may schemes. An openfunctionalities) question and is which deciding flexibility at of parametrization they should allow. Suitability to threshold schemes for cryptographic primitives.tradeoffs It under includes variations examples of illustrating system security characterizing model features and of adversaries. threshold It schemes, enumeratescation including several interfaces the high-level (with types the of environment threshold, and the between communi- components), the executing platform attains the desired security goals even if is also an identified potentialexploit in inadvertent providing leakage resistance from against realsecrecy implementations. side-channel of attacks, Security cryptographic which goals keys, of as interest well include as the enhanced integrity and availability, among others. curity depends not only on the theoretical properties of the primitives butresult also on from the differences ability between to ideal and real implementations of cryptographic algorithms. threshold schemes, where multiple components contribute to the operation in a way that security-related information in federal information systems. interested in promoting the security of implementations of cryptographic primitives. This se- leadership for the Nation’s measurement andtest standards methods, infrastructure. reference data, ITL proof developsadvance tests, of the concept implementations, development and and technical productivebilities analyses use include to of the information development technology. ofstandards ITL’s management, and responsi- guidelines administrative, for technical, the and cost-effective physical security and privacy of other than national The Computer Security Division at the National Institute of Standards and Technology is Technology (NIST) promotes the U.S. economy and public welfare by providing technical The Information Technology Laboratory (ITL) at the National Institute of Standards and (e.g., single device vs. multiple devices) and the setup and maintenance requirements. within the US federal government and beyond. what level each standard should be defined (e.g., specific base techniques vs. conceptualized withstand attacks on their implementations. It is thus important to mitigate breakdowns that

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P RYPTOGRAPHIC C CHEMESFOR S iii HRESHOLD Acknowledgments The initial draft of this report was published online on July 26, 2018, for a period of NISTIR8214 T from SRI International; John Wallrabenstein from Analog. Leuven; Gokhan Kocak from Asena Inc.; Oliver Stengele from the Karlsruhe Institute of Universiteit Eindhoven; Yehuda Lindel from Bar-Ilan UniversityRanellucci and from Unbound Tech; Unbound Samuel Tech; Danfrom Bogdanov The from City Cybernetica College AS; of Rosario New Gennaro York; Thalia May Laing from HP Labs; Karim Eldefrawy document. This includes Lily Chen, René Peralta, Ray Perlner, and Andrew Regenscheid. public comments. We have since then received valuable feedback from externalreceived reviewers, (in chronological order) from the following persons: Svetla Nikova from KU Jason Resch and Chrysa Stathatkopoulou from IBM Research; Tanja Lange from Technische Technology; Aivo Kalu from Cybernetica AS; Christian Cachin, Hugo Krawczyk, Tal Rabin, The authors thank their NIST colleagues who reviewed recent or early versions of this which allowed us to improve the quality of the final document. We thank the comments

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P (out of a total number f RYPTOGRAPHIC C CHEMESFOR S iv HRESHOLD Threshold schemes can be used, with different security goals, in different applications. In threshold cryptography, the shares of the do not need to be recombined to compute is a fundamental technique in threshold cryptography. It enables a key (or This report is focused on threshold cryptographic schemes, i.e., threshold schemes used of) components in the system. The topic is related to traditional “threshold cryptography” Executive Summary NISTIR8214 T even if some (but not all) randomness contributors are biased or unavailable. signatures, and Advanced Standard (AES) enciphering and deciphering. For example: (i) implementever a holding digital the signature signing algorithm key; withoutcompromised (ii) component implement any attempts encryption single to and component corrupt decryption the correctly output; even if (iii) one generate unbiased randomness of the output, without revealingby the certain mathematical input properties, shares such tocomputation” as one protocols. homomorphisms, another. or Using the by This threshold cryptographic may property,can “secure the be then output facilitated be from reconstructed the share intoalgorithms, computation a such final as output. Rivest–Shamir–Adleman This (RSA) is and possible Digital to Signature achieve Algorithm for (DSA) NIST-approved depends on a key. Particularly, conventionalalgorithms implementations require of the key-based whole cryptographic key asthen input, the so shared if key would the have key to had be been reconstructed subject for to use secret by sharing thea algorithm. particular result. Instead, the parties independently or collaboratively calculate shares some other secret input) to be split into multiple sharesnumber distributed of across shares, multiple but parties. not fromprotecting fewer. the Thus, secrecy splitting of a athe key key into at key. shares rest, is However, since an this the approach does leakage for of not one solve or the few problem shares does of not how reveal to execute an algorithm that distributed systems. A major goaltations is of enhanced cryptographic protection algorithms. of More secreta generally, keys variety the used of goal by security includes implemen- properties, the such enhancement as of confidentiality, integrity and/or availability. the standardization and validation of security assertions about their implementations. for secure implementations of cryptographic primitives.property In is a threshold tolerant scheme, to some the security n compromise of up to a threshold number potentially disastrous breakdowns resulting frommentations differences of between cryptographic ideal algorithms. and real Theseexploit imple- differences vulnerabilities give rise in to order a to range compromise of diverse aspects attacks of that real-world implementations. subsets of components are compromised. However, they also new challenges for The “threshold” property translates into the ability to reconstruct the key from a threshold Threshold schemes have the potential to enable secure modes of operation even when certain (here adopted as an umbrella term), secure multi-party computation and intrusion-tolerant As cryptography becomes ubiquitous, it becomes increasingly relevant to address the

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P of components. In f RYPTOGRAPHIC C CHEMESFOR S v HRESHOLD , the increased attack surface may enable an attack more f To this end, this document proposes that a basis for discussion and comparison of An abstract security model is not enough to assess the effects of placing a threshold Separating the analysis of different security aspects can sometimes lead to pitfalls. To There are techniques designed to mitigate foreseen compromises in more complicated The security effect of a threshold design may also be different across different properties The computational paradigm in threshold cryptography brings several security advan- NISTIR8214 T include the types of threshold, theand communication the interfaces, setup the and target maintenance computing requirements. platforms, scheme in an adversarialaspects environment. whose variation One may affect also security.sibly needs Such across characterization to different helps application characterize distinguish, contexts, implementation pos- attacks. the resistance provided against certainthreshold classes schemes of should include the description of several characterizing features. These terize different types of attack that a system may be subject to. Specific attacks inthat the breach real specific security properties (e.g., confidentiality of a key) or sets thereof. the number of contemporaneous compromised shares surpasses the compromise threshold. avoid such problems it issame important time, to it use is appropriate relevant toinduces formal assess across models potential different of tradeoffs security security. that properties. At a A the threshold system cryptographic model scheme is also important to charac- scenarios. For example, verifiable secret-sharingshareholder, enables thereby detection enabling of operational misuse modes ofother that shares example, tolerate by proactive this a secret kind sharing of canperiodically corruption. be reducing As used to an- to zero periodically thecompromised reshare number shares a of are secret, compromised erased, thereby shares. the refreshing Assuming makes that it old more un- difficult to reach a state where the corruption of a single shareof (or the of output. a These computation observations dependentby highlight on each the it) threshold need may scheme affect to as the a lookbe integrity possible at a tradeoff the strengthening across of security properties. some benefits In security brought some properties settings while there for may others the assurance may be reduced. promisable via mutually exclusive attack vectors).may provide better On security the even other ife.g., hand, the in a components some threshold are settings/models scheme individually where easier they to are compromise, also easier to patch. of interest. For example, while the compromise of one share might not reveal the original key, threshold scheme depends on andifficult attack it model. may It be is tosome particularly compromise cases, relevant to for more consider example than how with theefficient low threshold and effective number than possible againstthe a nodes conventional in (non-threshold) the primitive, threshold even scheme if have independent modes of compromise (e.g., each com- tages but also some potentialthe weaknesses. attack For example, surface the to use encompass of all multiple shares shares. increases Thus, the security effect of implementing a Threshold schemes can be used to improve resistance against some of these specific attacks world exploit differences between conventional implementations and their idealized versions.

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P RYPTOGRAPHIC C CHEMESFOR S vi HRESHOLD There are important challenges and opportunities related to the standardization of thresh- The use of well-characterized threshold schemes to implement cryptographic primitives This document considers the benefits of standardizing threshold cryptographic schemes, The examples in the document illustrate how security properties can vary depending NISTIR8214 T these challenges with feedback andresearchers, collaboration industry from participants stakeholders, and including government academic representatives. old cryptographic schemes. Addressing thesements may to bring real about implementations important of securityof cryptographic improve- research primitives. work Fortunately, there done is inabout a the plethora broad possible area options, of caveats threshold cryptography, and providing tradeoffs. useful insights Further value can arise from addressing threshold-cryptographic-scheme standard allow? Should somedently base standardized primitives and/or be validated? indepen- Thisthese document questions. does not Instead, offer it definitive motivates answersthem. the to need It to also develop hints an atassessment, objective basis various efficiency and for representative applicability, questions addressing among to others. consider, namely about security automated validation tests with state-of-the-art techniques. offers potential security benefits. Butpool what of criteria candidate should threshold one schemes? use What to flexibility select of from features a and potential parameters should a possibly along with auxiliary threshold-cryptographyon primitives. threshold Naturally, there schemes is for interest NIST-approved cryptographictance primitives. is Also the of development major ofof impor- corresponding threshold approaches cryptographic for schemes. validation oftion This implementations process should and be evolving aligned structure with of the the current testing moderniza- methodology of the NIST cryptographic threshold directly means higher security.threshold On the schemes other can hand, be it used also intends to to implement convey cryptographic that primitives in a more secure on high-level features, onand assumed capabilities. attack On vectors one and hand, this on helps the prevent type a possible of misconception adversarial that goals a higher validation programs. Of particular relevance is the development of approaches to enable validation of actual implementations. way. Altogether, structured security assertions also promote a path for meaningful security

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P RYPTOGRAPHIC C CHEMESFOR S vii HRESHOLD 12 Representative attack types . Characterizing features . of threshold . schemes ...... 27 . . . . 20 12 Illustration of Blakley secret sharing Illustration of . share randomization . in Blakley . secret sharing ...... 8 ...... 7 7.1 Representative7.2 questions . Standardization7.3 at . what granularity . level? Standardization . opportunities ...... 41 ...... 39 . 41 6.1 The6.2 existing CMVP and FIPS Integration 140-2 of threshold . cryptographic schemes ...... 38 . . . 37 5.1 Threshold5.2 values . Communication5.3 interfaces . . . Target5.4 computing . platforms . . . . Setup . . and . maintenance ...... 29 . .30 .26 . . . 34 4.1 Security4.2 considerations . Types4.3 of . attack . System . . model ...... 15 ...... 20 . 22 3.1 Threshold3.2 signature examples Side-channel attacks . and countermeasures ...... 14 . . . 11 2.1 Terminology2.2 . . Secret .2.3 sharing . . . Secret .2.4 resharing . . . . . Threshold .2.5 . cryptography ...... Side-channel . and . . . fault . attacks ...... 4 ...... 9 . . .5 . .7 10 List of Tables List of Figures Table of Contents NISTIR8214 T 8 Conclusions References 42 44 7 Criteria for standardization 39 6 Validation of implementations 37 5 Characterizing features 26 4 Models 15 3 Examples 11 11 Introduction 2 Fundamentals4

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 , NVD18a RIMITIVES , P 18 + ], where a fault 03 1 + ], letting an attacker KGG ], Benjamin Franklin 18 + ABF , Sau34 RYPTOGRAPHIC C BMW ], Spectre [ BDL97 of cryptography? NVD14 , CHEMESFOR 14 S + 1 ] and Foreshadow [ Achilles’ heel DLK HRESHOLD NVD18c ], which allows recovery of keys from the dynamic random , 09 18 + + HSH LSG ) of the shares does not reveal information about the original key. Using n ]. Later, in “Poor Richard’s Almanack — 1735” [ (out of ], Meltdown [ f Sha97 There is a potential benefit complementary to mitigating single-point-of-failure issues To counter the inherent security risks of handling secret keys in conventional imple- The localization of a key, for use by an algorithm, is susceptible to enabling leaking Some portions of writing were adapted from text appearing at a previous short magazine article [VMB18]. 1 Introduction NISTIR8214 T in hardware and software implementations. The threshold approach can also enable decen- computation to a correct resultalgorithm. as if The the threshold original secret approachsecret key can keys had in thus been cryptographic significantly processed implementations. by increase a the classic confidentiality of mentations of cryptographic algorithms, technicalsecret approaches have key emerged into that two split or the more shares across differentnumber components or parties. Forappropriate example, threshold techniques, the shares can then be separately processed, leading the consumes, or the electromagnetic emanationsegory it of produces. non-invasive Many attacks, of which these cancomponents fall be within into performed the the without device. cat- direct Attacks physicalcan that contact lead exploit with to leakage disastrous of scenarios key-dependentdevice in information firmware which becomes the compromised master]. [RSWO17 key used to encrypt and authenticate access memory (DRAM) of afrom computer, the even seconds device. to Some minutes attacksthe after inject supply it faults voltage. has into been An the example removed computation,induces is for an the example incorrect “Bellcore” by computation attack changing whose [ information output reveals through a a secret side key. channel, Other attacks such obtain as the execution time, the amount of energy it it out. For example, themised internal through state a of bug a such conventionalNVD18b implementation as might Heartbleed be [ compro- read private memory locations, including secretis keys the contained cold-boot therein. attack Another [ example maintaining the secrecy of cryptographicimplementations, keys. as However, this keys is are difficultrun usually in the stored conventional algorithm. in Devices, one muchsecrets. place like people, Does on are this a not mean device, completely that and dependable keys are guardians used the of there to observed that “Three may keepprimary a means secret, of if protecting two digital ofare information. them well are In known dead.” modern but Today, cryptography cryptography the the is keys algorithms a are secret. Thus, the effectiveness of encrypting data hinges on Protecting sensitive information from unauthorized disclosure has always been challenging. 1 (1597) [ when secret sharing is used on the key, the compromise of up to the confidentiality threshold “Two may keep counsel, putting one away,” William Shakespeare wrote in “Romeo and Juliet”

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 , f , can 1 correct + k f RIMITIVES 2 P = can be thought k f or 1 + f = RYPTOGRAPHIC k C ), e.g., f and CHEMESFOR k S 2 HRESHOLD of components. In some cases, for example with low f aulty” (i.e., compromised) components that can be tolerated. f components in the system. As a mnemonic, the symbol n can be specific to some implicit type of compromise, e.g., possibly including f threshold property denotes that the presence or participation of n threshold scheme, some security property is tolerant to some kind of compromise out of n f -out-of- The basic security model for cryptographic algorithms assumes an ideal black box, in In fact, the security impact of a threshold design may be different across different The threshold concept can apply to security properties of interest beyond the secrecy of The threshold paradigm brings several security advantages but also some potential weak- In a dual perspective, a threshold can be defined with respect to an operational property. This report is focused on threshold schemes applied to cryptographic primitives. In an k -out-of- f NISTIR8214 T For example, such ideal constructsmodel have no contrasts side with channels the that reality could of leak conventional implementations, secret which keys. can This be subject to reveal the original key, but the corruptionit) of may a affect single the share integrity (or ofsecurity of the benefits a output. brought computation These by dependent observations on threshold highlight cryptography the as need a to possible look tradeoff at across the properties. challenges in ensuring the simultaneoussecrecy upholding of of key diverse material, security correctness properties, such of as outputs and continued availability. properties of interest. For example, in some schemes the compromise of one share might not keys. For example, it ismalfunctioning useful of to some enable of availability and itsachieve integrity components. such of Traditional resistance computations techniques when in of considering spite fault random of tolerance or often predictably modeled faults.arbitrary. However, Considering a wide scopeflavors, of depending security on goals, the threshold security schemes aspects can they exist address in and several the techniques used. There are attack model. It is particularlymore relevant than to the consider threshold how number difficultthe may increased be attack the surface compromise may of against enable a an conventional attack (non-threshold) more primitive. efficient and effective than possible nesses. For example, the useall of shares. multiple shares Thus, increases the the attack security surface effect to of encompass implementing a threshold scheme depends on an cases of crash, leakage, intrusion and accidental or malicious malfunctioning. components is required to ensurethresholds some (respectively correct represented operation. by The symbols relation between the different of up to of as counting the number of “ tralization of trust, when delegating the ability to perform somecryptographic cryptographic operation operation. should require agreement by multiple parties. vary depending on the scheme and on the type of compromise and security property. This threshold This can be useful for higher-level distributed applications, e.g., when the performing of a which the cryptographic computations are correct and the internal states are kept secret. we are specially interested in resistance against targeted attacks, which can be malicious and A

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P RYPTOGRAPHIC C CHEMESFOR S 3 HRESHOLD Altogether, the security assertions made with respect to an instantiated set of features For example, system models and attack types can differ substantially across different There are techniques designed to mitigate foreseen compromises in more complicated A separate analysis of different security properties may lead to some pitfalls. Some NISTIR8214 T provide a path for securityapproaches validation of that actual enable implementations. automated Ofuse validation particular of interest tests are well-characterized with threshold state-of-the-artprimitives cryptographic techniques. offers schemes potential The security to benefits. implementfor It cryptographic selecting is from thus a important potential to pool develop of objective criteria candidate threshold schemes. interfering. In a single deviceponents setting, within this a may single involve interaction chip between or different a com- single computer. Inor a across contrasting the setting, Internet. multiple nodes interfaces, the target computing platforms, and the setup and maintenance requirements. platforms and communication mediums. Itinter-communicate, should and thus how be they considered can how be the assumed components separate and independent vs. mutually by a shareholder, thereby enabling operational modes that tolerate thisthereby kind of periodically corruption. reducing toabstract zero security the model number is of notan enough compromised adversarial to shares. environment. assess One the However, also effects an needs of to placing characterize a implementation threshold aspects scheme whose in in understanding how threshold schemesspecific can attacks. be It used is to also improvescheme relevant resistance induces to against across assess these different potential security tradeoffs properties. that a threshold cryptographic scenarios. For example, verifiable secret-sharing enables detection of misuse of shares in an ideal world, then allowinga security system properties model to is be also derivedbe important therefrom. subject to Complementary, to. characterize different Specific types attacksimplementations of in and attack the their that real idealized a world versions. system exploitsecurity Some may differences properties of (e.g., between these confidentiality conventional may of target a breaching key) specific or sets thereof. There is a particular interest leakage) from a set of components, e.g., providing resistance against side-channel attacks. formal models of security arecommon useful to analysis to of avoid secure them.security multi-party The into computation a protocols, ideal-real definition combines simulation of the paradigm, an notion ideal of world. This abstraction captures an intended application attacks that exploit differences between the ideal and real worlds.components. Threshold They schemes may also hinder the exploitation of existing compromises (such as noisy variation may affect security. These include the types of threshold, the communication (e.g., servers) may be placed in different locations, communicating within a private network As another example, can be used to periodically reshare a secret, with some of those differences, by providing tolerance against the compromise of several

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 to be ” the (with n RIMITIVES P -out-of- f ” the threshold n compromised uncompromised -out-of- k RYPTOGRAPHIC C CHEMESFOR S 4 number of components that can be HRESHOLD : characterization of compromised nodes, or of an adversary, number of components that must remain maximum minimum This document is targeted, with varying goals, at a diverse audience. Internally ” denotes the f We borrow terminology from different research areas, with some overlap, using several It is useful to further clarify one intentional design aspect related to the references to re- The text is also directed to experts in cryptography from academia and industry. For The document is also written for people with managerial/policy responsibilities in devel- Active/byzantine/malicious when being able to arbitrarily deviate or induce deviations from a protocol specification. ” denotes the k 2 Fundamentals • NISTIR8214 T terms that share similar connotations,informal sometimes correspondences (but follow: not always) interchangeable. Some 2.1 Terminology threshold “ respect to some implicit security property ofsecurity the property components), while for retaining the some (implicit) global system. Correspondingly, inpossible to “ ensure some security property of the global system. preferring instead to exemplify precursoryan threshold exhaustive techniques. analysis Therefore, and we do dopaper not not or try make a to technical include survey. the Weapproaches depth hope can and that be nuances a subsequently typical thorough performed of assessment with a of an state-of-the-art research inclusive threshold participation of stakeholders. lated work. This document intendsthreshold to schemes initiate for a cryptographic discussion primitives. thata may For balanced that lead way NIST purpose, that to we standardize there soughtpreferences. are to convey feasible In in threshold fact, approaches, we but specifically without opted showing to particular avoid an assessment of the most recent works, them, the document is anthe invitation to open engage questions with related NIST toprimitives in the and a standardization the collaborative of corresponding effort guidelines threshold to for schemes resolve implementation for validation. cryptographic opment and/or adoption of cryptographicdocument services highlights and critical modules. aspects For of suchcantly the an affected security audience, by of the nuances implementations in that theeral can system simple be model examples signifi- and are the provided, employed including threshold some techniques. based on Sev- classic secret sharing schemes. for NIST, the goal is toitives. initiate This a motivated discussion the about inclusion threshold of schemes representative for questions cryptographic relevant to prim- standardization. Audience. This document makes use of two dual perspectives of a threshold. In “ “

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 , ” ] n K 3 . K f TJ11 -out-of- RIMITIVES f P with respect to 3 from the same key . = 2 k K K and RYPTOGRAPHIC 1 : state of a node, whereby it C K ; when the context is clear, some f scheme with 3 : an agent with a special role in aiding be the one-time pad encryption of : characterization of compromised com- K : transitioning of a node or nodes from a ⊕ CHEMESFOR 2 S -out-of- K k 5 ⊕ 1 : a constituent part of an implemented threshold K : a process by which a node transitions from an parties, has a threshold property: it is a “ = 3 3 HRESHOLD : ideal state of a node, not yet compromised by an K = n , we randomly select shares 3 K , and 2 K with respect to the leakage of any two shares alone not giving away , 1 2 K = : an agent, not in the threshold set of components, who is a stakeholder of the f , and let the third share is the exclusive OR operation if the keys are bit-strings. No two shares provide any K ⊕ , except if explicitly stated as such (e.g., the case of a primary node). The described scheme, with The above notes simply intend to convey intuition helpful for reading the document. We Recovery/refresh/rejuvenation/replacement reset of internal states, as well as effective replacement of physical components. Good/healthy/honest/recovered Honest-but-curious/Leaky/Passive/Semi-honest ponents, or of an adversary, whenbut the without internal altering state the of computations the and former message-exchanges is specified exfiltrated by by the the latter, protocol. Compromise/corruption/intrusion ideally healthy state to a compromised state and/or by which it remains therein. adversary, but susceptible to attacks. Aggregator/broker/combiner/dealer/proxy/relay departs from an ideally healthy state, and startsClient/user being counted towards the threshold result of a cryptographic computation, typically the requester for that computation. parts whose compromise counts towardsterms the can threshold designate parts outside of the threshold composition. the setup, execution and/or maintenancen of a threshold protocol; usually not accounted in Bad/compromised/corrupted/controlled/faulty/intruded scheme, affecting the prosecution ofcontext) a to functional be goal achieved (a by cryptographic a operation, collective in of our parts; most often used to denote one of the Agent/component/node/party/share (possibly) bad state back to a good state; nuances include update, reversion, change and • • • • • • • • NISTIR8214 T scheme with information of the original secret key; it is a into three shares space as information about the secret key — all shares are required to recover Secret sharing is based on splitting the key into multiple shares. For example, to split key do not undertake here the goalin of the unifying text terminology provide from necessary different areas. context.and the Cited The references NIST encyclopedia of glossary cryptography of and security security terms [ [Kis13] provide additional suggestions. 2.2 Secret sharing where

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 , n g } A and + g 1 n + − k x x and each -out-of- A 1 of parties. k RIMITIVES h ) − -coordinate n P 0 k -coordinate. x ( = h for some con- 1 f x y g + . For example, parties together : = 1 -coordinates) are + ) k ... x 0 y − c , hx + x k ( 1 = x { . The prime modulus 1 y Q h such hyperplanes, one can RYPTOGRAPHIC = and define the polynomial , and therefore compute the of parties. ) C and the secret and any other y k 1 x n ( ) − f ≥ k Q c notation is used hereafter for the n satisfying , and the lines themselves are finite -dimensional space, provided that k ) k parties together can recover a secret Q as the intersection of their lines (see for some line y ,..., mod , k 1 P A ) x c g ( x . Note that the lines cannot be parallel to , is a positive integer distinct for each party ( 0 P f i CHEMESFOR c in the and recover the secret as its must be larger than the number , S secret-sharing scheme. To build a and ) x P different parties. Then any y Q ( 3 A 6 , n h 1 − k , where x in the two-dimensional plane (see Fig. 1(a)). A non- -axis. Choosing ]. There, any )) being also integers modulo 1 ) . Since each party must receive a distinct point, and i -out-of- x y ( y Q , 2 f ,..., HRESHOLD parties can reconstruct x 1 , ( i x k Bla79 ( ( and and larger than the number P , one considers hyperplanes . Typically, the secret is the coefficient 1 parties together do not know anything about the secret. P s , the modulus 2 1 x secret-sharing schemes can be defined, for any integers x − )) − n k > 0 k x With the help of Fig.1, we describe an example of Blakley’s ( Shamir secret sharing is based on the observation that any set , with some simplifications for illustration purposes. The secret is k parties cannot. All coefficients are based on finite field arithmetic 1 f 3 − 1 , k 0 = c − ( . Such secret-sharing schemes were independently developed in 1979 , this does not give Alice any advantage in discovering its n -out-of- k + 1 P k ) of the point s ... ] and Blakley [ ≥ x and k + parties, but 2 x ). Then, any set of n ≥ . If Alice obtains coefficients 1 n = , individually they cannot determine g c n Sha79 P k , whereas + ) ,..., 0 0 and 2 ( c receives as share the point , f h 1 i distinct points determines completely a polynomial of degree -coordinate ( Similarly, if Bob and Charlie obtain coefficients of other lines that pass through the More generally, x ) = k (see Fig. ).1(b) This is because the definition of the line does not provide any special x satisfying ( s f NISTIR8214 T that point must not be party secret defined in terms of a prime number can compute efficiently the intersection point of consider a set of positive integer coefficients must be larger than the secret Fig. 1(c)). We have thus describedBlakley a scheme for some that intersect in a singleno point hyper-place is orthogonaldistribute to the the corresponding coefficients to Shamir secret sharing. same point each other and to Alice’s line.Charlie, or However, any Bob two with together Charlie — — Alice can with easily Bob, compute or Alice with containing the point x information about any point inequally the likely. line, In i.e. practice, all lines pointscoefficients are in being selected the integers only line modulo from (and some a all primecollections finite number of space points, of e.g., lines, with e.g., with all scheme for the stants k by Shamir [ shared across Blakley secret sharing. all three shares being requiredconcrete to case recover of the secret-sharing key. The schemes. vertical line in the plane is defined as a set of points The points on the curve are thus defined as (e.g.,

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 ]. x P Bob times Alice ], thus n Kra94 RIMITIVES P OY91 s P x ) points on the curve. Charlie example of Blakley’s k 3 y shared among three parties. (c) Lines (shares) intersect at RYPTOGRAPHIC s C x -out-of- s 2 x x along the vertical line that defines P Alice ? ) shares are compromised [ P k CHEMESFOR Secret? S < . This ensures that no information from the 7 1 of Blakley secret sharing times smaller than the size of the secret — this s 2 x − k Q HRESHOLD We continue here the y (b) Single line does not reveal 1 shares there is indeed no information about the secret. − x k Figure 1. Illustration requires re-randomizing the point ], e.g., at regular intervals in time and not as a direct response to a s x -coordinate x s P is P’s x HJKY95 s x some elements of secret-sharing are standardized by the International Organization for While information-theoretic security may be an advantage, the property requires that each The schemes of Shamir and Blakley are information-theoretically secure, which means y The humanoid cliparts are from ,clker.com/clipart-*.html where * is 2478, 2482 and 2479. (a) Secret NISTIR8214 T Each resharing of detected compromise. Resharing in Blakley’s scheme. scheme, where two parties are required to reconstruct a secret practice. It may happen thatcreating over a time need some to ( computeproactive new [ shares and discard the old ones. Resharing can even be is especially useful if secret sharing is toNote: be used to share largeStandardization amounts (ISO) of / data. International Electrotechnical Commission (IEC) [ISO16, ISO17]. 2.3 Secret resharing share is of the same size asthe the size secret, of thus meaning the that secret. thesize, overall In at size contrast, the of cost all there shares of are is guaranteeing secret-sharing only schemes computational with (i.e., reduced cryptographic) optimal security [ coefficient are integers between 0secret and can be recovered from incomplete sets of (i.e., with fewer than that in a standalone set of 2 The need to compute new random shares for the same original secret key often arises in There, the size of each share can be up to

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . j 1 is x + r 6= r y , i C . This is fixed s Bob ω s x x and new and Charlie RIMITIVES ) } P 1 1 1 C + , r + + we attribute to r r y B , in the interval , , , r , as its new share. B A -coordinate s ω A y ) x ω ω i correspond to new ( . At each random- r 1 f ∈ { = ( Q + for a new polynomial j r 1 , (secret) r P i , + Alice s 1 r 1 x would require randomizing P mod − + RYPTOGRAPHIC k r a random for ) P c C P 0 r 2 receives ( / f π ,..., . The new shares are then points r ,... , 0 3 = 6= 1 c , c is the equation that defines the line. r , 2 j Q y , g 1 ) = ω + 0 where the three lines intersect is chosen 1 ( = CHEMESFOR 6= r + r mod i f hx S r r P , (b) New random values at each resharing; -coordinate where the line intersects with the 0 i y x c 8 = ω . Then, the new share (a line) for each party is r x y , ) , for i r A y ω , r s , x Alice and the C the point satisfying HRESHOLD Share re-randomization can also be done with Shamir is as before: the new point r ω axis. Thus, for each resharing iteration , , where r i 1 = ( ) 2 , one computes a new point x − w h r 1 k , P > x g Charlie r + k r , ( , are random 1 r B r − , i k ω c ω + (secret) ... s in the plane can be parametrized in terms of its angle , one chooses random coefficients r + x . Concretely, each party and are different from one another. With this construction, a single party r P x r P r r f , P 1 Bob c , with respect to the a new random angle and each angle ) Figure 2. Illustration of share randomization in Blakley secret sharing i r + 2 y / 0 c π , (a) y 2 / ) = 1 coordinates, and the resharing would proceed as in the initial sharing. For each new iteration For visual intuition, we illustrate in Fig.2 a parametrization based on angles. A line x π r ( − y r -axis. In practice the used parametrization is based on polynomial coefficients, so the share − f NISTIR8214 T evaluated with k Resharing in Shamir’s scheme. secret sharing. There,ization iteration the fixed secret is random lines for each party.random angles, These as lines, illustrated passing inthe through Fig. lines2(b). point of The different party parties selectingare do new non-vertical. not shares overlap, Concretely, must i.e., this ensure that means that they that do not have the same angles, and through a point each party x is because at each newrandomly in resharing the vertical line that passes through the secret. the secret. In other words,sampled, for defining each a randomization new iteration point also randomized, subject to thethe constraints new that point all new lines are non-vertical, intersect at The generalization to the case (a line) is instead revealed as (Alice, Bob, or Charlie) still cannot gain any useful insight into the reshared secret (

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 , Yao86 RIMITIVES P ] and in secure set Yao82 RYPTOGRAPHIC C ] and/or zero-knowledge proofs Fel87 , CHEMESFOR S 9 AMGC85 HRESHOLD ]. While we focus on secure implementations of cryp- ]. It allows mutually distrustful parties to compute functions GRJK00 ]. Usually, the setting is such that the shares are used to compute ]. In threshold schemes for cryptographic primitives, the nodes within CCD88 , ], allowing checking whether shares are used consistently. Specifically, a FNP04 DSDFY94 , BGW88 BFM88 , , DF90 Threshold schemes can also be based on elements from the “distributed systems” re- Threshold schemes also do not encompass all that exists in the realm of SMPC. In usual One main area of related research is “secure multi-party computation” (SMPC) [ GMR85 NISTIR8214 T a multi-party threshold version of a full-fledged cryptographic platform. Such a platform provider (of cryptographic services) to a set of external users/clients. search area, where fault andinterest intrusion in distributed tolerance systems are are mainexecution/requests) liveness topics. and (making safety progress Common (ensuring even properties in consistency of the of face state of across concurrent multiple parties). Why SMPC descriptions, the parties themselvesand are correctness stakeholders of the of output, theintersection e.g., secrecy [ in of the their millionaires’ input problemthe [ threshold system can have a neutral interest for the outcome, and in fact just be a service interaction between parties.graphic Provided primitive can suitable be definitions implemented andis in assumptions, based a any on threshold crypto- a manner framework based ofthose on definitions functionalities. SMPC. of Nonetheless, Often ideal some this functionalities, systemssecret-sharing, and may protocols replication) implement that not threshold emulate modeled techniques within (e.g., an SMPC framework. GMW87 sponding inputs to one another.of This different can be parties useful are for not threshold shares schemes of even if some the key inputs and/or if the actual computation requires threshold scheme can be madeor robust against in adversarially related induced computations, inconsistencies outputting inof correct shares results compromised in parties spite [ oftographic up primitives, to the a actual threshold threshold number techniquestechniques, may e.g., also simple include replication non-cryptographic and majority voting. something useful, but without beingsecrecy revealed across of parties. cryptographic keys, Often, but a aand main variety availability, security of may goal other is also security be properties,based such on a as a motivating integrity variety drive. ofbased techniques. Achieving on For these verifiable example, properties secret integrity sharing is may schemes[ in possible [ some settings be enhanced of cryptographic primitives, we adoptnote the our umbrella area term of “threshold interest. cryptography”used The to to expression de- refer “threshold to cryptography” has schemesputs been where [ traditionally some computation is performed over secret shares of in- 2.4 Threshold cryptography (and randomized functionalities) of their combined inputs, without revealing the corre- would this be relevant for threshold cryptography? As an example, consider implementing with a strong relation to threshold schemes. Since we are focused on the implementation We take broad input from several research areas with traditionally distinctive names, but

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 ]. probing DDF14 RIMITIVES P RYPTOGRAPHIC C (of cryptographic operations) is ] or by “lazy engineering” to just NRR06 CHEMESFOR S ] where these three properties (consistency, availability 10 ]), or the attacker may be limited by the number Bre12 14]. + HRESHOLD CJRR99 model [ secret-sharing increases exponentially with the number of shares. n ]. To inject the fault, the attacker may, for example, apply a strong external ]). The noisy leakage model and probing model have been unified [ (of state, e.g., credentials, across different parties) be simultaneously satisfied noisy leakage (i.e., even if some parties in the threshold scheme cannot inter-communicate), can -out-of- BDL97 n ISW03 Besides the aforementioned side-channel attacks, an attacker may also obtain key- As such, side channel attacks on secret-shared implementations become infeasible if the We will assume that, regardless of whether the computation is in hardware or software, NISTIR8214 T of the computation. This would provide resistance against a wide range of fault attacks. outputs [ electromagnetic field. Note that the injectionof of the faults may computation, also thereby introduce violating errorsis the in the endowed integrity outputs with of the the ability outputs.does to If not detect the require which threshold all shares scheme shares have to errors, be and present, if it the can threshold resist scheme temporary and permanent faults in parts the model take transient behaviorbe (“glitches”) handled by of Threshold the Implementations transistorsincrease (TI) into the [ account, number of which shares can [BGG dependent information by injecting a fault into the computation, and then observing the channel information, the complexity of a side-channel attack of a suitable implementation number of shares is sufficientlybefore high, and the is attacker further can thwarted collect when enough the side-channel shares are information. refreshed Further refinements of logical gates and memory cells.noisy Then, (the the attacker’s view ofof the wires circuit elements of may the be model circuit [ that itIn can both observe models, under within some a reasonable assumptions certain on period the of statistical distributions time of (the side- during computations. This is possible even without direct physical contactradiation with emanated components by a device can be measured without penetrating the device enclosure. the device that performs the computation consists of some circuit with wires connecting to availability and partition tolerance) cannot be guaranteed to be achieved simultaneously. 2.5 Side-channel and fault attacks a critical property, and wherepartition the system is supposed toconsistency operate even in cases ofunder network concurrent executions? This isthreshold a schemes. kind of There “distributed are systems” settings problem [ relevant for on requests by users whosetime. credentials and Now we authorization could profiles may ask: be in updated a across setting where The secrecy of keys can be compromised by the leakage of key-dependent information with an within the device. For example, the time taken, the power consumed, and the electromagnetic would perform a variety of cryptographic operations, some using secret keys, and based

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 ]. )? ]). = , it n 2 d s < , . 1 . Here, k d Sho00 DF90 ) N ], which threshold . Anyone m into three N RIMITIVES ( N n d P = φ 1 mod s . Moreover, fre- m , which does not mod RSA78 d d d = -out-of- 1 mod ). It is nonetheless m k ed = = m s ed = e RYPTOGRAPHIC s C signature scheme (with . Note that this is indeed a valid group order is Euler’s totient function. Then, 3 n s . Now, without reconstructing φ 2 ) s , such that 1 (the N d s ( ) φ . This simple threshold RSA signature = N -out-of- ( N s k φ CHEMESFOR S mod ) would reduce the window of opportunity for to a mod d 3 11 n , wishes to delegate to other parties the ability to d d = d m 3 d = shares are available. , and + 3 2 d k 2 -out-of- HRESHOLD d d + n , 2 1 d + d and the private key as + 1 1 d ) d e m , N = ( 3 s threshold scheme 2 s 1 , such that n s 3 ; and then compute the signature d 3 and the secret signing key d is a product of two large secret primes and ) ]. We first consider the role of a dealer — someone that, knowing the secret m N N , and ( -out-of- = 2 φ d k 3 s , BH98 1 , d , and But how to generalize from the Now let us proceed to describe a simple threshold variant of this signature scheme 2 d Fra90 3 Examples NISTIR8214 T groups with publicly known group order (e.g., as in the case of ElGamal decryption [ namely because the share-holders dopossible not to know slightly adjust the computationcombination of becomes key possible shares even and without signature knowledge shares of so the that secret the information final the [ development of diverse threshold schemes, with some schemes taking advantage of using scheme could be used when at least ponent), and correspondingly the combination into a final signature becomes more complex, attacks and thereby further reduce the risk. Refreshing can even occur after every3.1.2A signature. In the above example, all shares must be present. This might be impractical in situations RSA signature, as scheme mitigates the risk of exposing theappear potentially in high-value any private key of theing three any shares one that of are the shares, usedquent and in updates even the two to actual of the them, computations. key poses Thus, shares no compromis- threat ( of exposing parameter jointly produce signatures in a thresholdshares manner. The dealer splits the privateis key possible to first process the message independently using each of the shares: the modulus the RSA signature for apossessing (possibly the hashed) public message key m can is verify defined the as signature by checking [ 3.1 Threshold signature examples 3.1.1 Basic threshold computation on secret shares First, we recall thedefines the RSA public (Rivest-Shamir-Adleman) key as signature scheme [ m The secret vs. public knowledge of the order of the underlying group can indeed be relevant in The needed secret-sharing is no longer a simple additive decomposition into shares (in the ex- where one or more of the shares become unavailable. For such cases, a

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 ]. vdGP88 RIMITIVES P , knows the secret dealer RYPTOGRAPHIC , along with a secret sharing C N ]). In particular, this can facilitate ]. Different RSA-based threshold secret-sharing scheme, and a corre- 3 BF97 Ber06 CHEMESFOR S -out-of- 2 12 remains intact, available, and not breached. This means HRESHOLD d required the dealer to also know the secret prime factoriza- N and to properties of the prime factorization. n and k is indeed a valid product of two primes, by using zero-knowledge proofs [ would also require a threshold generation of the public N d The same possibilities exist for resharing. In suitable threshold schemes, the share- Schemes based on particular assumptions can enable a more straightforward selection In contrast, when a conventional implementation is breached, the corresponding pub- So for RSA signatures one can use, e.g., a and performs each secret-sharing operation. Particularly, the threshold RSA examples NISTIR8214 T holders can perform resharing without a dealer, i.e., interacting to create new shares for the be accepted for global parametersa of respective a threshold group mechanism, (e.g., so [ example, that one a can secret then key define never a exists dealer-absent locally threshold at version any of entity. adiscrete For public logarithm) key [Ped91, generation GJKR99]. assumptions of intractability of computingorder. discrete If logarithms the in group certain parameters groupsone of can requires known be having verified any as secret correctmade knowledge in about in a a the standalone way group. procedure, that Furthermore, then avoidsbe if no the trusted the possibility by selection of anyone. is a The trapdoor intractability being assumption known, can then the then, parameters for can fixed security parameters, can in general be doneschemes based can on take SMPC advantage protocols of [ parameters specialized solutions, with tradeoffs related to the threshold and verification of the validity of public elements. For example, this is possible based on tion. If needed, the dealerthat could, without revealing the secret,Nonetheless, prove in to a each dealerless share-holder settingkey a threshold computation of sharesof of its the factorization. secret This signing does not lend itself to a straightforward efficient computation, but In the above descriptions, and implicit trusted party, often calledbased the on a common modulus more resilient to future sharethat losses at if most it one continuously isthree refreshes compromised separate the conventional at key RSA any shares, implementations given provided withrequire time. updating independent the keys, Note refreshing public/private that key would in pairs, along a with scheme all composed entailing of inconveniences. 3.1.3 Avoiding the dealer that one can continue to use the same public key to verify thelic/private correctness key of pair the would signature. haverequires to an be external revoked certification and ofit the a public new to key pair all by issued. a relying certificate Typically parties. authority this and also In propagating addition, a 2-out-of-3 threshold signature scheme becomes sponding threshold variant of RSA. Then,breached, in the the private signature case key of one share being irrecoverably lost or (the result of an exponentiation), such that each party knows one share of the secret key (a

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 3 RIMITIVES P ] enable multiple parties, to define which subsets of RYPTOGRAPHIC C MOR01 , ]. Such schemes can be based on flexibility ], where a member of a group signs a message, IN83 And02 CHEMESFOR S CvH91 13 HRESHOLD ]. To some extent, this property has some conceptual similarity to the BM99 Several of the exemplified threshold schemes take advantage of group homomorphic In summary, we showed by examples that “threshold signature schemes” can be based To complement the resilience in the face of compromise, signatures can also be im- A multi-signature scheme can be used as a threshold signature scheme where the These should not be confused with “group signatures” [ while proving group membership but remaining anonymous with respect to its identity within the group. NISTIR8214 T dealer, with or without robustness, and possibly with forward security. properties. While suchthreshold properties computation can are still not in general applicable be in obtained via every secure cryptographic multi-party computation. primitive, past keys [ refreshing we previously described infor the threshold RSA signatures example. [AMN01], This including property the can case be of achieved multi-signatures also ]. [SA09 on secret-shared computation of regular signatures or on multi-signatures, with or without a these schemes can be easily based on Schnorr signatures [Sch90, BN06]. plemented with a “forwardan security” property evolving [ private key,leakage while will the not public allow the key adversary remains to fixed, forge so past that messages, assuming even the a signer future erases key application layer, and possiblysignatories the determine user, a has valid added signature,threshold i.e., number. beyond structures For example, defined a bysignature multi-signature a from may pre-determined each be of defined three as groups valid if of it individuals in contains different one roles in an organization. The not wanting to use asetting private-key share it associated is with possible a to commonsignature. devise public short Concretely, key. “multi-signature” threshold Even schemes signatures, in [ with this size equal to a non-threshold thereby being inherently efficient inparameter). size (i.e., Such not schemes incurring also an havesecret increase the to with property the the that external threshold the users identitiessome interested of in settings the verifying signatories may the remain favor correctnesscredibility the of feature. a identifiability signature. Each of signatory However, signatories, might also e.g., prefer as retaining an an individual accountability public credential, and a threshold scheme enables a generation of a signature identical to the non-threshold manner. same secret, without ever reconstructing thefor secret. new threshold The structures final (e.g., shares different can threshold even and be number obtained of parties) [DJ97]. 3.1.4 Other constructions 3 verification procedure then depends on the set of independent public keys. For example, The above examples focused on threshold schemes where the secret-key is shared, and then with independent secret-public key pairs, to jointly produce a common short signature. A feature of those schemes is that the final signature is identical to a non-threshold one,

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P different keys, n . n RYPTOGRAPHIC C threshold block by Brickell et ], and have been shown to be easy to n party. In that case, it may happen that the CHEMESFOR Koc96 S -out-of- 14 ], or when the same binary is executed on a every n ], may not be sufficient. Indeed, an implementation that HRESHOLD KPVV16 Ber05 -fold composition (or cascade) of a with n (bounded) information about ] uses the some BCF00 Nevertheless, there exist sound countermeasures against side-channel attacks where the However, when all these parties reside on a single chip, we must assume that an attacker To protect against side-channel attacks, the framework of threshold cryptography can The execution time of the program, however, is just one example of a side channel. A possible countermeasure against timing attacks is to ensure that the implementation is NISTIR8214 T secret variables are split into shares,combine such the that secret, but a fewer threshold shares number revealfoundation of no of information shares these at can all. approaches be and used We described their to the re- resistance theoretical against side-channel attacks in Sec.2. threshold only complicates aon side-channel the attack number by of a parties. smallal. factor, For [ depending example, the such that no singleoperation, party then holds the the leakagesuccessful entire attack of secret on information required the original from to secret. perform only the one cryptographic “party” would notcan gain enable a countermeasures (such as “constant-time” implementations,netic dual-rail logic, shielding) or is electromag- that they usually do not get rid of allprovide the a promising leakage, starting but point. If may the still implementation is be split into a number of “parties,” different processor [Por18]. Implementations in hardware and softwareas may power also consumption leak or through electromagnetic other radiation. side channels, The such limitation of the currently-known reason is that having “constant-time” sourcebranches code, that or is, memory source accesses code [ withoutis key-dependent free of timing attackshappen, on for one example, platform when may source be code vulnerable that on contains another multiplication platform. operations This is can compiled perform on a variety ofno cryptographic specialized algorithms. equipment An is advantage required. ofsystem, Because timing they they attacks may do is even be not that performed require remotely physical over access the to Internet the [BB03]. 3.2 Side-channel attacks and countermeasures vulnerable to higher-order or data-dependent leakages. This turns out to be surprisingly difficult for many commonly-used implementations. The Timing attacks were first presented by Kocher [ which may slow down power analysis attacks only by roughly a factor of with a different runtime library [ “constant time,” that is, that its execution time does not depend on the value of the secret key.

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P components n Perhaps security is how does a threshold -out-of- f RYPTOGRAPHIC C CHEMESFOR S 15 HRESHOLD This section considers how a range of applicable scenarios may differently affect a range The distinction of ideal versus real implementations can yield useful insights into For example, one can define the security strength, which can also be expressed as bit 4 Models NISTIR8214 T make it inherently more difficult toin exploit the existing compromises set (such of as “parties”. noisy leakage) While these intuitions are valuable, we want to enable a more In a first baseline comparison,in a real an implementation ideal allows black-box. vectorsimplementations, of Once in attack these the not are real possible identified, world,approach to one improve affect asks security. how security, Particularly, to compared augmentimproved to if conventional an a attacker non-threshold is approach? limited to not compromising more than section, which motivates the need to describe characterizing features of threshold schemes. 4.1 Security considerations side-channel leak could have on a conventional implementation? of tradeoffs between several security properties.and These capabilities, scenarios and depend various on properties adversarial goals security of strengthening the and system weakening model. may It co-exist. is The important discussion to also be preludes aware the that next the assessment of threshold schemesadvantages for and cryptographic disadvantages primitives. of Whatcompared are performing to the separate conventional security implementations computations that on usecryptography shares a mitigate single of the secret a key? potentially key, How disastrous can threshold consequences that a coding error or a size. When the algorithms areassumption implemented can in break real down hardware in andlead several software, ways. to the side For black-box effects example, that bugsand compromise in the electromagnetic the secret characteristics implementation key, of can as the withside-channel platforms Heartbleed. information on Also, to which the leak the material and algorithms allow run attackers can to cause recover the secret key. property of the algorithm canthe be best-known reduced attack to against the this problem model. of evaluating the complexity of strength, of different classesneeded of to cryptographic algorithms perform based a on brute-force the search amount of of work the key in a large space related to the key box, in which the cryptographickeys, computations are are kept correct secret. and all Thischannels, internal basic such states, model as including leaves timing aside and the power.in possibility This the of may model, leakage be or through due being side- toconstant-time assumed these computations). independent parameters of Under not the this being secrets assumption, included (e.g., the assuming problem instantaneous of or quantifying a security The basic security model for conventional cryptographic algorithms assumes an ideal black within a certain time interval. Also, as explained in Sec. 3.2, a threshold design may

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 , 0 = A f RIMITIVES P and 2 ]. We can call = C for confidentiality, f 2 Rad97 [ = f for availability, i.e., three RYPTOGRAPHIC 3 C = k , since the described mechanism 0 availability = I and f CHEMESFOR S 16 reliability HRESHOLD compromised components back into a healthy state. ) are necessary to produce a signature, and 3 = n rejuvenating In summary, even for the considered simple example of “3-out-of-3” signature scheme Two general metrics of interest are NISTIR8214 T corruption is detected by a verification against the provided plaintext. If the detection of a different properties. For example,signing the key) compromise and thresholds availability for (tosimilar confidentiality produce to (of signatures) the the are underlying respectively secret-sharingcompromise scheme. threshold For integrity is of by produced defaultproduces signatures, also an the equal incorrect signature to ifalso one consider of an the analysis output that shares incorporates is the incorrect. context However, one of can a signature application where the promise the integrity of the final signature, depending onto whether verify or the not correctness the of mechanism the signature. i.e., any subset of onlyloses two visibility parties of cannot the learn anything originalcomputation about signing dependent the key, but on key.) retains There, the the each key. abilitythen If node to it a influence compromises compromised the the node availability output simply ofa of refrains the syntactically a from signing valid outputting, but operation. semantically If incorrect a output corrupted share, node then outputs it may or may not com- confidentiality vs. availability vs. integrity, possibly improving one while degrading others. Sec. 3.1.1, supported on a 3-out-of-3used secret here, sharing a of the 3-out-of-3 key.parties secret (Recall (out sharing that, of with of the the notation key means enhanced by 4.1.1 Diverse security properties then secrecy is lost withanything respect being to able the to plaintext revert associated it.goal with is Availability public — satisfied , proportion — without of can timee.g., be during the used proportion which to of a measure cryptographic security the outputon actual produced the as “availability” mission intended. of time a These of service metrics an also or application, depend property, so it is relevant to consider, for example, resilience them meta-metrics, since we are especially interested in considering themto to implementations measure under (even attack. Reliability — probability of notproperty failing represents a a security catastrophic goal failure. For example, if a secret decryption key is leaked, meaningful formulation and/or validationbased of on threshold security schemes. assertions about implementations To show the nuances, consider the 3-out-of-3 threshold RSA-signature scheme described in (implicit in the example) responsible for recombining the output shares is prescribed or not (based on a “3-out-of-3” secret sharing), there are different compromise thresholds for A threshold augmentation may have different effects across different security properties, e.g., when just qualitatively/comparatively) the upholding of concrete security properties related — is specially suited for cases of “all-or-nothing” security, where the break of a certain

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 ; n k one − all n ) out of A f RIMITIVES P + 1 is easier to break (for the confiden- = 1 ( 1 P − k one ]. In particular, one may = C RYPTOGRAPHIC f ) for others. Properties with C 0 ). In some attack/compromise BB12 nodes being compromised, e.g., = 1 1 f for integrity. In a context where − + 0 n f having a compromise threshold value = = 1 does not imply that ) if compromising the integrity of I P C 2 f 0 f at certain levels (OS, vendor, etc.), and if P CHEMESFOR = S I f 17 ” signature scheme: n diversity HRESHOLD -out-of- k ) compromising the availability of 0 of another property can depend on the scheme, but ideally can be as high as 2 = A f ) and the problem be instead classified as an availability issue f n A f = exploiting side-channel leakage from a set of nodes; compromising I f passively ) nodes in the threshold version (when ) out of the three nodes in the threshold version is easier than compromising the I C ). More generally, for a “ f f . Thus, there may be scenarios justifying a threshold scheme with a high threshold for 0 2 + + P = Consider the mentioned case with threshold Based on the above, under certain types of attack the exemplified threshold scheme may, 1 1 lower than the threshold can depend on the scheme and on the application definition of integrity compromise. A 1 I f = = f f NISTIR8214 T standard non-threshold techniques. Also, assome already mentioned properties with with an a example low foran threshold integrity, adjusted in a way at threshold the schemeproperty application module (e.g., layer, may if integrity) be the in considered application the in such can threshold as handle scheme. confidentiality the (Still, of compromise the a of compromise key, a of may some often properties, be undetectable). an incorrect share). Particularly, a security property than some properties, even if with aassociated low threshold threshold 0 (including may possibly also be distinctively protected per node, e.g., based on integrity is as important aspriate? confidentiality, can Yes, the since above the mentioned difficulty scheme oftype compromising still of each be attack property appro- on may the varypossible implementation. with by For the example: conceived compromising confidentialityintegrity may may be require actively intruding a node to (maliciously) change an internal state (e.g., if not properly provisioned withsimilar rejuvenation type, mechanisms. such as If, several for hardware example, security nodes modules are (HSMs) of ora several constant virtual rate machines probability ofpossible compromise to is analyze plausible the for certain impact attack of vectors, reactive and then proactive it rejuvenation. is the conventional implementation is easier than compromising the confidentiality of models it may be possible todependent quantify on the an likelihood attack of intensityfind and that rejuvenation under pattern certain [ models the threshold property induces less reliability or availability this happens if: (when the three nodes in theconventional threshold non-threshold version version; is (when easier than compromising the availability ofintegrity a of a conventional non-threshold version; if compromising the confidentiality in tiality of the signing key); in comparison with the conventionalkey, scheme, while degrading improve the the availability confidentiality and/or of integrity the of original the intended output. Particularly, bad signature prevents an error propagationcan in be the disregarded application, ( then the integrity compromise (VMs) in different computers and have ( ( (

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 its value RIMITIVES P hides ] provides an abstraction properties — respectively RYPTOGRAPHIC C Can01 binding and CHEMESFOR S hiding ]: upon seeing a commitment from someone 18 DDN03 [ HRESHOLD non-malleability the agent to the value; then all agents reveal their bids in a verifiable way, and the binds The above mentioned considerations are also pertinent when changing from a conven- In contrast to the mentioned pitfall, there are formal methods for defining and proving NISTIR8214 T basing the analysis on a limited number of security properties. In that regard, we assume for the possibility of several components being controlled by the adversary. 4.1.3 Specific attacks tacks/compromises that affect security in a way that is not possible in thedefinition), non-threshold where an adversary hasmay some have access to to update an the “oracle” game (e.g., definition an (including encryption the oracle), definition of a success) to account replacing the threshold protocol by a corresponding ideal functionality. tional scheme to a thresholdan scheme. ideal The threshold functionality augmentation and/orthe may communication require adding adjusting between definitions components and of security the properties. threshold scheme may For be example, subject to at- that captures the intendedone application can then in deduce an diverseamong ideal properties, others such world. (e.g. as confidentiality, non-repudiation, Starting integrityis or and with plausible not availability, deniability). such present, modeling, then Ifand some the perhaps intended specified a property ideal different world idealuseful version is should properties, not be such capturing specified. as the composability, This allowing intended formal upper approach functionality, layer may protocols offer to be analyzed by the opening of the original commitment.simultaneously There malleable are [Ped92], hiding-and-binding which commitments would that be are ill-suited to the mentioned application. security. For example, the ideal-real simulation paradigm [ one with the highest bid wins.that the An commitment over-simplistic analysis would only of need themappable to application to ensure could confidentiality determine and integrityneeded properties. property However, this of would fail toelse, capture an a agent should notrelated be to able the originally to committed produce value, a and new which commitment the that agent commits is able to to a open value upon seeing separate security properties (e.g., privacy offail input to and capture correctness relevant of dependencies output) orcryptography may other research sometimes independent is properties. related to Afollows: commitment typical first, schemes, example each useful in agent for independently auction commitsbut applications to as a chosen bid, in a way that 4.1.2 A word of caution: pitfalls of decoupling security properties version (where the notion of communication between components is not even applicable). As just conveyed, there is a phase of security assessment that justifies care about pitfalls of As another example, a security property defined with the help of a “game” (a game-based A simplistic decoupling of security properties may lead to pitfalls. An enumeration of

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . ), k n and and f f denial of RIMITIVES P parties, and/or to f RYPTOGRAPHIC C constant. However, if nodes can be- k CHEMESFOR S 19 , while keeping n HRESHOLD ]. These proofs can serve as a guide to follow a logical Gro16 ) for handling faulty nodes may vary significantly based on the n of some cryptographic operation. The consequences can be catastrophic if the opera- We have been focusing on attacks against the confidentiality of a key, but attacks can NISTIR8214 T proving security in a standaloneother setting protocol vs. executions; establishing being security thorough under in composition modeling the with real world vs. omitting consid- compare security of a threshold scheme vs. the security ofto a adversary types corresponding (e.g., conventional seetical) Sec. and4.2 ), other security characteristics parameters of (e.g., aof computational system security model and/or properties (e.g., statis- vs. see proving Sec. that4.3); a proving an scheme enumeration (protocol) emulates an ideal functionality; Proofs of security aresupporting essential proposals of in cryptographic state-of-the-art schemesStandards is cryptography. and recognized Guidelines in Development the Process” “NIST document, Cryptographic Their published importance by the in Cryptographic path to assess the securityattack of models a threshold on scheme, which being to useful base to security identify assertions. assumptions and This can, for example, be helpful to ability vs. inability to detect and replace faulty nodes and may impose restrictions on 4.1.4 Proofs of Security service tion is part of aavailability. time-sensitive If critical nodes mission. can Threshold only schemes failincreasing also the by provide overall crash, number tradeoffs better of for availability nodes cancome typically malicious, then be availability obtained (of by correctfaulty operations, nodes. i.e., with The integrity) cost requires (in handling formal models of security, e.g., withinasking the how ideal/real and simulation which paradigm. threshold schemes Our may focus improve is security in in the real world. have other goals. An attack focused on breaking availability can try to accomplish a confidentiality of a key. Forother possible features relations (see between Sec.5), threshold and parameters theconsider (e.g., assumed how difficulty threshold to approaches perform can exploits (e.g., affect per (e.g., node), improve) we security propertiesextract of meaningful interest. information from leakage collectedthis from is a not threshold incompatible scheme. with threshold To be schemes clear, being themselves provably secure within some formal model. In otherimplementation words, was the not reference subject conventional system to wouldour compromise be perspective in secure about the if threshold real its schemes world.the in It real a is world. setting then that These that considers attacks, weand specific exploiting position their differences attack idealized between vectors versions, conventional in may implementations sometimes be focused on specific security properties, e.g., as baseline that a conventional implementationuisites already of implicitly an satisfies intended the context.algorithm, security then req- we For assume example, we if are talking we of discuss corresponding a algorithms already block-cipher suitable or under a signature Technology Group in 2016 [ This may include asking how difficult it is to compromise more than (non-threshold) scheme. Proofs are characterized by different attributes, e.g.: contextualized

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P RYPTOGRAPHIC C CHEMESFOR S Representative question 20 not modeled in the protocol specification? Is the attack based on information channels Representative attack types To which extent are the choices of the attacker HRESHOLD does it affect the physical structure of a device? Does an attack require physical access to and/or based on observations of the protocol execution? Does the attack affect the specified protocol flow? of) attempted attacks and/or successful intrusions? Is the system aware of (e.g., reacts to or logs evidence Is an attack on the threshold scheme a straightforward of a possible attack to the conventional implementation? generalization (e.g., parallel or sequential attack to nodes) Table 1. In static attacks, the attack pattern, e.g., the choice of which compo- A passive attacker (or a passively corrupted node) does not change Type active adaptive static vs. passive vs. invasive vs. undetectable non-invasive detectable vs. similar between vs. side-channels threshold-related vs. non-threshold and nodes communication interfaces NISTIR8214 T Static vs. adaptive. nents to try to compromise,adaptive does attacks, not the depend attacker on can observations adapt of the the adversarial protocol actions execution. based In on an observation of In active attacks, somedifferently components from the may protocol be specification; in subject the to later intrusion case, the and attacker behave may arbitrarily also interfere the flow of the prescribedof protocol some execution, but participants, may as gain well knowledge as of read the the internal content state transmitted via communication channels. Security goals are considered with respect to an adversary,a also sense known of as the range anto of “attacker”. crosscheck adversarial security scenarios assertions, that we it consider may several be attack able types, to as withstand.and enumerated As differentiate in1. a relevant Table cases baseline when considering threshold schemes. Passive vs. active. results from state-of-the-art research can provide useful insights on these choices. 4.2 Types of attack eration of possible real side-channels.research area, Proofs e.g., may single-device also setting vary (e.g., with threshold circuits) the vs. primitive general type SMPC. and Overall, This is not intended as a full characterization or rigorous taxonomy, but it helps us recall with the communication channels, by altering, dropping and/or reordering messages. When evaluating a proposal for threshold scheme implementation, we would like to have

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 , as RIMITIVES P ]) and thereby side-channels AK96 RYPTOGRAPHIC C Some attacks can be perpetrated via regu- CHEMESFOR S 21 While threshold schemes may be designed to miti- HRESHOLD Attacks may be detectable (and detected or undetected) or Another attack characterization relates to the needed proximity in a phase of the protocol. ]. Invasive attacks require the attacker to be in the presence of (e.g., “touching”) leader ISO12 NISTIR8214 T that can be considered similarly with respect to each component of a threshold scheme. In gate the effectiveness of some attackstion on of conventional a applications, threshold the design actualan may implementa- be attack the may cause be ofintermediates able new several inherent to nodes, vulnerabilities. exploit where For some such example, aimplementation. vulnerability network in We would characterize the not an even communication exist attackherently network in allowed as that a by threshold-related conventional the if threshold the design. attack Complementary, vector there is are conventional in- attacks requires close proximity), to changeinducing an a internal change state of (e.g., behavior. a lock bit [ Conventional vs. threshold-related. and interaction between the attackerNon-invasive and attacks the do physical not boundaries requiretem of interaction [ the within attacked the system. physicalthe boundary physical of device or the be sys- some in coating its layers immediate of proximity. a This device, includes to the reach case an of area stripping of out a circuit that can then be directly probed. From a different angle: adetectable stealth attack attack may may lead lead to to an a undetected detectable compromise/intrusion. compromise/intrusion; a Invasive vs. non-invasive. attack-detection mechanisms. They maysystem also is result nonetheless from unprepared blatant forattack detection. attacks, or When if having a the been system attacked compromised, doesgation. it not is It detect unable may being to nonetheless under initiate havetime, proactive reactive e.g., measures measures replacing in of components place, attack that triggered miti- might at or regular might intervals not of meanwhile have been compromised. explicitly designated communication interface of the system. Detectable vs. undetectable. undetectable. The latter may happen due to adversaries that are able to bypass possible lar communication channels, though possibly usinga specially corrupted crafted client messages. may For send example, to an exploit invalid a message buffer-overflow vulnerability. to Other amentioned attacks node in can of Sec. be a3.2, based threshold on taking scheme advantage in of order an information flow outside the scope of the the protocol flow. For example, aa node role may of be targeted for intrusion upon being elected to Communication interfaces vs. side-channels. This may also include beaming ultra-violet light into particular zones of a circuit (which The prospect of attack detectability may also act as a deterrent against malicious behavior.

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES nodes, usu- P n RYPTOGRAPHIC C nodes accounted for the threshold may be CHEMESFOR S n 22 HRESHOLD , can conceivably be outside of the threshold compromise model (i.e., ). Particularly, it may be justifiably assumed that a broker does not fail n nodes and users/clients, there may also exist special auxiliary components n brokers A broker can be used to modularize some concerns, e.g., replacing or substantiating Besides the Tolerance to compromise can be useful even in scenarios of non-intentional adversaries. NISTIR8214 T communication model, the broker can,all for components. example, At broadcast the messages inter-node from level, the clients broker to can be a router at the center of a star by the threshold components. Conversely, the instantiated in a platform more susceptible to certain attacks. usual assumptions, such as the existence of authenticated channels. Depending on the not accounted in be a simple stateless web-redirector, independent of the cryptographic computation needed on the environment. For example:a corrupted denial clients of may service behave for maliciouslyable other to to clients; try induce an to a adversary induce state controllingcan of part be inconsistency of said across the to different network be nodes, mightthreshold compromised. even be if entity We no and are node the interested in complementary in particular environment. security properties involving both the system and its environment. Aally threshold interacts system, with e.g., its a clients/operators, modulemay through composed also a of include medium other of communication. interfacesinformation through The and/or which system actively a interact (possibly with stealthy)are components adversary not of may limited the obtain just system. to Thus, actual attack intrusion/compromise vectors of nodes, but also to adversarial effects features of system model for threshold schemes are further discussed in Sec.5. 4.3.1 Interactions For a security assessment, it is relevant to consider the interaction between the threshold encourage a reflection of different consequences they may induce. Several characterizing For example, some systems may be constrained to satisfythreshold auditability scheme requirements with tolerance that to compromise, then the audit of components can be done 4.3 System model the latter case, it is still relevant to consider, for example, if an attacker is able to choose The goal of this subsection is to convey possible nuances of system models, in order to with the task of relaying,we proxying may and/or call aggregating messages. Such components, which within the attack model considered for the other components. For example, a broker may warrant taking down components for audit.without If affecting a the overall service availability. is supported on a multi-party whether to attack the nodes/platform in parallel or sequentially.

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P RYPTOGRAPHIC knowing a secret can define C dealer CHEMESFOR S 23 HRESHOLD A threshold scheme may also be implemented in a setting where the nodes have identities In an easy scenario, no new nodes join after the onset of a threshold scheme, and their The security of a cryptographic service also depends on the communication model. Con- NISTIR8214 T authentication and communication (e.g., withorigin) confidentiality between and any integrity pair of of content nodes. and (This assurance assumes that the attacker may control the setup configuration, deploying nodes,inter-node establishing communication their channels. identities and The possiblydelegates dealer even the then the threshold distributes execution shares of of some the cryptographic secret primitive. and tied to public keys within a public-key infrastructure (PKI). The PKI can then support secure each party verifiable by other parties? Is the set of parties constant, does itidentities change remain in valid a throughout their lifetimes. A It is easy to leavethreshold implicit scheme, certain but assumptions different about settings the lead identities to of different nodes results. involved in Who a decides and enforces capabilities of the system.be For sufficient example, to the counteract existence certainchannels. of difficulties It trusted is imposed clocks specifically by may pertinent asynchronousprotected sometimes to with communication justify some when mechanism, the such communicationsecurity as medium (IPSec) transport should or layer be others. security (TLS), Internet protocol 4.3.2 Identity trust fail-safe (messages always delivered) and authenticatedthe channels channel may conditions become change. insecure Thus, if essential the to characterization contextualize of security the claims communicationparameters about model include a is the threshold existence scheme. orthe Main lack presence characterizing of of synchrony, authentication certain and trusted components encryption. (or Also, trusted setups) may significantly affect the client. For example, the clientthe may participation receive a of multi-signature a enabling number non-repudiation of of nodes in the production of a response. ceivably, an attacker may be ablein to a eavesdrop, number delay, drop, of corrupt communication and/or channels. forge messages A protocol secure in the case of synchronous, of the client’s messages and thenit only can send check these consistency, shares and to possiblya the perform threshold nodes; error number in correction, the of and reverse nodes, direction, on aggregate to replies the then from protocol, just the send threshold acase, nature consolidated the can reply be threshold to hidden nature the or of client. not the Depending from scheme the may, as client. a Even feature, in be the intentionally broker revealed to the configuration, substantiating an inter-node (logical) cliquea model. mediator between The each broker client canfrom and also the the act client set as the of threshold nodes scheme of layer. the For threshold example, scheme, the broker possibly can hiding produce secret shares who the participants (nodes) of a multi-partywell-defined threshold manner, scheme or is are? it arbitrarily Is open to the new identity membership? of

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 n / f RIMITIVES P variable (perhaps while n ] a single entity can forge RYPTOGRAPHIC C and f Dou02 CHEMESFOR S 24 HRESHOLD ]. The joint computation may yield to every node a share Ped92 ratio). What if there is no verifiability criterion for the legitimacy n / f ) of compromisable components. Some mitigation measures may involve enforcing a In more controlled settings, there may be a requirement that new parties be able to Some systems may need or benefit from being dynamic with respect to the number In a different setting, the initial state of parties might be defined by a joint protocol, e.g., 1 < NISTIR8214 T send it through a trusted proxynode; that or creates (ii) and it sends may afor communicate corresponding each directly plaintext node a share but share to send to each themby each through a node; a nuanced system single or model, primary (iii) e.g., node. it respectively (i) Each may the example encrypt existence may shares of be a supported special trusted component; secret keys. But when thethe threshold request system of is a then client, usedto is to, ensure there say, confidentiality a encrypt of concern or the about signscheme plaintext confidentiality messages and may of at system dictate the model. restrictions plaintext? If on Ansend the the the intention plaintext plaintext type is in of clear to threshold to remain one secret, or then several of the the client nodes. cannot Alternatively, simply it may for example: (i) rate of reactive refreshing it may temporarily have no additional nodes to join. 4.3.3 Trust between clients and threshold scheme prove belonging to an allowedan group. authority. Some This scenarios may can bethreshold justify scheme based having for a on cryptographic dynamic a primitives. number PKIan of This certificate implementation parties may signed with happen, in a for an by system example, actual of inof intrusion the nodes. detection case There and of may proactive be and times reactive refreshing when the system must refresh some nodes, and due to a high of a new intended guestmultiple participant? entities perceived In as valid, a thereby Sybil easily attack breaking [ any fixed thresholdcost ratio of participation per party, e.g., performing some cryptographic puzzle]. [JB99 dealer of shared secrets, although the nodes may still have been deployed byof the participants same in entity. a protocol.enter the This protocol, may thereby involve making allowingmaintaining the different a threshold parties fixed parameters to dynamically a distributed [ of a new secret, possiblyused along by with a authentication certification credentials. authorityit (CA) This available to can (for generate leakage) conceivably a in be new any signing localized key, without point. ever In having such case, there is no use for a trusted the delivery of messages between nodescertification but authority.) cannot With PKI-based prevent nodes signatures, from aenable accessing threshold external the users scheme root to can verify be that designed results to were indeed obtained upon a threshold interaction. (iii) a PKI (or shared symmetric keys) enabling encrypted communication with each node. (ii) a communication model where each client can directly communicate with each node; ( We have emphasized the use of threshold schemes as a way to enhance the protection of

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 , ]. ], even ], with LSP82 Vas15 , RIMITIVES P Lyn89 FLP85 PSL80 parties agree on a value n RYPTOGRAPHIC C parties are compromised. For n . Provided the appropriate timing 1 + ]. In another extreme, consensus is f -out-of- f 3 CHEMESFOR ≥ S Lam06 n [ 25 1 + f ] or synchronous communication [ 2 HRESHOLD ≥ ], or in some other setups (e.g., reliable broadcast and n Rab83 , , or equivalently within this setting include many impossibilities [ 3 PSL80 f / ) Ben83 1 and + n n 2 ( ≥ , or equivalently k is to ensure that all good parties within a group of 1 + f ]. In those settings the number of good components must be larger than two-thirds of ≥ k The discussion above motivates reflecting also on the property of brittleness [ For example, the problem is solvable even with Byzantine faults if the processes have Results relating Another matter related to the relation between users and threshold system is authenti- We can also consider the assurances that a client would like to receive from a threshold consensus NISTIR8214 T exfiltration of a key) of a particular algorithm due to errors in the configuration and/or enable transferable .cryptographic This signatures is [ thesecret case channels when in a a precomputation PKI phase setup [PW92]). enables access to randomness [ DDS87 the total, i.e., assumptions, if nodes only faili.e., by crash then a non-crashedsolvable simple-majority even is with sufficient, a single good party if a suitable trusted setup can be instantiated to problem is unsolvable deterministically in a completely asynchronous setting [ by crashing). Yet, realistic subtle nuances of the system model circumvent the impossibility. example, this may be necessaryoperations for to letting perform a in multi-party which system order,maliciously when decide delivered, the which from system cryptographic multiple receives concurrent users. requests, possibly myriad nuances depending on communication and failure models. In one extreme, the ment/consensus problem — fundamental inhow the varying area models of distributed can systems leadfor — to threshold to a schemes, illustrate wide namely variability forof of certain results. multi-party implementation This settings. isproposed The a by goal relevant one problem of the good parties, even if up to operations. Access control can itself be implemented using a threshold approach. 4.3.4 Distributed agreement/consensus ple, with the support of publicly verifiable secret sharing (PVSS) schemes, [Sta96 Sch99]. cation and authorization of users.control Cryptographic mechanism modules to often determine have from to which users support to an accept access which requests for cryptographic scheme operation. We already referredsignatures to the (or possibility multi-signatures) of from a the client nodes. receiving Going independent further, we can also think of clients This expresses a degree of susceptibility to a breakdown of the security properties (e.g., To explain the importance of defining a system model, we use the distributed agree- with (non-transferable) authentication and a single crash-stop process (which can only fail wanting to obtain assurance of correct behavior by the nodes. This can be achieved, for exam-

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 and bad RIMITIVES P and number of com- good refers to availability bad k and RYPTOGRAPHIC C good ), meaning that desired security 2 f ]. The thresholds can also depend < . The meanings of 1 1 f − of components, which in turn may impose k CHEMESFOR n S FHHW03 26 secret sharing scheme the of components; in other cases, design constraints n f (i.e., non-compromised) components; or a maximum HRESHOLD -out-of- k good of components, a “threshold” can be expressed in two ways: a of — enables us to pinpoint each perspective, which can be useful. (i.e., compromised) components. Correspondingly, the dual n k k vs. bad f of good components, depending on the protocol and adversarial model. of k f for confidentiality of the secret (maximum number of components that together f As already discussed in Sec. 4.1.1, these thresholds (of 5 Characterizing features NISTIR8214 T cannot recover the secret) isthe in corresponding that thresholds case can equal vary to across different security properties. The threshold ponents) make sense when contextualizedFor (sometimes example, implicitly) when to referring some to security a property. threshold threshold notation — For example: in somecompromise cases, of a up to design a goalsuch threshold is as number directly cost may set directly asa limit the threshold the ability number total to number withstand the From within a total number minimum required number allowed number cryptographic schemes.2 Table shows examples ofof possible characterizing representations features and — attributes it does not intend to be exhaustive. 5.1 Threshold values 5.1.1 A threshold schemes, to facilitate the discussion towards criteria for evaluation of concreteon diverse proposals. adversarial models. Put differently,high-level we features find is that important the for upfront discussing clarification the of standardization certain and validation of threshold trophic while the second thresholdon is the not type met of [ attackers, and different nodes can be subject to different types of compromise. catastrophically under reasonable variations ofinstead the some environment. kind One of would graceful typicallyhow degradation. prefer protocols Also behave differently related under and different pertinentacterized types is of by the attack. two consideration (or Some of more) protocolsproperties can ordered be hold thresholds char- while (e.g, the first threshold is not surpassed, but the security failure is not catas- input parameters. Inrespect other to words, changes one in the isproperties system concerned under model with a or well-defined expected the model, setup. fragility it Even of may if be a a unsuitable system system for has real with all deployment desired if it fails (minimum number of components necessary to recover a secret), whereas the compromise We now provide a high-level structured review ofWe intend characterizing to motivate features a of characterization that threshold helps clarify security tradeoffs when reflecting

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 vs. and I f f vs. 1 vs. RIMITIVES C − n f ) P n 1 , , 2, ) n 1, 1 / n ( ) , + 1 1 f ( − ,..., ) 1, n = ( 2 ) + / 3, f ) / 1 ) 1 − RYPTOGRAPHIC Integrity , ... 2 − n k ( n C n , , Examples star; clique ( 2 = dealer; SMPC / k ) 1 0, ... ). Secrecy n − k = unbounded vs. limited set ( n f = or min global ; proxy; combiner; (( A random number generator (RNG) common; independent; sequential k max CHEMESFOR offline pre-computation vs. on-the-fly; broadcast; primary node; secret-sharing in single device; threshold circuit design S multiple interacting computers; multi-chip reactive vs. proactive; parallel vs. sequential TLS; IPSec; dedicated physical connections; vendor; processor architecture; randomization operating system; CA; access control; location; 27 VMs as components; HSM; crypto accelerators; crypto libraries; trusted computing environments 0, i.e., trusted paths]; [NIS01 application-level encryption = A f HRESHOLD ) and at the same time a pessimal threshold for integrity secret-sharing scheme has an optimal threshold for con- 1 ) nodes k n = C k Characterizing features of threshold schemes k crypto module and -out-of- n ↔ , i.e., f single device 1 ) and good ( Diversity levels Representation f Table 2. Bootstrap support − Channel protection vs. Multiple parties vs. Inter-node structure ) and availability ( Diversity generation Rejuvenation modes Threshold numbers of Auxiliary components n Software vs. hardware n Variation with security can be indexed by the corresponding security property (e.g., n Client property and attack vector Compromise across nodes bad ( f = = I C f k and k and 0, i.e., type Setup cation Target Feature For another example, consider a threshold randomness-generator, intended to output As one example, a = platforms executing interfaces Threshold Communi- , respectively for confidentiality, integrity and availability), but we omit indices when the I maintenance . Furthermore, it is important to understand how these thresholds can have an extreme A f f NISTIR8214 T generators of randomness (the components of the threshold scheme). The output is then fidentiality ( uniformly random bit-strings, periodically orthe upon output randomness request. can In be defined a as particular the specification, XOR of bit-string contributions from several be sufficiently characterized to enable determiningk allowed relations between context is clear. 5.1.2 Relating symbols variation across security properties. ( When analyzing proposals for concrete threshold schemes, we intend that the system model

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 , ) 0 ) in , 1 n − n ), but dif- ) = ( RIMITIVES 0 A = P f I = , f A A f k ( RYPTOGRAPHIC C nodes from the remaining subsets. It is f CHEMESFOR ). One could then argue that the application S 0 28 = ) in the first example and optimal f 0 = is a number that defines a simple partition of subsets, I f f HRESHOLD , with respect to guaranteeing the uniformly random property ) 1 − n , 1 ) in the first example, whereas it is not even applicable in the second example. ) = ( I 1 f , − I k n ( = A f In the simplest form, a threshold The determination of relevant threshold values can also depend on the primitives used In comparison, the two examples have the same availability thresholds ( NISTIR8214 T example, this can be basedof on correct verifiable secret use sharing of schemes, shares. which It allow can verification also be based on zero-knowledgedistinguishing proofs the of set correct of behavior. subsets with more than tolerate compromised components (i.e., if itself allows a different threshold for integrity.or Similar symmetric-key verifiability encryption, with may respect be tocertain decryption, more difficult/costlier, threshold though schemes not can impossible. bethat In prevents directly fact, integrity built violations with when a up property to a (often threshold called number robustness) of parties misbehave. For and the application context, e.g., howother the entities. actual In threshold some scheme applications, isupon a request used client to in can a connection check threshold with the signatureproper validity module. reaction, of If then signatures a a obtained detection threshold of signature an scheme incorrect can signature allows be a useful even if its integrity does not tolerance to compromise), when comparedsame to is a true passive for and/or system crash-onlynication model adversary. assumptions, The channels, such and as the asynchrony absenceinfrastructure. vs. vs. The synchrony distributed of existence consensus commu- of problem in a Sec. trusted 4.3.4 setupshows such how a as threshold a can public-key 5.1.3 Different thresholds for the same scheme thresholds for different security properties.a Going fixed further, qualitative the property thresholds (e.g., may confidentiality,active/malicious/byzantine vary or adversary even integrity, induces for or a availability). lower Typically, fault-tolerance an threshold (i.e., lower ferent integrity thresholds: pessimal ( the second example. Furthermore, confidentialityold is ( a relevant property with optimal thresh- old, i.e., of a produced output. However,ponents, if then an the output scheme generation also requiressince has the a the participation single worst of bad threshold all party for com- can availability, i.e., boycott the output. uniformly random if at leastis one (good) independent contribution of is the a otherimportant uniformly contributions. but random out bit-string Note of that that scope the for guarantees this for report. independence Thus, are this scheme has an optimal integrity thresh- vary widely depending on the setting. worth noticing that the concept can extend to more general partitions [ISN89, HM00]. We gave examples for how the same threshold scheme may be characterized by different

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 and/or f RIMITIVES P RYPTOGRAPHIC C of components? n CHEMESFOR S 29 nodes of the threshold scheme, we can call it a primary HRESHOLD n ), as a function of the total number k model (e.g., synchrony vs. asynchrony, passive vs. active adversaries)? minimum What envisioned application contexts justify athe high cost threshold of for a some low properties threshold at for otherHow properties do (or threshold of values other vary mitigation with measures)? respect to conceivable variations of the system For each desired security property, what are the threshold values (maximum 2. 3. 1. NISTIR8214 T per component. This canto be encrypt used or to sign. support At confidentiality the of very the least, input, this e.g., prevents components a from plaintext applying corruptions If the client is awareall of components. the threshold A scheme, possible advantage itsame is may request. ensuring be Correspondingly, that able the all to client correct replicatenumber may components a of) also receive request components receive the across replies and from onlymodel, all then the (or decide client a on can threshold a perform final secret-sharing result. on In the a input different and implementation then communicate one share nodes). But other threshold properties,scheme across e.g., all confidentiality nodes, sustained may on remain a independent secret of sharing the use or not of5.2.2 a primary. From client to all nodes node for communication. It relays to all otherintermediate nodes results the produced communication by from other theto components, client the to client. then send In a suchnot single a be consolidated setting able reply to the tolerate system the might, failure for of example the with primary respect node to (if availability, this role does not change across 5.2 Communication interfaces impacts the communication model. Conceivably, athan one client component can (hereafter now “node”), communicate andIn with the Sec. more nodes4.3.1 can communicatewe between already themselves. describedasynchrony, and several the nuances possible of existence system of model,of a including communication broker. synchrony structures vs. We related now to briefly clients describe and three nodes. nuances 5.2.1 Client to/from primary node 5.1.4 Representative questions about threshold values The client may communicate with the threshold scheme via a single contact component. The augmentation from a conventional cryptographic implementation to a threshold scheme (e.g., a plaintext), and inversely the result (e.g., a signature). For example, it aggregates When such component is one of the

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P RYPTOGRAPHIC C ] of the system affected by the existing CHEMESFOR S NIS18c 30 HRESHOLD How is the logical/physical “boundary” [ communication channels? How does the clientproduced obtain by a a set consolidated of reply nodes? based on a set of partial results 5. 1. Are clients aware of the threshold2. nature ofHow the is implementation? the initial request from3. a clientHow propagated can through the the inter-node set communication of be4. nodes? compromised? NISTIR8214 T rithms were implemented predominantly in hardware. Examples of such embodiments are Cryptography is implemented on amodern variety technological of computing revolution in platforms. computing In and the communications, early cryptographic days algo- of the properties of a threshold scheme.for Yet, security there assessment are and distinctive platform-related validation.device aspects We elaborate vs. relevant here multi-party; on software three vs. mainaffect hardware; other instances: and features single- auxiliary and components. are relevant These for aspects the can development of validation profiles. 5.3.1 Software vs. hardware 5.3 Target computing platforms inter-node network structure influences thestar efficiency configuration, and a security primary of node communication. intermediates all In communication. a In a clique configuration reasons, a star configuration may bebe used available for for most secondary communication communications. andknown a A as clique dynamic leader) configuration selection may of enable the overcoming primary cases node of (also it being compromised [CL02]. 5.2.4 Representative questions about communication interfaces In typical threshold schemes, theselves. components have to (An directly exception communicate is between when them- the client is the sole intermediary between nodes). The dependent on the plaintext value. In the reverse direction, the client can reconstruct (possibly 5.2.3 Inter-node communication To some extent, the implementation platform can be abstracted from some functional (i.e., a complete graph), all nodes are able to directly contact any other node. For efficiency with error-correction) an output from a set of replied shares.

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES FIPS 140-2 P , Section 4], which are RYPTOGRAPHIC C NIS01 CHEMESFOR S ], or the cryptographic extensions of standard ], which was initially developed for hardware ]. These modules can also be used as secure 31 ], and the TrustZone technology on Advanced Int18 NIS01 Mor11 [ ARM18 HRESHOLD FIPS 140-2 ] and are limited to a lower level of security assurances they can NIS01 . Also, some hardware platforms such as a Field-Programmable Gate Arrays The hybrid approach to cryptographic implementations aims to benefit from the flex- Given this historical context, the distinction of hardware vs. software in As the adoption of cryptography extended into e-commerce over the Internet, software It is natural to think of the physical boundary of a dedicated circuit board, a dedicated software NISTIR8214 T sub-components within a hybrid faultstricted model. mode of The compromise “secure” (e.g., components only have by a crash), thereby more enabling re- better thresholds for executing on a dedicated HSM attachedthe to Trusted Platform the Module same GPC. (TPM)Central Examples [ of Processing such Unit modules (CPU) are instruction sets, such asRISC the Machine Software (ARM) Guard processors Extensions [ between hardware and software, focusingon primarily different on types the of isolation computing properties, platforms. rather than ibility in software andthe the implementation isolation is in and/or software acceleration executing in on a hardware. GPC/OS platform Here and a another portion portion is of to the manner in which theactually computation contain is an performed. embedded Note, microcontroller forin that example, performs that an the HSM cryptographic might computation implementations. For the sake of readability, we will assume a more “traditional” separation spondingly, these software modules are subjectdescribed only in to Ref. [ a subsetclaim of to the deliver. security requirements comes from the difference in isolation that the approaches provide, and is not directly related purpose computer (GPC) are justcontrol like of any an other software operating component systemto that (OS). provide runs GPCs fewer within assurances are the with muchsecurity-sensitive respect more parameters to porous from the (see unauthorized isolation Sec.1) access ofsame and by cryptographic GPC/OS other tend keys platform, applications and or running other remotely on through the the network interfaces of the platform. Corre- the physical boundary of hardwareconcerned modules, with namely ensuring in the Ref. attacker [ cannot probe the circuitry and extract the keys. implementations of cryptography emerged andiment over for the cryptographic years primitives. became Software a cryptographic widely implementations used on embod- a general chip, a smart card, orblack USB box key. boundary introduced Thus, in onefact4 Sec. can isand relate the formulate that foundation a physical for setcryptographic boundary of implementations. to security This assertions. the standard ideal This contains in specific security requirements on the secure phone lines between federal offices in the 1970s.information, Hardware along implementations with pro- storage and management of keys and other sensitive parameters. vide a level of isolation of the sensitive cryptographic keys and their utilization in processing (SGX) instruction on Intel platforms [ (FPGAs) can be “reprogrammed,” a property that was historically reserved for software

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES computers P n ]. HSMs offer similar RYPTOGRAPHIC C AMD12 CHEMESFOR S 32 threshold setting can be composed of hardware security modules (HSMs) connected via a n HRESHOLD multi-party virtual machines (VMs) running within the same hardware machine. 13, ]. BDK17 n + ], which allows keys to be recovered in seconds or even minutes after it has 09 ] and Advanced Micro Devices (AMD) CPUs [ + HSH Gue09 In contrast to the alluded multi-party systems, we also consider “single device” settings. Another reason to delegate the execution of cryptographic primitives to dedicated The hybrid approach offers important security advantages for implementing crypto- In some cases, a specific is implemented partially in software NISTIR8214 T components is often expected and achieved. Threshold schemes are applicable to the single- Main distinctive aspects include, typically, aand somewhat a rigid well-defined configuration of physical components cases boundary. the If connections the between inner devicedevice. wires is However, there and a are gates hardware technologies are circuit,adapted that fixed across actually then throughout the allow in lifetime even the those most of life components the of to device, the e.g. be FPGA. Communication synchrony between testing, updating and patching. Inby a a multi-party computation, network, the possibly nodesscheme. asynchronous, may be inherently For separated outside testing of andrealistic the communication validation, control medium the of between tester/validator multiple the might parties. threshold not be able to simulate a components, it is intuitive todevices). think of For a example, set a ofcommunicating interacting over parties the (also Internet, known or asprivate network, nodes or or Intel [ acceleration benefits. 5.3.2 Single device vs. multi-party in the virtual memory of the operating system, and might therefore be moved into DRAM. hardware is for performance improvement. An example of this is the AES extension on graphic primitives and keyments. management in For isolation, example,tacks as a [ well hybrid as implementation performancebeen could removed improve- potentially from the mitigate device. cold-boot Cold-boot attacks at- typically assume that the keys are stored and partially in hardware. Forsuch example, a an way RSA that signature the algorithmof modulo may the exponentiation be data is implemented is executed in implemented incryptographic in hardware but software. primitives the is In required implemented other cases, inthrough an an application entire HSM programming suite interfaces and of (API). used fully by implemented a software component byzantine fault tolerance of acomponents distributed [VCB system composed also of larger and less secure The connectivity may be dynamic, with the components being possibly replaceable for An HSM could mitigate this attack by ensuring that keys never leave the HSM. When a threshold scheme is developed to enable tolerance to the compromise of several

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . To use n RIMITIVES P RYPTOGRAPHIC C CHEMESFOR S 33 components. These may include, for example, HRESHOLD wires in the threshold circuit contains information about auxiliary f Which parts of the logicalphysical boundary boundary, of as the verified threshold by system the do system not developer correspond or to deployer? a If a proposed threshold scheme is devised for a “single-device” setting, what can go wrong if its components are instead separated and communicate over the Internet? There is flexibility in distinguishing, and identifying similarities, between multi-party 1. 2. NISTIR8214 T the auxiliary components mayinterfaces. affect the The inter-node auxiliary and componentstesting the may and have client-node validation their is communication also own needed compromiseforeseeable when model, that testing a and and validating great their a deal thresholdaway of system. from analysis threshold-related Yet, about it arguments. the is auxiliary components can be modularized 5.3.4 Representative questions about computing platforms that acknowledges these components enablesFor a example: better system a model trusted for (assumedsystem security trustworthy) model, assessment. clock which may in be turn what can enables influence synchrony the in threshold a anddesign the of protocol; a the circuit interaction based on secret-sharing; we have also already given examples of how a distinctive term, we calla them trusted global clock,combiner a of proxy, information a from common components. random Having (or a pseudo-random) threshold-scheme characterization bit generator, a isolate, replace and test corruptionproperties of of a an singular implementation. component, In forcomplete some the single-device separation purpose cases, of of it components validating may to be test infeasible their to individual achieve correctness. 5.3.3 Auxiliary components a device with a thresholdindeed design not to have be any multiple redundancy “parties”. ofapplied Conversely, hardware a by components, single-device means and may of yet repeated aplatforms executions threshold of is scheme an in be algorithm. facilitating The aization value categorization and/or of of validation distinguishing aspects profiles. the that For may example, justify in a different multi-party standard- setting it may be easier to that no isolated subset ofany up bit to that would beproviding flowing increased in resistance the against original certain circuit. side-channel attacks A [NRR06]. main application of this designand is single-device scenarios. For example, we could imagine the physical components within device setting by means ofthreshold an circuit inner become threshold encodings design. (e.g,the sets There, conventional of (non-threshold) the secret circuit. inputs shares) and For of confidentiality, the outputs the inputs of threshold and a property outputs may of be Threshold schemes may require essential components beyond those accounted in with a trusted random number generator may be necessary to take advantage of the threshold

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P ]. Some protocols BR07 RYPTOGRAPHIC C CHEMESFOR S nodes in a good threshold scheme is not easier 34 n HRESHOLD -out-of- f and if the process of compromising each node is independent? Not 0 > f Which auxiliary components support thedifferent threshold from scheme the but one have a applied failure to model the threshold nodes? Is the system simply developed attied the to software particular layer, or hardware are components? there software components In a setting with a dealer, it is relevant to consider the extent to which the protocol security 4. 3. NISTIR8214 T guaranteed if It is desirable that compromising than compromising 1-out-of-1 in a conventional scheme. But is such property inherently can be made secure againstenables an parties to untrusted verify dealer, correctness withsecurity of respect hinge the to on distributed parameters. an integrity, if assumption Othermay of the protocols exist a may protocol tradeoffs trusted have between dealer. efficiency Depending and on the the property functionality, of there supporting the malicious dealer. 5.4.2 Rejuvenation of nodes example, a setup phase canso-called also “Beaver-triplets” — consist triplets of of athe field trusted product elements party of (possibly the generating bits) first andexecution where of two. secret the certain sharing The third secure pre-processing is computation protocols of [Bea92]. these triplets enables a very-efficient In secret sharing, a “dealer”scheme, is that an knows entity, a possibly secret outsidea and the possible “deals” failure model shares scenario, of of a it the keykey holder to threshold to the in nodes a nodes of safe that the environmentof operate deals threshold a in shares scheme. dealer of a In is a threshold not long-term manner necessarily signature in limited to a applications less-secure related environment. to secret The keys. role As a practical setup of the communication networkduring and detection continued and/or maintenance recovery of of the compromised system, components. including 5.4.1 Dealer vs. dealer-free setup In some settings a thresholda scheme construction can with be a implemented single fromexisting point scratch of single-point-of-failure as failure. an entity, alternative In which to other issystem. cases intended the To to starting compare be point the is redesignedbootstrapped, effects exactly as including from an “who” a the deploys threshold change, the nodes, we and should their consider initial how states. the Also system relevant is is the 5.4 Setup and maintenance withstands or breaks in the presence of misbehavior by the dealer [

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 ]. To ]. The RIMITIVES OY91 P KF95 ]. If the regular SNV07 RYPTOGRAPHIC ratio and a sufficiently high C n / f CHEMESFOR S 35 ]. One may also consider adversarial scenarios KK07 HRESHOLD If a threshold scheme is based on electing a primary node, what happens when the In some protocols a rejuvenation may have to take place in parallel, e.g., such as the The rejuvenation feature brings along a whole new set of considerations, possibly affect- If a compromise is detected, then the corresponding node should be reactively replaced If nodes of a threshold system can only transition from an uncompromised to a com- NISTIR8214 T asynchrony in recovery proceduresthreshold may scheme requires hide only subtle a problems simple honest [ majority, but the corresponding rejuvenation primary node is the onerejuvenations, in need can of an replacement? attacker Ifproactive a rejuvenations? take scheme What advantage allows happens of reactive if and thean knowing proactive regular asynchronous the threshold environment, scheme but schedule/ordering the performs of recovery correctly procedure in the requires synchrony? Not handling simultaneously. In other cases, rejuvenationseach may occur node sequentially, at replacing/recovering aconsiderations time, pertinent to especially the if initialrejuvenation the setup context. of process For a involves example, threshold is a systemof there are long a a also “dealer” downtime. rejuvenated applicable responsible node to for or Many the setting should of up the the state the full be state updated by the set of online nodes? diversify some component, to prevent re-exploitationdiversification operation of may the have same its vulnerability own [ requirements, possibly requiring pre-computation already discussed example of updating key shares, with all online parties being rejuvenated brings the whole system back to a pristine state, with all nodes healthy. ing security in non-trivial ways.application), If then the newly nodes inserted need nodes to needification be to as stateful be a (i.e., consistently sub-protocol. updated, hold The which state rejuvenation requires about of spec- the a previously compromised node may need to by a healthy version, lestIf the system the eventually compromises converges to are allrecovery not nodes should detectable being take but compromised. place. are Inthe nonetheless the secret conceivable, threshold key signature then constitutes scheme a a from proactive and parallel Sec.3, the rejuvenation the of number resharing nodes. of of compromises If never there exceeds is the no allowed persistent threshold, intrusion, then the resharing counteract these transitions, itrecovery/replacement/rejuvenation is of possible, nodes that and can in bringcompromised) many nodes state. settings back There to essential, is a to a “healthy”proactive, plethora implement parallel (un- of vs. possible sequential, rejuvenation instantaneous modes, vs. e.g., delayed, reactive stateless vs. vs. stateful, etc. promised state, then the systembe may due be less to secure an under increasedmission certain attack attack time. surface, vectors. a This This sufficiently may triple-modular-redundancy is low design a [ well-known resultthat in induce fault a tolerance, probability rate as of may a happen node under in attack a becoming basic compromised [ necessarily, even if the compromise of a node requires an independent exploitation effort vs. being generated on-the-fly by some sampling procedure. (e.g., time, computation) per node.

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 ] SZ05 (among of nodes. RIMITIVES f P diversity RYPTOGRAPHIC C CHEMESFOR S 36 ]. In practice, common vulnerabilities may occur at HRESHOLD Yet, a standalone characterization of threshold values does CA78 ]. Implementation-wise, multiple levels of 4 LS04 The use of diversity is a longstanding practice of traditional fault-tolerance, but its use for Consider an example where all nodes are symmetric with respect to the threshold pro- 1. Can a threshold scheme be bootstrapped2. in bothWhat dealer levels and of dealer-free diversity manners? are envisioned to deter common-mode failures? We also bear in mind the possible mapping of threshold properties into side-channel resistance properties. NISTIR8214 T other properties) may be required toand reduce to the possibility substantiate of an commoncompromising assumption vulnerabilities fewer [ that nodes. compromising A more fundamentalattack difficulty nodes vector is is may that more be the unpredictable difficult level of until than effort the used attack by takes an place. 5.4.4 Representative questions about setup and maintenance changing some randomness used whenmay compiling be a a software small version. set Atimpossible of some to variants levels, replace. (e.g., there operating systems), whereas others (e.g., passwords) are security is more intricate [ space (i.e., across the componentsand within executions a across threshold time). protocol) In andreplacing the time multi-party a (i.e., case, replacements physical rejuvenation node canmight happen by by be a actually limited new to one. refreshingfixed. randomness, In In a while certain software the single-device setting, actual settings, rejuvenation hardware may rejuvenation structure correspond remains to replacing a virtual machine, or tocol, i.e., all implementimplemented the in same the functionality. same manner, One say, the can same then software, imagine possibly containing all a nodes common being multiple levels where the settocol, of hardware nodes design, is physical homogeneous, location, e.g., password. operating Diversity system, may network be pro- implemented across Consider the case of acommon common operating vulnerability, i.e., system). common Once across theable all vulnerability to nodes is exploit (e.g., it discovered, a with an bugthen negligible adversary in be cost might a “as to be easy” compromise as all compromising nodes. a In conventional this scheme example, with this the would same vulnerability. Intuitively, a main motivation for thresholdthe schemes compromise is of to some improve nodes. securitynot by say withstanding anything about the difficulty of compromising the threshold number mechanism requires a 2/3 honest majority, then the threshold properties are also affected. 5.4.3 Levels of diversity 4 vulnerability. Conversely, each node canvia also different be software programmed versions for [ the same functionality

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P ] in 1995 to validate RYPTOGRAPHIC NIS18c C ]. They must also use only validated CHEMESFOR tC96 S 37 ]. The CMVP leverages independent third-party NIS01 HRESHOLD [ ] follows a contrasting approach, where one is allowed 140-2 Com17 Does the sub-protocol for handling rejuvenations interfere with the system availability? The Common Criteria [ FIPS 140-2 is a standard defined as a system of conformance security assertions. The As we have pointed out, the correct and bug-free implementation of a cryptographic 3. What dependency of compromise exists across4. nodes, for envisioned attack vectors? 6 Validation of implementations NISTIR8214 T to define a unique settarget of of security evaluation assertions (TOE). for The a goalthe target of correctness component, the of often Common the referred Criteria specific to certificationtypically security then as much assertions is less a claimed to structured evaluate by thanand the the requires validation TOE. substantially process The higher in evaluation expertise FIPS is from 140-2, the takes evaluators longer and time validators. security assertions that the module mustfunctional meet capabilities. for a In chosen turn, security thein level cryptographic and FIPS primitives module-specific approved 140-2 by through NISTsets Annex and of A adopted conformance for security use assertions.constrained in This and allows cryptographic well-defined the modules set CMVP of are to security work also assertions with specified that a as can reasonably be validated. security assertions in the standardmented cover into a various wide types range ofsecurity of assertions cryptographic physical are primitives embodiments grouped imple- called into sets, cryptographicsecurity one levels modules. for for each cryptographic The security modules. level.a Depending FIPS particular on 140-2 module, the defines e.g. type four of software technology or used hardware, for the standard defines a subset of applicable cryptographic modules against the securityStandard requirements (FIPS) in Publication Federal Information Processing testing laboratories to testindustry commercial-off-the-shelf vendors. cryptographic modules supplied by cryptographic implementations, typically referred to as modules. algorithm and the environment inassess which security it aspects executes are related also tolished very real the important hardware Cryptographic for and Module security. software Validation To implementations, Program NIST (CMVP) estab- [ 6.1 The existing CMVP and FIPS 140-2 Governments recognize cryptography’s important role infrom protecting unauthorized sensitive information disclosure orestablished modification, theoretical security and properties. tendcies to For must example, select US use algorithms and NIST-defined with Canadianin cryptographic computer well- federal algorithm and agen- standards telecommunications to systems protect [ sensitive data

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P key components n components provides no 1 RYPTOGRAPHIC − C n This can for example be satisfied ]. The current project includes an “if knowledge of NIS18b CHEMESFOR S 38 HRESHOLD It is encouraging to note that automated methods for validating protocol implementa- One additional challenge is to enable ways to validate those assertions in an automated As technology progresses and cryptography becomes ubiquitous in the federal informa- The above-mentioned provision in FIPS 140-2 refers only to secret-sharing and by itself FIPS 140-2 already has security requirements for secret sharing applied to cryptographic NISTIR8214 T reduce the time and costFederal required for government consumers. testing while As providing thethe a NIST adoption high of cryptographic level of new validation cryptographic assurance programs technologyand for evolve, into mechanisms them for should testing target andIndustry/NIST the reporting collaboration future results structure website [ for automated validation of cryptographic algorithms help develop a structured processthreshold of cryptographic formulating implementations. and validating security assertions about fashion. NIST is working withand the improve industry the to efficiency rebuild and its effectiveness cryptographic of validation cryptographic programs module testing in order to conventional cryptography, the security of thealso threshold be cryptographic impacted implementation by may defectsby introduced as the a tools result used ofensure to human that errors compile the or or algorithms unsafe synthesize supporting optimization to threshold the cryptography verify implementation. are that theoretically they Thus, secure, have it and been is implemented important correctly. to The definition of guidelines would tion infrastructure, the number andmakes complexity it of modules increasingly to difficult be tocompromise validated detect security. increases. at This This validation is stage one allraphy more possible in reason defects avoiding to that single consider might points the of potential failure of in threshold real cryptog- implementations. However, similarly to a main subject of thresholdinsufficient schemes to for accommodate cryptographic the primitives. plethoraout That of threshold provision in considerations is this that thus report. haveschemes been Generally may pointed speaking, involve reconsidering the the process adequacynecessary towards of devise the standardization new or validation of requirements complementary threshold and requirements. where is required to reconstruct the originalinformation key, about then the knowledge original of key, otherby than implementations of the the length.” Shamir and Blakley secret sharing schemes mentioned in Sec. does2.2 . not ensure that keys are never recombined when needed by an algorithm, which is tographic primitives, we intend to pursuesimilar the to approach the of approach conformance taken security for assertions, the cryptographic primitives and modules. keys. Section 4.7.4procedures of for security the levels 3 standard and defines 4, stipulating security that requirements for split-knowledge 6.2 Integration of threshold cryptographic schemes (ACVP) and cryptographic modules [NIS18a, NIS18b]. When we consider standardizing threshold cryptographic schemes for approved NIST cryp-

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 ? ? ? RIMITIVES P on different interfering ]). This experience may 17 RYPTOGRAPHIC + C setup and maintenance DLFK , cryptographic primitives? for client-side functions? CHEMESFOR feasibility and interoperability S BBK17 , new implementation bugs or misconfiguration 39 are required (e.g., dealer, special components)? 17 mechanisms (e.g., resharing or replacement)? of the threshold scheme fully described? + can the scheme be implemented? NIST-approved common APIs CHH HRESHOLD are the operations as a function of threshold parameters? applicable to known and relevant application contexts? (e.g., oblivious transfer) require independent standardization? rejuvenation of nodes related to known attack vectors? executing platforms characterizing features diversity system model trusted setup / assumptions efficient/performant base primitives Should the standard take intoplatforms, account e.g., hardware or operating systems? What degree of automated protocolstandards? validation should be targeted for proposed What threshold aspects can lead to What How Do (c) (a) (a) (a) How is (c) (c) What are the node- (e) How are nearby components assumed separate/independent vs. (c) (a) Are the (b) (b) Should the standard define (d) Is the (d) What are the operational costs and properties of (b) Is the scheme applicable to (b) On what 2. Applicability of scheme 3. Implementations 4. Implementation vs. security 1. Characterizing features 7 Criteria for standardization NISTIR8214 T of threshold cryptographic schemes. Herediscussion we about list this: representative questions likely to induce a security properties, potentially depending on the application contextthe and security system of model. cryptographic implementations.and But select what from criteria a should potential one pool use of to candidate ask threshold for cryptographic schemes? 7.1 Representative questions threshold cryptographic schemes. Usually there are tradeoffs of threshold values for different tions have emerged recently (e.g.,be [ useful to leverage for the protocols involved in threshold cryptographic schemes. Active research over the last few decades has resulted in a substantial body of literature on We intend this document to promote the development of criteria for evaluation of proposals With appropriate caution, threshold cryptography offers a great potential for strengthening

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 and how? RIMITIVES P conditions? licensing RYPTOGRAPHIC C side-channel attacks mechanism? exist against conceivable failures? (e.g., signing, decryption, etc.) feasible? CHEMESFOR across attack types and configurations? S implications and the 40 available? match / fit into the FIPS 140-2 framework? HRESHOLD compare against that of a conventional implementation? security tradeoffs automated validation between two or more different implementations demonstrated? graceful degradation use-cases/applications reliability is the scheme (can security assertions be tested and validated)? intellectual property is the scheme (likely to break under small environmental variations)? security assertions testable brittle working implementations interoperability Is How What threshold properties relate to resistance against How does the Does the security proof ensure composability useful for conceived deployments? (f) Can real attacks thwart the trusted setup assumed in the proof of security? (a) Are (c) Are high-level (a) Do the (e) What faults can be detected and reversed, while identifying the culprit(a) node(s)? (c) (e) (c) Is there a proposed (a) What are the Depending on the adopted approachsubmissions to developing of the candidate new threshold standards, schemes thereadopted for may then evaluation. be potential If criteria such for quality an submissions approach might is include the following: (b) (g) To which degree has/have the proof(s) of security been formally verified? (b) Are there identified (d) What features of (b) How (d) In addition, there may exist pertinent questions about what and how to standardize. We need to develop an objective criteria set to support a call for and a selection of 6. Validation 5. Security 7. Licensing 8. New standards development NISTIR8214 T device vs. multi-party platform,elaborate a side-channel bit attack further vs. on two intrusion additional per aspects. node? Next, we criteria would benefit from collaborative publiccommunity, as feedback well from as the from cryptography stakeholders research in the government and industry. standardization profiles to separately focus on distinct attribute instantiations, e.g., single- schemes for standardization. An actualof criteria the guideline above would questions, elaborate or further variations on thereof, each and possibly others. The development of such What flexibility of parametrization should a standard allow? Should there be distinct

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P ] recommend active Ver18 RYPTOGRAPHIC C of shares is needed to reconstruct the key. CHEMESFOR 1 S + 41 f HRESHOLD What then should be standardized, within the realm of threshold cryptography? Another consideration on what and how to standardize pertains to the potentially large set While it may be useful to standardize modular components, such development is not NISTIR8214 T availability. of the recombined key. Secretother sharing purposes, alone such might as also not preventingtions a enable corruption can threshold of be properties the addressed for intended withthreshold output. threshold schemes cryptography The for (in above a limita- the secure broadthe implementation sense computation of of may cryptographic encompassing be primitives). performed Forthe on example, original shares key, of and the enabling key, threshold without security the for need other to properties, ever including recombine integrity and required, ensuring that a thresholdHowever, number this by itself does not enable cryptographic primitives to use the key shares instead ization process, both of whichhelpful are for likely navigating to the pool improve of overhoc possibilities time? and and Some making generic objective benchmarking solutions. comparisons may between It be is ad- is conducted important in that a this way process that for invites characterizing and such encourages solutions participation from all stakeholders. 7.3 Standardization opportunities of available solutions. On the onemon hand, building SMPC blocks provides to general enable techniques thresholdizing thatthere any can cryptographic are use primitive. also com- On specialized the (ad-hoc) otherand solutions hand, their with techniques applications. tailored How to should specific we primitives handle the two types of solutions in the standard- on its own sufficient toprimitives. achieve There good are standards difficulties associated forinto with threshold a secure schemes protocol composition for (e.g., of into cryptographic securein a components the threshold development scheme). of Composability secure ishow multi-party indeed one computation a should protocols. recurring or It subject should is not thus create an standards open for question combining modular components. component. Thus, when considering thethere standardization may of be a value particular in threshold validatingfor scheme, implementations the with individual nodes. diverse platforms/implementations This example suggests a question about the standardization criteria: patching of vulnerable components. Ifis in found a validated to multi-party have thresholdnot a scheme be a serious a node vulnerability, problem the ifif the node it scheme may tolerates can need the replace to fullsystem it compromise be continues with of patched. to another at operate least type smoothly This one of during would node, the (validated) and/or patching component. and revalidation In of that the case, vulnerable the overall Current industry guidelines for best practices in cybersecurity [ 7.2 Standardization at what granularity level? At a basic level, secret-sharing schemes can be used to split a secret key while its use is not what levels of granularity/modularity should be considered for standardization?

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 ] projects RIMITIVES P NIS17 RYPTOGRAPHIC C tolerance to compromise, where n -out-of- CHEMESFOR f S secret-sharing has a complexity that increases 42 n HRESHOLD -out-of- n ] and post- (PQC) [ nodes does not break some security property. For example, when f MBTM17 parties possess no information about a secret, security against a wide range of side- f The discussion in the preceding sections highlighted nuanced security assertions that can Threshold schemes can be efficient. For example, we described how a simple threshold Threshold schemes have wide applicability, in the sense that there are general techniques 8 Conclusions NISTIR8214 T nodes. In such case, thehomomorphism) simplicity of of the the underlying method structurefor is of based the other on original cryptographic a scheme. primitives, mathematical Incomputational such property contrast, overhead as (a schemes compared some to their blockcases conventional , counterparts. the may Still, threshold require even schemes in significant maysecurity those be assurances practical and the and application justifiable, context. depending on the intended exploitation of noisy side-channel information. RSA signature scheme based ononly a linearly with the number of shares, and whose computation is parallelized across several the compromise of up to up to channel attacks can be achievedof under side-channel some information. reasonable assumptions Furthermore, about aagainst the threshold side-channel distributions scheme attacks may that even provide collectthe resistance information threshold). correlated This across is all because, nodes (beyond in some models, a threshold design may complicate the key is stored in oneavailability of location, a or cryptographic when operation.threshold a schemes localized These for failure fault a modes breaks secure canschemes implementation integrity be related of of mitigated to cryptographic by the secure primitives. using multi-party output This computationUsually, or includes and a intrusion-tolerant threshold distributed property systems. is expressed as an Conventional cryptographic implementations have a single point of failure when the secret from the lightweight [ at NIST be usefulprojects for also threshold be cryptography? looked at Couldis in needed. the the perspective That schemes of is considered possible why bybut threshold we simply variants? those do to More not raise research intend the herearise point to from show for a any consideration. constructive preference interaction We about believe with concrete that the cases, a research community better and clarification other may stakeholders. a threshold version? On oneof hand, NIST-approved cryptographic there primitives. is On a thedardization clear other of interest hand, in threshold the enabling schemes consideration threshold is ofstandards. versions stan- in In itself this an line, we opportunityalso also to benefit wonder review other how suitability ongoing the for NIST standardization new efforts of of threshold standardization. schemes might For example, could elements to convert a conventional implementationask: into for a which threshold conventional version cryptographic thereof. schemes should One one can consider thus standardization of

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 RIMITIVES P RYPTOGRAPHIC C CHEMESFOR S 43 HRESHOLD Once criteria are in place, the selection and standardization of concrete schemes should We intend this report to initiate a discussion on the standardization of threshold cryp- We have looked at numerous factors that influence the type of security assessment An understanding of a variety of instantiations of characterizing features is necessary NISTIR8214 T synergies may result fromcommunity engaging and with other and stakeholders. incorporating feedback from the research not put forth such criteria, but motivated the need for one and developedinclude some an basis integration for with it. validation methodologies.tions How that then may to fit express withinand security FIPS implementation asser- 140-2 profiles should or be fit devised? well When as tackling a these complement challenges, thereof? positive What security an opportunity to consider the caseresearch for results, standardizing new and primitives. the There research are community long-standing is still active in the area. tographic schemes. We can envisionseems some to of be the the challenges development ahead. of The criteria most for and immediate selection of proposals. This document did that can be made abouthas threshold cryptographic potential schemes. to Clearly, improve threshold theprovided cryptography security it of is the carefully implementation used.already standardized of There cryptographic cryptographic primitives. is primitives, The a standardization clear effort may interest also in constitute enabling threshold schemes for for the development of objective criteriapurpose for of selecting standardization candidates and for validation, standardization. theattack combination models For of the should characterizing be features translated and into security assertions. The way these can fit into FIPS features and their possible effects. Forthe example: shares there of are potential the benefits secretdevice of key; platforms; rerandomizing some properties security can properties beplatform are different with different between depending the multi-device on environment vs. and the between communication single- components. be obtained about threshold cryptographicseen schemes. through The the security prism of of suchof a schemes implementation. security has model For to example, and be there possibly may considering be several system differences between models active or passive attacks. To help navigate the landscape of possible schemes, this report enumerated characterizing 140-2 and/or require complementary standardization is a matter for discussion.

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . In . In . Proc. . In Proc. RIMITIVES P Fault Attacks . In 2017 IEEE . Technical report, . In Proc. 26th Annual Verifiable secret sharing Sharing Block Ciphers RYPTOGRAPHIC Forward-Secure Threshold C On the reliability and avail- Verified Models and Reference . https://www.amd.com/Documents/ . https://www.arm.com/products/ CHEMESFOR S 44 Tamper Resistance: A Cautionary Note Remote Timing Attacks Are Practical TrustZone HRESHOLD AMD has you covered . In D. Naccache (ed.), Topics in Cryptology — CT-RSA Two remarks on public key cryptology . Journal of the Brazilian Computer Society, 18(1):61–80, 2012. intrusions DOI:10.1007/s13173-012-0062-x. K. Bhargavan, B. Blanchet, and N. Kobeissi. Symposium on Security and Privacy. (SP),DOI:10.1109/SP.2017.26 pages 483–502. IEEE, may 2017. E. F. Brickell, G. D.Information Crescenzo, Security and and Y. Frankel. Privacy – ACISP 2000, vol. 1841 of LNCS, pages R. Anderson. University of Cambridge, Computer Laboratory, 2002. ARM Corporation. security-on-arm/trustzone, 2018. D. Brumley and D. Boneh. USENIX Association, 2003. L. T. A.ability N. of Brandão replicated and and A. rejuvenating N. systems Bessani. under stealth attacks and Security_021.pdf, 2012. B. Awerbuch, S. Micali, S. Goldwasser,and and achieving B. simultaneity Chor. in theSymposium presence on Foundations of of faults ComputerIEEE Science, Computer SFCS Society, ’85, 1985. pages DOI:10.1109/SFCS.1985.64. 383–395. M. Abdalla, S. Miner, and C.2001, Namprempre. pages 441–456. Springer Berlin Heidelberg, 2001.10.1007/3-540- DOI: C. Aumüller, P. Bier, W. Fischer, P.on Hofreiter, and RSA J.-P. Seifert. with CRT:B. Concrete S. Results Kaliski, Ç. andEmbedded K. Practical Koç, Systems Countermeasures and — C. CHESSpringer Paar Berlin 2002, (eds.), Heidelberg, Cryptographic vol. 2003. Hardware10.1007/3-540-36400-5_20 . DOI: 2523 and ofR. LNCS, Anderson pages and 260–275. M. Kuhn. 2nd USENIX Workshop on Electronic Commerce (WOEC’96), 2:1–11,AMD 1996. Corporation. Implementations for the TLS 1.3 Standard Candidate Signature Schemes 457–470. Springer Berlin Heidelberg, 2000. DOI:10.1007/10718964_37. 45353-9_32. 12th Conference on USENIX Security Symposium — SSYM’03, pages 1–13. 03] + [BB03] [BB12] [AK96] [And02] [BCF00] [BBK17] [ARM18] [AMN01] [AMD12] [ABF References [AMGC85] NISTIR8214 T

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . In B. S. RIMITIVES P On the Cost . In M. Yung, . In Smart Card . In Proceedings of RYPTOGRAPHIC Completeness Theorems for . In Proc. 2nd Annual ACM C . https://cr.yp.to/antiforgery/ On the Importance of Checking Hybrids on Steroids: SGX-Based . In W. Fumy (ed.), Advances in Non-interactive Zero-knowledge and Its CHEMESFOR S 45 Generating a product of three primes with an Efficient generation of shared RSA keys . In Proc. 12th European Conference on Computer . In J. P. Buhler (ed.), Algorithmic Number Theory, HRESHOLD Cache-timing attacks on AES : New Diffie-Hellman Speed Records Another Advantage of Free Choice (Extended Abstract): Efficient Multiparty Protocols Using Circuit Randomiza- . In Proc. 20th Annual ACM Symposium on Theory of Computing, . In J. Feigenbaum (ed.), Advances in Cryptology — CRYPTO ’91, of Lazy Engineering for MaskedResearch Software and Implementations Advanced Applications —64–81. CARDIS, Springer vol. Berlin 8968 Heidelberg, of 2014. LNCS,. DOI:10.1007/978-3-319-16763-3_5 pages M. Ben-Or, S. Goldwasser, and A. Wigderson. the Twentieth Annual ACM Symposium onpages Theory 1–10, of New Computing, York, NY, STOC USA, ’88, 1988. ACM. DOI:10.1145/62212.62213. D. Boneh and J.unknown Horwitz. factorization 2006, vol. 3958 of LNCS,DOI:10.1007/11745853_14. pages 207–228. Springer Berlin Heidelberg, 2006. D. Boneh and M. Franklin. Kaliski (ed.), Advances in Cryptologypages — CRYPTO 425–439. ’97, Springer vol. Berlin 1294 Heidelberg, of 1997. LNCS, . DOI:10.1007/BFb0052253 M. Blum, P. Feldman, and S. Micali. STOC ’88, pages 103–112. ACM, 1988.. DOI:10.1145/62212.62222 J. Balasch, B. Gierlichs, V. Grosso, O. Reparaz, and F. Standaert. . DOI:10.1007/3-540-46766-1_34 M. Ben-Or. Symposium on Principles of Distributed Computing, PODC ’83, pages 27–30. D. J. Bernstein. cachetiming-20050414.pdf, 2005. D. J. Bernstein. J. Behl, T. Distler, and R.Systems, EuroSys Kapitza. ’17, pages. DOI:10.1145/3064176.3064213 222–237, New York, NY, USA, 2017. ACM. D. Boneh, R. A. DeMillo, and R. J. Lipton. Cryptology — EUROCRYPT ’97, vol. 1233Berlin of Heidelberg, LNCS, 1997. pages. DOI:10.1007/3-540-69053-0_4 37–51. Springer D. Beaver. tion vol. 576 of LNCS, pages 420–432. Springer Berlin Heidelberg, 1992. Non-cryptographic Fault-tolerant Distributed Computation Completely Asynchronous Agreement Protocols Cryptographic Protocols for Faults ACM, 1983.. DOI:10.1145/800221.806707 High Performance BFT Y. Dodis, A. Kiayias, and T. Malkin (eds.), Public Key Cryptography — PKC Applications 14] + [BF97] [BH98] [Ber05] [Ber06] [Bea92] [Ben83] [BDL97] [BDK17] [BFM88] [BGW88] [BGG NISTIR8214 T

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . . A RIMITIVES P Foreshadow: . In Proc. International RYPTOGRAPHIC . In Proceedings of the 14th . In Proceedings of the C . Digest FTCS-8: 8th Annual Multiparty Unconditionally Secure CHEMESFOR S Robust Computational Secret Sharing and a A Forward-Secure Scheme . In Proc. 13th ACM Conference on Computer 46 N-Version Programming: A Fault-Tolerance Multi-signatures in the Plain public-Key Model . In Proc. 42nd IEEE Symposium on Foundations HRESHOLD Safeguarding cryptographic keys Universally Composable Security: A New Paradigm for CAP Twelve Years Later: How the "Rules" Have Changed . In 27th USENIX Security Symposium (USENIX Security 18), . In Proceedings of the Twentieth Annual ACM Symposium on of Computer Science, FOCS ’01,2001. pages DOI:10.1109/SFCS.2001.959888. 136–145. IEEE Computer Society, D. Chaum, C. Crépeau, and I. Damgard. C. Cremers, M. Horvat, J. Hoyland, S.2017 Scott, ACM and T. SIGSAC van der Conference Merwe. on Computer and Communications E. Brewer. Computer, 45:23–29, 01 2012.10.1109/MC.2012.37. DOI: L. Chen and A. Avizienis. International Conference on Fault Tolerant Computing, pages 3–9,R. June 1978. Canetti. M. Silberstein, T. F. Wenisch, Y. Yarom, and R. Strackx. page 991–1008, Baltimore, MD, 2018. USENIX Association. M. Bellare and G. Neven. and a General Forking Lemma and Communications Security,DOI:10.1145/1180405.1180453. CCS ’06, pagesM. 390–399. Bellare and ACM, P. 2006. Rogaway. LNCS, pages 237–251, Berlin, Heidelberg,. DOI:10.1007/BFb0054866 1998. Springer Berlin Heidelberg. G. R. Blakley. pages 313–317, 1979.. DOI:10.1109/AFIPS.1979.98 M. Bellare and S.In K. M. Miner. Wiener (ed.), AdvancesLNCS, in Cryptology pages — 431–448. CRYPTO’ Springer 99,. 540-48405-1_28 Berlin vol. 1666 Heidelberg, of 1999. DOI:10.1007/3- J. v. Bulck, M. Minkin, O. Weisse, D. Genkin, B. Kasikci, F. Piessens, Protocols Theory of Computing, STOC ’88, pages 11–19, New York, NY, USA, 1988. Extracting the Keys to theExecution Intel SGX Kingdom with Transient Out-of-Order Comprehensive Symbolic Analysis of TLS 1.3 Cryptographic Protocols ACM. DOI:10.1145/62212.62214. Unified Account of Classical Secret-sharingACM Goals Conference on Computer and Communications Security, CCS ’07, pages Workshop on Managing Requirements Knowledge, vol. 48 of AFIPS 1979, Approach to Reliability of Software Operation 172–184, New York, NY, USA, 2007. ACM.. DOI:10.1145/1315245.1315268 17] 18] + + [BR07] [CA78] [BN06] [Bla79] [Bre12] [BM99] [Can01] [CCD88] [CHH [BMW NISTIR8214 T

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . SIAM RIMITIVES P The Matter of . In 2017 IEEE . In G. Brassard (ed.), . In D. W. Davies (ed.), RYPTOGRAPHIC Towards Sound Approaches C On the Minimal Synchronism . In M. Wiener (ed.), Advances in Unifying Leakage Models: From Prob- Nonmalleable Cryptography . J. ACM, 34(1):77–97, January 1987. CHEMESFOR S Group Signatures . Technical Report ISSE-TR-97-01, George Redistributing Secret Shares to New Access 47 . In Advances in Cryptology — EUROCRYPT Threshold Practical Byzantine Fault Tolerance and Proactive HRESHOLD Common Criteria for Information Technology Security . In Proc. 2014 Conference on Internet Measurement Con- , April 2017. . https://www.commoncriteriaportal.org/ . ACM Trans. Comput. Syst., 20(4):398–461, November 2002. Implementing and proving the TLS 1.3 record layer Mason University, July 1997. A. Delignat-Lavaud, C. Fournet,N. M. Swamy, S. Kohlweiss, Zanella-Béguelin, J. K.houé. Protzenko, Bhargavan, A. J. Rastogi, Pan, andSymposium J. on K. Security Zinzindo- and Privacy. (SP),DOI:10.1109/SP.2017.58 pages 463–482. IEEE, May 2017. Z. Durumeric, F. Li, J. Kasten,D. J. Adrian, Amann, J. V. Beekman, Paxson, M. Payer, M. N. Weaver, Bailey, and J. A. Halderman. Review, 45(4):727–784, 2003. DOI:10.1137/S0036144503429856. D. Dolev, C. Dwork, and L. Stockmeyer. DOI:10.1145/7531.7533. Y. Desmedt and Y. Frankel. pages 307–315. Springer New York, 1990. DOI:10.1007/0-387-34805-0_28. Y. Desmedt and S. Jajodia. D. Chaum and E. van Heyst. 257–265. Springer Berlin Heidelberg, 1991. DOI:10.1007/3-540-46416-6_22. A. Duc, S. Dziembowski, and S.ing Faust. Attacks to Noisy Leakage 2014, vol. 8441 of LNCS,. DOI:10.1007/978-3-642-55220-5_24 pages 423–440. Springer Berlin Heidelberg, 2014. D. Dolev, C. Dwork, and M. Naor. Security, CCS ’17, pages. DOI:10.1145/3133956.3134063 1773–1788, New York, NY, USA,S. 2017. Chari, ACM. C. S. Jutla,to J. R. Counteract Rao, Power-Analysis and Attacks P.Cryptology Rohatgi. — CRYPTO’ 99, vol. 1666Berlin of Heidelberg, LNCS, 1999. pages. DOI:10.1007/3-540-48405-1_26 398–412. Springer M. Castro and B. Liskov. . DOI:10.1145/571637.571640 Common Criteria. Structures and Its Applications Evaluation Recovery Needed for Distributed Consensus Heartbleed Advances in Cryptology — CRYPTO’ 89 Proceedings, vol. 435 of LNCS, Advances in Cryptology — EUROCRYPT ’91, vol. 547 of LNCS, pages 14] 17] + + [DJ97] [DF90] [CL02] [CvH91] [Com17] [DDS87] [DDF14] [DDN03] [CJRR99] [DLK NISTIR8214 T [DLFK

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . . In Proc. RIMITIVES P Secure Distributed . In J. Stern (ed.), How to Share a Function Two-Threshold Broadcast RYPTOGRAPHIC Impossibility of Distributed C The Knowledge Complexity Efficient private matching and How to Play ANY Mental Game . In E. Biham (ed.), Advances in . J. ACM, 32(2):374–382, April 1985. CHEMESFOR S . In P. Druschel, F. Kaashoek, and A. Rowstron 48 . In Proc. 17th Annual ACM Symposium HRESHOLD . In International conference on the theory and applications A Practical Scheme for Non-interactive Verifiable Secret The Sybil Attack A Practical Protocol for Large Group Oriented Networks . In Proc. 26th Annual ACM Symposium on Theory of Computing, . In Proc. 28th Annual Symposium on Foundations of Computer A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. pages 295–310, Berlin,DOI:10.1007/3-540-48910-X_21. Heidelberg, 1999. SpringerS. Goldwasser, Berlin S. Heidelberg. of Micali, Interactive and Proof-systems C.on Rackoff. TheoryDOI:10.1145/22145.22178. of Computing, STOCO. Goldreich, ’85, S. Micali, and pagesor A. Wigderson. A 291–304. Completeness Theorem ACM, for Protocols 1985. with Honest Majority M. J. Freedman, K. Nissim,set and intersection B. Pinkas. of cryptographic techniques, pages 1–19. Springer, 2004. Y. Frankel. In J.-J. Quisquater andEUROCRYPT ’89, LNCS, J. pages Vandewalle 56–61, (eds.), Berlin,Berlin Heidelberg, Heidelberg. Advances 1990. DOI:10.1007/3-540-46885-4_8. Springer in Cryptology — R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Science, SFCSDOI:10.1109/SFCS.1987.4. ’87, pages 427–438.M. Fitzi, M. IEEE Hirt, T. Holenstein, Computer andand J. Detectable Wullschleger. Society, Multi-party Computation 1987. Cryptology — EUROCRYPT 2003, vol. 2656Heidelberg, of 2003. LNCS, Springer pages Berlin Heidelberg. 51–67,. DOI:10.1007/3-540-39200-9_4 Berlin, M. J. Fischer, N. A. Lynch, and M. S. Paterson. DOI:10.1145/3149.214121. ference, IMC ’14,. DOI:10.1145/2663716.2663755 pages 475–488, NewJ. York, R. Douceur. NY, USA, 2014. ACM. 2002.. DOI:10.1007/3-540-45748-8_24 STOC ’94, pages 522–533. ACM, 1994. DOI:10.1145/195058.195405 . P. Feldman. Securely Sharing Key Generation for Discrete-Log Based Cryptosystems Consensus with One Faulty Process (eds.), Peer-to-Peer Systems, pages 251–260. Springer Berlin Heidelberg, Advances in Cryptology — EUROCRYPT ’99, vol. 1592 of LNCS, 19th Annual ACM Symposium on Theory of Computing, STOC ’87, pages [Fel87] [Fra90] [Dou02] [FLP85] [FNP04] [GMR85] [GJKR99] [GMW87] [FHHW03] NISTIR8214 T [DSDFY94]

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . . Lest We RIMITIVES P . https: Robust and Efficient . Commun. ACM, Proactive Secret Sharing RYPTOGRAPHIC C . In D. Coppersmith (ed.), Advances . Journal of Cryptology, 13(1):31–60, Jan CHEMESFOR Secret sharing scheme realizing general ac- . , https://www.iso.org/standard/65422.html S A public-key cryptosystem suitable for digital 49 Software Guard Extention (SGX) . Journal of Cryptology, 13(2):273–300, Mar 2000. Player Simulation and General Adversary Structures HRESHOLD . In NEC J. Res. Dev. 71, pages 1–8, Oct. 1983. NIST Cryptographic Standards and Guidelines Development . Electronics and Communications in Japan (Part III: Fundamen- Intel’s New AES Instructions for Enhanced Performance and ISO/IEC 19790:2012, Information technology – Security ISO/IEC 19592-2:2017, Information technology – Security . In O. Dunkelman (ed.), Fast Software Encryption, 16th International . NISTIR 7977, March 2016.. DOI:10.6028/NIST.IR.7977 ISO/IEC 19592-1:2016, Information technology – Security techniques ISO. techniques –,https://www.iso.org/standard/52906.html August 2012. SecurityISO. requirements for2016. cryptographic modules ISO. techniques –,https://www.iso.org/standard/65425.html 2017. Secret sharing – Part 2: Fundamental mechanisms 52(5):91–98, May 2009.. DOI:10.1145/1506409.1506429 K. Itakura and K. Nakamura. multisignatures Intel Corporation. M. Ito, A. Saito, andcess T. Nishizeki. structure tal Electronic Science), 72(9):56–64, 1989.. DOI:10.1002/ecjc.4430720906 A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung. in Cryptology — CRYPT0’ 95, pages 339–352. Springer Berlin Heidelberg, M. Hirt and U. Maurer. in Perfect Multiparty Computation 2000.. DOI:10.1007/s001459910003 J. A. Halderman, S.Calandrino, D. Schoen, A. N. J. Heninger, Feldman, W. Clarkson, J. W. Appelbaum, Paul, J. and A. E. W. Felten. R. Gennaro, T. Rabin, S. Jarecki, and H.. DOI:10.1007/s001459910011 Krawczyk. C. T. Group. S. Gueron. . DOI:10.1007/978-3-642-03317-9_4 218–229. ACM, 1987.. DOI:10.1145/28395.28420 Sharing of RSA Functions Security //software.intel.com/en-us/sgx, 2018. Remember: Cold-boot Attacks on Encryption Keys Process Or: How to Cope With Perpetual Leakage Workshop, FSE 2009, vol. 5665 of LNCS, pages 51–66. Springer, 2009. 1995.. DOI:10.1007/3-540-44750-4_27 – Secret sharing – Part 1: General 09] + [IN83] [Int18] [Gro16] [ISN89] [ISO16] [ISO17] [ISO12] [HM00] [Gue09] [GRJK00] [HJKY95] [HSH NISTIR8214 T

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . RIMITIVES P . Distributed . NISTIR 7298 When Constant-Time . , arXiv:1801.01207 . Morgan Kaufmann RYPTOGRAPHIC C Spectre Attacks: Exploiting Meltdown . In D. R. Stinson (ed.), Advances Private Circuits: Securing Hardware In Network and distributed system secu- Redundancy and Diversity in Security CHEMESFOR S Fault-Tolerant Systems 50 Software Rejuvenation: Analysis, Module and Ap- Client puzzles: A Cryptographic countermeasure . In Advances in Cryptology — CRYPTO 2003, HRESHOLD . ,arXiv:1801.01203 January 2018. . In N. Koblitz (ed.), Advances in Cryptology — CRYPTO . In Cryptology and Network Security — CANS 2016, Lower bounds for asynchronous consensus Secret Sharing Made Short Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, Glossary of Key Terms . In Proc. 25th International Symposium on Fault-Tolerant Comput- L. Lamport. Computing, 19(2):104–125, Oct 2006.. DOI:10.1007/s00446-006-0155-x B. Littlewood andIn L. P. Strigini. Samarati,Security P. – Ryan, ESORICS 2004, D. pagesDOI:10.1007/978-3-540-30108-0_26. 423–438. Gollmann, Springer Berlin and Heidelberg, 2004. R. MolvaM. (eds.), Lipp, M. Computer Schwarz, D.D. Gruss, T. Genkin, Prescher, W. Y. Haas, Yarom, S. Mangard, and P. Kocher, M. Hamburg. DOI:10.1007/3-540-68697-5_9. T. Kaufmann, H. Pelletier, S. Vaudenay, and K. Villegas. with MSVC 2015 . DOI:10.1007/978-3-319-48965-0_36 H. Krawczyk. in Cryptology — CRYPTO ’93, vol.Berlin 573 Heidelberg, of 1994. LNCS, DOI:10.1007/3-540-48329-2_12. pages 136–146. Springer P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, R. Kissel. Revision 2, May 2013.. DOI:10.6028/NIST.IR.7298r2 I. Koren and C.Publishers M. Inc., Krishna. 1st edition, 2007. P. C. Kocher. and Other Systems Y. Ishai, A. Sahai, and D.against A. Probing Wagner. Attacks . DOI:10.1007/978-3-540-45146-4_27 A. Juels and J. Brainard. against connection depletion attacks. rity symposium — NDSS’99, vol. 99, pages 151–168.N. Kolettis Internet and Society, N. 1999. D. Fulton. plications ing, FTCS ’95, pages 381–390. IEEE, 1995.. DOI:10.1109/FTCS.1995.466961 Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built vol. 10052 of LNCS, pages 573–582. Springer Berlin Heidelberg, 2016. Speculative Execution vol. 2729 of LNCS, pages 463–481. Springer Berlin Heidelberg, 2003. T. Prescher, M. Schwarz, and Y. Yarom. ’96, vol. 1109 of LNCS, pages 104–113. Springer Berlin Heidelberg, 1996. 18] 18] + + [JB99] [LS04] [KF95] [Kis13] [KK07] [Kra94] [Koc96] [Lam06] [ISW03] [LSG [KPVV16] [KGG NISTIR8214 T

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . . . . . In RIMITIVES P . https: . https: NISTIR 8114 — . https://csrc.nist.gov/ RYPTOGRAPHIC Threshold Implementations C . In P. Ning, S. Qing, and . https://csrc.nist.gov/projects/ The Byzantine Generals Problem Accountable-subgroup Multisigna- , 2017.. DOI:10.6028/NIST.IR.8114 . In H. C. A. van Tilborg and S. Jajodia CHEMESFOR , 2001.. DOI:10.6028/NIST.FIPS.140-2 S 51 . In Proc. 8th ACM Conference on Computer HRESHOLD National Vulnerability DatabaseNational — Vulnerability CVE-2014-0160 DatabaseNational — Vulnerability CVE-2017-5715 Database — CVE-2017-5753 Automated Cryptographic Validation Testing Automated Cryptographic Validation Protocol A Hundred Impossibility Proofs for Distributed Computing Trusted Platform Module Cryptographic Module Validation Program Post-quantum Cryptography Project Security Requirements for Cryptographic Modules, Federal Information N. Li (eds.), Information and CommunicationsDOI:10.1007/11935308_38. Security — ICICS 2006, NVD. https://nvd.nist.gov/vuln/detail/CVE-2014-0160, 2014. NVD. https://nvd.nist.gov/vuln/detail/CVE-2017-5715, 2018. NVD. NIST. post-quantum-cryptography, 2017. NIST. NIST. NIST. projects/cryptographic-module-validation-program, 2018. S. Nikova, C. Rechberger, and V. Rijmen. S. Micali, K.tures: Ohta, Extended and Abstract L.and Reyzin. Communications Security,DOI:10.1145/501983.502017. CCS ’01, pagesT. Morris. 245–254. ACM, 2001. Springer, 2011.. DOI:10.1007/978-1-4419-5906-5_796 NIST. L. Lamport, R. Shostak, and M. Pease. N. Lynch. Proc. 8th Annual ACM Symposium onPODC Principles ’89, of pages Distributed 1–28. Computing, ACM, 1989.. DOI:10.1145/72981.72982 K. A. McKay, L. Bassham, M. S. Turan, and N. Mouha. July 1982.. DOI:10.1145/357172.357176 January 2018. vol. 4307 of LNCS, pages 529–545. Springer Berlin Heidelberg, 2006. ,//github.com/usnistgov/ACVP 2018. ,//csrc.nist.gov/projects/acvt/ 2018. Processing Standard (FIPS) 140-2 Report on Lightweight Cryptography (eds.), Encyclopedia of Cryptography and Security, 2nd Ed., pages 1332–1335. ACM Transactions on Programming Languages and Systems, 4(3):382–401, Against Side-Channel Attacks and Glitches [Lyn89] [NIS17] [NIS01] [Mor11] [LSP82] [NIS18c] [NIS18a] [NRR06] [NIS18b] [NVD14] [MOR01] [NVD18a] [NVD18b] [MBTM17] NISTIR8214 T

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . . . . In RIMITIVES P IoT Goes Nuclear: . In Proc. 24th Annual RYPTOGRAPHIC C A method for obtaining digital . , https://bearssl.org/ctmul.html . Communications of the ACM, Forward-Secure Multi-signatures Reaching Agreement in the Presence CHEMESFOR . IEEE Symposium on Security and Privacy, How to Withstand Mobile Virus Attacks S Unconditional Byzantine agreement for any 52 . In A. Finkel and M. Jantzen (eds.), STACS 92, HRESHOLD . In Proc. 10th Annual ACM Symposium on Prin- A without a Trusted Party Randomized Byzantine Generals Non-Interactive and Information-Theoretic Secure Verifiable . In J. Feigenbaum (ed.), Advances in Cryptology — CRYPTO National Vulnerability Database — CVE-2017-5754 BearSSL — Constant-Time Mul The IEEE Standard Dictionary of Electrical and Electronics Terms . J. ACM, 27(2):228–234, April 1980. DOI:10.1145/322186.322188. R. L. Rivest, A.signatures Shamir, and and L. public-key Adleman. cryptosystems 21(2):120–126, 1978. DOI:10.1145/359340.359342. E. Ronen., A. Shamir, A.-O. Weingarten, and C. O’Flynn. pages 195–212, 2017.. DOI:10.1109/SP.2017.14 N. R. SunithaIn and M. B. ParasharInternet B. and Amberker. Technology, S. K. pages Aggarwal 89–99. (eds.), Springer Distributed Computing Berlin and Heidelberg, 2009. B. Pfitzmann and M. Waidner. number of faulty processors pages 337–350. Springer Berlin Heidelberg,3_195. 1992. DOI:10.1007/3-540-55210- M. O. Rabin. Symposium on Foundations of ComputerIEEE Science, Computer SFCS Society, ’83, 1983. pages DOI:10.1109/SFCS.1983.48. 403–409. J. Radatz. IEEE Standards Office, 6th edition, 1997. . DOI:10.1007/3-540-46416-6_47 T. P. Pedersen. DOI:10.1007/3-540-46766-1_9. T. Pornin. 2018. M. Pease, R. Shostak, andof L. Faults Lamport. NVD. https://nvd.nist.gov/vuln/detail/CVE-2017-5754, 2018. R. Ostrovsky and M. Yung. ciples of Distributed. DOI:10.1145/112600.112605 Computing, PODC ’91, pagesT. 51–59. P. ACM, Pedersen. 1991. D. W. Davies (ed.), Advances in Cryptology — EUROCRYPT ’91, https://nvd.nist.gov/vuln/detail/CVE-2017-5753, 2018. Secret Sharing vol. 547 of LNCS, pages 522–526. Springer Berlin Heidelberg, 1991. Creating a ZigBee Chain Reaction (Extended Abstract) ’91, vol. 576 of LNCS, pages 129–140. Springer Berlin Heidelberg, 1992. [SA09] [Por18] [OY91] [PW92] [Ped92] [Ped91] [Rab83] [Rad97] [PSL80] [RSA78] [NVD18c] [RSWO17] NISTIR8214 T

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 . . Printed RIMITIVES P , 1996. https: RYPTOGRAPHIC C . Benjamin Franklin, 1734. . In U. Maurer (ed.), Advances . In B. Preneel (ed.), Advances Hidden Problems of Asynchronous . In M. Wiener (ed.), Advances in . Communications of the ACM, Encyclopedia of Cryptography and Information Technology Management CHEMESFOR S Implementing Trustworthy Services Using 53 . IEEE Security and Privacy, 3(5):34–43, September HRESHOLD A Simple Publicly Verifiable Secret Sharing Scheme . Proc. 3rd Workshop on on Hot Topics in System Efficient Identification and Signatures for Smart Cards An excellent conceited Tragedie of Romeo and Juliet Cryptographic Validation Challenges With Brittle Algo- How to Share a Secret Poor Richard’s Almanack — 1735 Publicly Verifiable Secret Sharing Practical Threshold Signatures . Springer Publishing Company, Incorporated, 2nd edition, 2011. . https://csrc.nist.gov/groups/ST/lwc-workshop2015/presentations/ H. C. A. Tilborg andDOI:10.1007/978-1-4419-5906-5. S. Jajodia. A. Vassilev. rithms ,session5-vassilev.pdf July 2015. G. S. Veronese, M. Correia, A. N. Bessani, L. C. Lung, and P. Veríssimo. Dependability, 2007. M. Stadler. in Cryptology — EUROCRYPTSpringer ’96, Berlin vol. Heidelberg, 1070 1996. DOI:10.1007/3-540-68339-9_17. of LNCS, pagesF. B. 190–199. Schneider and L. Zhou. 2005.. DOI:10.1109/MSP.2005.125 U. S. 104th Congress. W. Shakespeare. by John Danter, London, 1597. A. Shamir. 22(11):612–613, Nov 1979.. DOI:10.1145/359168.359176 V. Shoup. in Cryptology — EUROCRYPT 2000,Springer vol. Berlin 1807 Heidelberg, of 2000. LNCS, DOI:10.1007/3-540-45539-6_15. pages 207–220. P. Sousa, N. F. Neves, and P. Verissimo. C. P. Schnorr. In G. Brassardings, (ed.), Advances vol. in. DOI:10.1007/0-387-34805-0_22 435 Cryptology — of CRYPTO’89 LNCS, Proceed- B. pages Schoenmakers. 239–252. Springerand Its New Application to York,Cryptology Electronic — Voting 1990. CRYPTO ’99, vol. 1666Berlin of Heidelberg, LNCS, 1999. pages DOI:10.1007/3-540-48405-1_10. 148–164. Springer . DOI:10.1007/978-3-540-89737-8_9 Security . //www.dol.gov/ocfo/media/regs/ITMRA.pdf Proactive Recovery Replicated State Machines Reform Act. Public Law 104–106, Section 5131 13] + [tC96] [TJ11] [SZ05] [Sta96] [Vas15] [Sha79] [Sch99] [Sha97] [Sch90] [Sau34] R. Saunders. [Sho00] [SNV07] [VCB NISTIR8214 T

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214 IEEE RIMITIVES P . https: . In Proc. 27th Annual RYPTOGRAPHIC C . In 23rd Annual Symposium Psst, Can You Keep a Secret? . IEEE Transactions on Computers, CHEMESFOR S A Simple and Secure Way to Show the Validity 54 HRESHOLD . In C. Pomerance (ed.), Advances in Cryptology — 2018 Data Breach Investigations Report How to Generate and Exchange Secrets Protocols for secure computations A. C. Yao. on Foundations of Computer Science,DOI:10.1109/SFCS.1982.88. SFCS ’82, pages 160–164, 11A. 1982. C. Yao. Symposium on Foundations of ComputerIEEE Science, Computer SFCS Society, ’86, 1986. pages DOI:10.1109/SFCS.1986.25. 162–167. 62(1):16–30, 01 2013.. 10.1109/TC.2011.221 DOI: J. van de Graaf andof R. Peralta. Your Public Key CRYPTO ’87, vol. 293 of LNCS, pages 128–134. Springer Berlin Heidelberg, Verizon. A. Vassilev, N. Mouha, and L.Computer, Brandão. 51(1):94–97, January 2018. DOI:10.1109/MC.2018.1151029. ,//www.verizonenterprise.com/verizon-insights-lab/dbir/ 2018. Efficient Byzantine Fault-Tolerance 1988.. DOI:10.1007/3-540-48184-2_9 [Ver18] [Yao86] [Yao82] [VMB18] [vdGP88] NISTIR8214 T

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8214