Withdrawn Draft Warning Notice The attached draft document has been withdrawn, and is provided solely for historical purposes. It has been superseded by the document identified below. Withdrawal Date July 7, 2020 Original Release Date November 11, 2019 Superseding Document Status Final Series/Number NIST Interagency or Internal Report (NISTIR) 8214A Title NIST Roadmap Toward Criteria for Threshold Schemes for Cryptographic Primitives Publication Date July 2020 DOI https://doi.org/10.6028/NIST.IR.8214A CSRC URL https://csrc.nist.gov/publications/detail/nistir/8214a/final Additional Information Threshold Cryptography project https://csrc.nist.gov/projects/threshold-cryptography 1 Draft NISTIR 8214A 2 Towards NIST Standards for Threshold 3 Schemes for Cryptographic Primitives 4 A Preliminary Roadmap 5 Luís T. A. N. Brandão 6 Michael Davidson 7 Apostol Vassilev 8 This publication is available free of charge from: 9 https://doi.org/10.6028/NIST.IR.8214A-draft 10 11 Draft NISTIR 8214A 12 Towards NIST Standards for Threshold 13 Schemes for Cryptographic Primitives 14 A Preliminary Roadmap 15 Luís T. A. N. Brandão 16 Michael Davidson 17 Apostol Vassilev 18 Computer Security Division 19 Information Technology Laboratory 20 This publication is available free of charge from: 21 https://doi.org/10.6028/NIST.IR.8214A-draft 22 November 2019 23 24 U.S. Department of Commerce 25 Wilbur L. Ross, Jr., Secretary 26 National Institute of Standards and Technology 27 Walter G. Copan, NIST Director and Under Secretary of Commerce for Standards and Technology 28 National Institute of Standards and Technology Internal Report 8214A 29 36 pages (November 2019) 30 This publication is available free of charge from: 31 https://doi.org/10.6028/NIST.IR.8214A-draft 32 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an 33 experimental procedure or concept adequately. Such identification is not intended to imply recommendation or 34 endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the 35 best available for the purpose. 36 There may be references in this publication to other publications currently under development by NIST 37 in accordance with its assigned statutory responsibilities. The information in this publication, including 38 concepts and methodologies, may be used by federal agencies even before the completion of such companion 39 publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, 40 where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely 41 follow the development of these new publications by NIST. 42 Organizations are encouraged to review all draft publications during public comment periods and provide 43 feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at 44 https://csrc.nist.gov/publications. 45 Public comment period: November 11, 2019, through February 10, 2020 46 National Institute of Standards and Technology 47 Attn: Computer Security Division, Information Technology Laboratory 48 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930 49 Email: [email protected] 50 All comments are subject to release under the Freedom of Information Act (FOIA). NISTIR 8214A (DRAFT)TOWARDS NIST STANDARDS FOR THRESHOLD SCHEMES FOR CRYPTOGRAPHIC PRIMITIVES 51 Reports on Computer Systems Technology 52 The Information Technology Laboratory (ITL) at the National Institute of Standards and 53 Technology (NIST) promotes the U.S. economy and public welfare by providing technical 54 leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, 55 test methods, reference data, proof of concept implementations, and technical analyses to 56 advance the development and productive use of information technology. ITL’s responsi- 57 bilities include the development of management, administrative, technical, and physical 58 standards and guidelines for the cost-effective security and privacy of other than national 59 security-related information in federal information systems. 60 Abstract 61 This document proposes a preliminary roadmap for the standardization of threshold schemes 62 for cryptographic primitives by the National Institute of Standards and Technology (NIST). 63 To cover the large diversity of possible threshold schemes, as identified in the NIST Internal 64 Report (NISTIR) 8214, we tackle them in a structured way. We consider two main tracks 65 — single-device and multi-party — and within each of them we consider cryptographic 66 primitives in several possible threshold modes. The potential for real-world applications 67 is taken as an important motivating factor differentiating the pertinence of each possible 68 threshold scheme. Also, the standardization of threshold schemes needs to consider features 69 such as configurability of parameters, advanced security properties, testing and validation, 70 granularity (e.g., gadgets vs. composites) and specification detail. Overall, the organization 71 put forward enables us to solicit feedback useful to consider a variety of threshold schemes, 72 while at the same time considering differentiated standardization paths and timelines, namely 73 depending on different levels of technical and standardization challenges. This approach 74 paves the way for an effective engagement with the community of stakeholders and a 75 preparation for devising criteria for standardization and subsequent calls for contributions. 76 Keywords: threshold schemes; secure implementations; cryptographic primitives; threshold 77 cryptography; secure multi-party computation; intrusion tolerance; distributed systems; 78 resistance to side-channel attacks; standards and validation. 79 Acknowledgments 80 This document follows the NIST Internal Report 8214 and the NIST Threshold Cryptography 81 Workshop, which benefited from the participation and feedback from numerous individuals, 82 representing various organizations. The authors of this document would also like to thank 83 Nicky Mouha and Matthew Watson for participation in discussions at numerous threshold 84 cryptography meetings, and Lily Chen and Andrew Regenscheid for additional feedback on 85 this draft. We welcome public feedback until this document is finalized and published. ii NISTIR 8214A (DRAFT)TOWARDS NIST STANDARDS FOR THRESHOLD SCHEMES FOR CRYPTOGRAPHIC PRIMITIVES 86 Call for Patent Claims 87 This public review includes a call for information on essential patent claims (claims whose use would be 88 required for compliance with the guidance or requirements in this Information Technology Laboratory (ITL) 89 draft publication). Such guidance and/or requirements may be directly stated in this ITL Publication or by 90 reference to another publication. This call also includes disclosure, where known, of the existence of pending 91 U.S. or foreign patent applications relating to this ITL draft publication and of any relevant unexpired U.S. or 92 foreign patents. 93 ITL may require from the patent holder, or a party authorized to make assurances on its behalf, in written or 94 electronic form, either: 95 a) assurance in the form of a general disclaimer to the effect that such party does not hold and does not 96 currently intend holding any essential patent claim(s); or 97 b) assurance that a license to such essential patent claim(s) will be made available to applicants desiring 98 to utilize the license for the purpose of complying with the guidance or requirements in this ITL draft 99 publication either: 100 i) under reasonable terms and conditions that are demonstrably free of any unfair discrimination; or 101 ii) without compensation and under reasonable terms and conditions that are demonstrably free 102 of any unfair discrimination. 103 Such assurance shall indicate that the patent holder (or third party authorized to make assurances on its 104 behalf) will include in any documents transferring ownership of patents subject to the assurance, provisions 105 sufficient to ensure that the commitments in the assurance are binding on the transferee, and that the transferee 106 will similarly include appropriate provisions in the event of future transfers with the goal of binding each 107 successor-in-interest. 108 The assurance shall also indicate that it is intended to be binding on successors-in-interest regardless of whether 109 such provisions are included in the relevant transfer documents. 110 Such statements should be addressed to: [email protected] 111 This call for patent claims is defined in the “ITL Patent Policy — Inclusion of Patents in ITL Publications” 112 available at https://www.nist.gov/itl/publications-0/itl-patent-policy-inclusion-patents-itl-publications iii NISTIR 8214A (DRAFT)TOWARDS NIST STANDARDS FOR THRESHOLD SCHEMES FOR CRYPTOGRAPHIC PRIMITIVES 113 Executive Summary 114 The Computer Security Division (CSD) at the National Institute of Standards and Tech- 115 nology (NIST) promotes the security of implementations and operations of cryptographic 116 primitives, such as signatures and encryption. This security depends not only on the the- 117 oretical properties of the primitives, but also on the abilities to withstand attacks on their 118 implementations and to ensure authorized operations. To advance this capability, NIST 119 has initiated the Threshold Cryptography project. This project intends to drive an effort to 120 standardize