Jun 15, 1992 - Research Center, by grants from GTE, IBM, Siemens, Inc. and by a National ..... the sense that a call to deliver is not made until all previous.
How to Securely
Replicate
Services*
Michael Reiter Kenneth Birman TR 92-1287 (replaces TR 92-1274) June 1992
Department of Computer Cornell University Ithaca, NY 14853-7501
Science
*This work was suported by the Defense Advanced Research Projects Agency (DoD) under DARPNNASA subcontract NAG 2-593 administered by the NASA Ames Research Center, by grants from GTE, IBM, Siemens, Inc. and by a National Science Foundation Graduate Fellowship. Any opinions, conclusions or recommendations expressed in this document are those of the authors and do not necessarily reflect the views, policies or decisions of the National Science Foundation or the Department of Defense.
How to Securely Michael
Replicate
Services*
Reiter
reiter©cs,
Kenneth
cornell,
edu
Birman
ken@cs,
Department
of Computer
Cornell Ithaca,
cornell,
edu
Science
University
New June
York
14853
15, 1992
Abstract A method integrity
is presented
despite
failing
benignly.
client
will are
among
client
and that
servers
the client
server's than
in the
this problem
in any
k + b servers system
run.
need not be able to identify only to possess
is illustrated their
a service
fewer
of causality
to counter
intended
through
replicated
clients
that
by n servers
if, for some are
corrupt.
The
A security
breach
resulting
sequence
of requests
is proposed
that
are correct,
where
An important or authenticate
two public of several of the
b is the novel
Isis system
"This work was supported by the Defense Advanced Research Projects contract NAG2-593 administered by the NASA Ames Research Center, by and by a National Science Foundation Graduate Fellowship. Any opinions, in this document are those of the authors and do not necessarily reflect the Science Foundation or the Department of Defense.
to others
a way that
a correct
k, at
than
service
total schemes
Instead,
The practicality implementation
ability
to
to be corrupt
maximum
server.
k
is illustrated.
k servers
of these
least causality
an intruder's
by the
feature
to their is also
from
and
in addition
of maintaining
assumed
a single
keys for the service. issues pertinent
fewer
availability
parameter
issue
processed
even
their
in such
prespecified
requires
and
retain
by an intruder,
response
at most
version
corrupted
is replicated
a discussion
role in a secure
being
services
k servers
is also addressed.
is live if at least
of corrupt
required
and
requests
a violation
and
precisely,
a correct
correct
An approach
servers
More
accept
servers
effect
several
for constructing
number is that
the client
of these
is
schemes
and use, and
described.
Agency (DoD) under DARPA/NASA subgrants from GTE, IBM, and Siemens, Inc., conclusions or recommendations expressed views, policies or decisions of the National
1
Introduction
Distributed
systems
commands,
which
service
however,
then
difficult,
response
service,
so that
client
authenticates
of servers, however,
then
This
source
that
In this The
k, a correct Moreover, to have
client
if fewer than been
possesses
exactly
one
the service
modularity
Even
in a system
guarantees,
correct
the correct
servers
clients
violation
of causality
described
the service are correct,
fewer
and
that
where
system run.
fewer than
to failure,
k servers
b is the assumed
that
approach and
the
servers
because
of this scheme
And, number
that
servers,
and
effects
the client
above
has caused
and
In this
exploits
public
is live if at least
a
to an attack
We also propose
additional
suffered
the
order.
similar
servers.)
of corruptions
can
of the service.
(While
this solution
and
application
if an intruder
one
the client
server)
enhances
an intruder
at most
are correct. is guaranteed
in an incorrect
corrupt
ap-
parameter
is that
We emphasize
by the service.
possess
machine
client
requests
it involves
the client
state
at a correct
k correct
the
of the servers.
k servers
the response
in which
processed
the
This
schemes,
is no trustworthy
at least
from the service
or to process
If the
comprise
for some prespecified
for clients.
responses
that
to, e.g., one for each
at least
client.
Such
information using
that
to authenticate
total
are correct.
problems
the
if any, sent by a majority
of authentication.
servers,
it to the
over time or if there
feature
server
[25] to replicating
sends
of servers
An important
be corrupt.
maximum
to others
accepted
of requests
requires
(in addition
provided
interface
by an intruder
by an intruder
the response,
(as opposed
more
to remain
in such a way that
purposes
it is often
be designed
any response
requests
is more severe
that
immune
thus
authenticate
We focus on an attack
in the sequence
this attack
the
In the simplest
corruption
and authentication
the service
improper
from
should
machine
to these
k corrupt
improper
this issue.
and
the service
than
may accept
in [22], this attack
way to avoid
for the
service
can change
service
of even a single
to process
we also discuss
server.
object
with
a set of
a command,
For instance,
servers
if a majority
solution
are corrupt,
simplifies
the identity
executing
is not sufficiently
the response
the identities
key for the
as a single
many
state
to identify
from
by a correct public
exports
the command.
problems.
and accepts
by n servers
a response
and significantly
not know
the
response
a combined
k servers
computed
A service
After
invoked
corrupted
computes
be able
is implemented accepts
being
employs
can obtain
we propose
service
servers
if the set of servers
the client
paper
A replicated
from each server
client
other
server.
correct
may be difficult
that
If this server
to protect
individually
the
the
to the client
resources,
several
server
services.
to the service.
introduces
way to do this
it obtains
from which
proach.
more
the response
require
service.
replication
despite
each
requests
and
be replicated.
only a single
One
of clients
by only one server.
must
requires
correct
benignly).
paper
an appropriate
it is to protect
failing
need
by issuing
environments,
and
in terms
invoke
the service
or at least
available
structured
is implemented
In hostile
treat
clients
may return
case, the service
than
are often
a
key for
k + b servers
by servers
in any
The above various
discussion
distributed
tication
computing
is possible
employ
may be evocative problems
(see, e.g.,
novel cryptographic
[19]).
contrast
to the body
signature
provides
version process
group
and reliable
fault-tolerant
version
tool to support of several
practical
The
using
issues
that
approach
our assumptions
services
provides
that
the
the importance
intruder's
attempts
different
results,
to
but authenemphasis:
we
and one contribution
Our approach
assumes
solutions
of
thus stands
only a conventional
in
digital
A state commands.
state.
machine. with
respect
that
is consistent
a different each request
client,
and
construction
will be provided
techniques
may
of this paper
of
in the service,
be a useful
to a discussion
and use of our protocols,
In section the
In section
as well as
of causality.
should
4 we present
requests
Section
6 discusses
work in section
of
In section
a method
several
3
of implementing
above.
and
overview
see [25]. In section
a method
outlined
client
related
2 we give a brief
reader
guarantees
among
We outline
state
the state
is implemented
in the order a state
in some Responses
variables
machine
commands.
of requests
the
key authentication
these
one section
detail,
integrity
causality
encode
with Lamport's
results
the request.
the sequence
of the
then
that
public
And,
as follows.
for more
of a set of state
command
be processed
here.
We devote
the system.
violations
variables
to other
and a secure
B.) The Isis system
facilitate
services
to use them
5, we
to counter
an
pertinent
to
in section
8.
issues
7 and conclude
replication
consists
A client Each
about
of maintaining
The state
that
Several
described
is structured
of our protocols.
machine
abstractions
[1, 2].
we intend
[22]. (See appendix
in such an implementation
availability
machine
in this paper,
in practice.
to exploit
the implementation
State
arise
toolkit
name service
to replication;
we enumerate
issued
typically
provides can occur
has a somewhat
described
multicast
programmers.
of this paper
machine
group
the techniques
our methods
remainder
the state
should
which
programming
a secure
for application
ways to optimize
that
failures
the aforementioned
the protocols
applications
of Isis, including
be implemented
2
Byzantine
that
value of these techniques.
described,
of the Isis distributed
high-performance,
discuss
just
we have not yet implemented
in a secure
could
of literature
where
of literature
our work
to achieve
of the practical
body
scheme.
While
secure
in models
Nevertheless,
techniques
our work is the demonstration
of the large
relation
they were issued, receiving
machine
and
be executed
both
should
which
3
to the
from
we assume
is returned
in an order
the same
client
another
from
could have caused the former
state
atomically
machine
is, two requests
determined
transform
is executed
process
are completely
it processes.
and
a request
by a state
and if one request
parameterized)
the commands
by issuing program
[18]. That
(i.e., output),
of a state
a command
should
a set of (possibly
machine,
by a deterministic
causality
response
exports
of the state
invokes
Commands
machine
and
first.
Execution
to the client
by its initial
state
of that and
State
machine
multaneously
replication
employing
If all servers
then
erly combining
3
The
system
Our
system
consists
employ.
Our failure
In order
omission, and
model
if it always
there
corrupt
n - t. That
and
versus
the
this partitioning
be classified
denote
failure
that
cannot
In a given
of corrupt
and
that
is, in any system
run
schemes
we
corruption and
is that
the
by
corrupt
any principal as fail-stop,
system
correct
that crash,
run, we let corrupt
servers,
b < t < n and at most
is
authentication."
be classified
as corrupt.
b such
signature
principals
have
are
A principal
a purposeful
honest
must
of which
may fail in an arbitrary
with message
into two sets:
failures
remainder topology.
of the cryptosystems
"accidental"
that
the
A principal
to "Byzantine
principals
and
of arbitrary
its specification.
properties
failures--i.e.,
font)
exist
via a network
satisfies
is thus most
Byzantine"
(in slanted
that
same
where
exclusively
the only property
or timing
assume
client
service
only by the (conjectured)
"truly
correct
most
communicate
Formally,
suffers
and coordinating
and if all correct
will give the
of a set of pi'incipals,
we partition
principals.
state,
of the fault-tolerant
to capture
an intruder,
a fault-tolerant
servers
of the servers,
in a run of the system limited
ever
servers
of implementing
model
All principals
manner,
method
machine
to the same
the responses
the response
correct
state
all correct
considered,
clients.
many
are initialized
of requests,
is a general
respectively.
in any
t servers
We
system
run,
fail, and of these
at
b are "malicious." Although
logically
principals
separate
module,
fail as a single unit,
modules.
a coordination
the network,
module
delivers
deliver(
{c, m}), which
to be read
a request
by the state that
the primitives
More
precisely,
an application
module.
is furthest,
is simply
a state
(c, m), from client
places
machine.
communication
The
by the
m) by which
module
each
server
coordination
this is presumably
all previous
module,
the state
calls to deliver
can send
two communication send(c,
used
m) by which
the
that
have
a response
to The
coordination
machine
strictly
module
primitives
in the implementation
4
2. The
state
are made
of
is closest
lies in between.
to be processed
the coordination
machine
module
in section
m, to that
as consisting
of a communication
module
as described
calls to deliver
until
consists
The communication
with contents
that
implements
first is a send primitive
to a client;
the
machine
c and
We assume
supplied
respond(c,
and
to view each principal
(c, rn) at the end of a list of requests
is not made
The communication
a message
1.)
a call to deliver
primitive
tion module.
and
module
of a server
module
respond
module,
the application
application
the sense
(See figure
it is convenient
by calling is available
sequentially, returned.
in
Using
also implements m to a client
a
c.
for use by the coordina-
coordination of respond(c,
module m) and
can send will not
Figure1: Structure
of principals (b) Client
(a) Server
Application
Module respond(c,
" "ae i 'er( ( m'l ...... Coordination
m)
......
Module
abcast(m)
Application
send(c,
mI)"" " ....... Communication
Module request(m)
m)
•
....
........
......
Communication
Module
Module
t Network
Network
be used further coordination
in this paper.
module
of a server
communication
module
receive(
which
( s, m)),
read by the
protocol
Receipt
Atomicity:
received Receipt
places
at any correct
be received
Receipt
servers Receipt
The
exist protocols
lit
is shown
in [13] that
Thus,
that
if honest
guarantees is defined
even
set of servers.
with
contents
messages
only from servers,
that
the
A server's
m, by calling
is available
according
to be
to an atomic
at all correct
servers
exactly
once
or honest
server
or is never
a message
message
to include
those
(s, m) before
of messages by a correct
broadcast
in a synchronous with servers
a correct
if a correct
receive
server
received
broadcasts
s only
a message,
if s
it will
system,
that
message
(s', m') iff all correct
of messages.
by an honest
server
is a prefix
of the
server. 1
that
respect
another
the same sequence
are discussed
in the literature
consistency
from
servers.
servers
sequence
atomic
already
and
receives
received
for implementing
server
by which
specification.
Moreover,
at all correct
of messages
s and
received
receives
message.
server
there
failures
is either
is, all correct
Consistency:
sequence Options
do. That
from
are received
the following
server that
Order:. A correct
(s, m) to the
abcast(m)
server.
A correct
eventually
primitive
a message
(s,m),
Messages
A message
broadcast
broadcast
(s, m) at the end of a list of received
satisfies
previously
is an atomic
a message
module.
7_ that
Validity:
second
s can broadcast
receives
coordination
broadcast
The
satisfy any
to faulty suffer
in section
6; here
this specification
atomic
broadcast
principals
omission
failures,
in various
protocol
requires the
we simply
that
a majority results
of this
note
models
is tolerant of correct paper
that
and for
of omission principals.
require
n > 2t.
various times
definitions
of honest.
or the execution
any, are those
module
by calling
request(m).
tocol
servers
requests
order
delivered Delivery
at any correct
Validity:
previously
Delivery
Delivery
sequence Assuming honest
4
The
of requests that
servers
module
Recall
from
prespecified Integrity:
request
from
That
e.g., by a correct
broadcast
via abcast
pro-
and determining is, we assume
that
properties.
servers
a correct
client
of requests
the same
accepts
exactly
once
or is never
or honest
client
c only if c
issues
a request,
it will eventually
before
another
request
the same sequence
delivered
by an honest
k, then
requirements
a correct
client
by replacing
with two new routines,
will accept
the respond(c, respond_(e,
a response
from
the service.
m) and accept(m)
m) and accept'(m),
routines that
of servers
will ensure
these
properties. have
Therefore,
replaced
of each
the respond
server,
Similarly,
the new structures routine
we assume
we assume
that
that
of principals
with respond respond
accept
_ at the interface
is stiU available
is still available
Figure
will be as pictured provided
for execution
"de_r(
6, "_) _ ......
of principals
m)
_ ...... Module
abcast(m)
mi) "
Application
request(m)
#....
........
Module
respond'
corresponding
produce
a partial
for m that
private
can be verified
Cryptanalytic
to acquire
partial
informally,
that
k partial
against
in that
results,
the
a (k, n)-threshold of only k-
facilitate
signing
message,
then
That
sign that
of k shares
possess
scheme and
a partial
differ some
pairs.
results
infeasible result
to (i)
for m without shares.
against
their
con-
and
For our
purposes,
we will say,
the following
for various
of such
message
knowledge
7
be necessary
of shares
is, if a possessor without
to
number
is secure if it satisfies of partial
n shares
into a signature
should
those
A
can be used
k other
from
scheme.
key and
be computationally
key without
schemes
may
a public
can be combined
knowledge
or the private
signature
m, each share
for m, (ii) compute
signature
1 or fewer shares
also
results
to message/signature
signature
new messages. it could
a share
cryptanalyst
in addition
partial
key it should
results
threshold
of generating
for any message
key. Moreover,
the private
or (iii) compute
attacks
counterparts
1. Possession
without
a (k, rt)-threshold
a method
any k of these
with the public that
share,
will employ
key in such a way that
for m without
the corresponding
servers
is, informally,
result from m, where
a signature
ventional
different
scheme
to sign m, in the sense create
Network
at the
signature
of the
Module
schemes
routines
(k, n)-threshold
......
Communication
Network
signature
Module
sead(c,m)
.......
Communication
The
of each client.
Module
Coordination
Threshold
module.
(b) CUent
respond'(c, "
we
module
coordination
module
(a) Server
Application
2. Although
to the application
by the
to the communication
2: New structure
in figure
information of any
be able
properties:
messages
does not
can
sign a new
shares
or partial
results
for any messages.
signature The
,
scheme
(but
message
attack).
schemes
thus
ventional
far proposed,
signature
scheme,
proposed
in [7]. The
function
with
in the
schemes
that
though
e from d. That
that
upon
is, ed -: 1 mod A(N),
are fixed a priori
The
1 above
upon
con-
attacks.
of an implementation private
in place
key d, where
totient
positive
integer
from
1 rood A(N), result
where
d in such a the integers
for a message
n} of size k, Am,T =--rn'l'IiET(am,i) of this scheme
have
N
of Euler's
{K_}l k). While this could
A, are a topic of ongoing
public
causality
it can
in which
2 of the
of partial
know O(n log n) bits of pubLic information
input
order
in
until it finds a T of size k
be small in the common
to be primarily
only the public
requires
the
is step
time for a valid signature
to know
or to deliver
(_) subsets
(if correct
in appendix
to the
is weaker,
at most only the first h = min{n,
such as using
factor
the Receipt
respectively,
broadcast
it receives
also be used to reduce
of this search
will be the response
may not reflect
from a correct
For such
provided
results
time should
the search
2), in addition
Preserving
correct client
could
"subset,"
of the protocol
and at most
heuristics,
"set" and
to a given
is for servers
by removing
can be used because
part
results
not be a limiting
each server
the p_.T'S; see footnote
One guarantee
systems,
should
and
is discussed
optimizations
In this scheme,
5
worked,
that in most
we view further
key. Each
Am,r,
to respond
in this protocol.
the partial
search
of the response
optimization
Since reliable
broadcast
expensive
partial
designated
obtained
with
broadcast.
h unique servers),
computing
one of which
by other costs
"prefix"
are small. 5 A minor optimization
previously
optimizations,
protocol,
is not important
are at least k correct
for the signature
A second
The server must examine
h is large and k _ h/2, the expected i.e., when
and
Reliable
sorts through
is a valid signature.
results
h partial
the server
dynamically.
of atomic
as efficiently.
in which
partial
requirement
results
The set of servers
broadcast
"sequence"
at least
In theory,
such that
set of servers.
by a reliable
replacing
Consistency
the partial
or determined
results
and
be implemented
routine,
only to that
partial
requirement
partial
In addition,
be fixed in advance
to communicate Order
request.
computed
cannot
further be implemented
of a correct
the service
ensuring
proper
from state
be trusted.
accepted
Access
at a
server,
to deliver responses
variables
that
control
is an
but rarely
more.
here. by three
to five servers,
In this sectionwe addressthe issueof ensuringthat requestsaredeliveredin a correctorder by correctservers.Becausewe assumean atomic broadcastprotocol2) to disseminateclient requests, we concernourselvesonly with the requirementthat correct serversdeliver requestsin an order consistent
with
requests
causality
is for each client
to the service Consider
and
the time
a corrupt
issues a request,
of interest
shares
of stock
collude
apparent
through
demand
for the
subsequent
this problem,
denoted
and
with the respond new
at correct
based
servers
and similarly
key of the should (This
service
verify
that
Causality:
issuing
< k, then
after
(c, m/.
according
replace
from
obtained
from
a client
issues
subsequently it is not clear
access
controls
and
request(m)
of attack
from a correct
we will use deliver
of the correct naturally
avoid
respectively
( c, ml).
Therefore,
be structured
described
client's
by allowing
routines,
deliver(
would
the
at any time.
delivery
and
4, principals
Thus,
the request
stock
could
may adjust
alone cannot
to purchase
the
to the service.
this request
before
server
stock
client.
that
to purchase
a corrupt
for the same client,
suppose
a request
purchase,
to the correct
the type
the correct
(c,m/.
Then,
prevents
independently
c), and (ii) delivered
delivered
[22]:
new request
of section
of requestl(m),
to satisfying
[25].
request
if
as in figure
above,
in the sense
(c, m) can be delivered
in our implementation
of deliver _,
request'.
than
In addition
we present
As before,
a request server
client
an example
to be delivered
can request
(c, m/.
this guarantee
If corrupt
offered
client
clients
client
and after receiving
However,
of the correct
any client
correct
and
before
k can be chosen
price
accept _ routines
only after
In the implementation
the
that
or correct
If the corrupt
the intended
Moreover,
on information
for request
that
m)),
honest
the two requests.
and that
may occur.
deliver'((c,
among
the time it issues
to the service,
to issue a request
before
raise
section,
protect
stocks
above
of the corrupt
is that
_ and
routines
any request
and
of this
request'(m)
3. These
stock
we borrow
discovering
as described
trading"
remainder
After
at some
causality
servers.
trades
this request
as the intent
In the
that
between
client.
between
be important,
request
a type of "insider
to a corrupt
by correct
this service.
deliver
is delivered
relationship
service
client
servers
the causally
that
is a trading
of preserving
client issues a request
a message
is a causal
method
any messages
the request
can be detected
with a corrupt
If the correct
from sending
sends
why this may
service
A common
in which a correct
then there
To illustrate
2).
at which
server
how this relationship
used
to refrain
the case, however,
the request,
client,
(see section
c is provided
in section
if some request at a correct
to the specification
c encrypts
the aforementioned
of that
Causality,
client
request' of atomic
then
following
problem,
a public
encryption
guarantee.
provided
that
The
reader
corrupt
after
that request
m is decrypted is delivered
and deliver _ must also ensure broadcast--i.e.,
that
anywhere
(other
at all correct
servers
that
Delivery
client
requests
Atomicity,
are
Delivery
6We do not consider traffic analysis attacks [26] or attacks that exploit the malleability of the cryptosystem 11
< k. 6
4.)
is (i) issued
server,
the
m under
[8].
Figure3: Newstructureof principals (a) Server
(b) CUent
Application Module
" ddi ; !,"(('c,'m)).. res.p.°7'(.c,m) Coordination ....
_..
.
Module
abcast(m)
Module request'(
send( c, m)
receive.,, -, -- ""1• ....... Communication
Application
....
" ' ccepOh .......
Module
m)
......
Communication
Module
t Network
Validity,
Delivery
deliver _ that tions;
and
we propose
to ensure
require
Order,
correct
that
a correct
Our
routines
corresponding
partial
at the
cryptosystem
each share
results
can be combined
m,
in the
sense
m without
corresponding
share,
from
The
half of Delivery
will eventually
that
a method
without
k partial
signature
against and
will employ
a partial
implementations Validity
of request _ and
with
no further
be delivered
at all correct
a (k, n)-threshold
cryptosystem.
some
number
purposes,
we will say, informally,
the
private
a public
the ciphertext knowledge
cryptanalytic
assump-
servers,
we
of shares,
in addition
a (k, n)-threshold
under
the
public
any
key,
k of these
be necessary
be computationally
infeasible
against in that
result
for m without
k other
threshold they
the
shares. cryptosystems
may
to plaintext/ciphertext cryptosystem
of the
should
key without
key cryptosystems
A (k, n)-
n shares
of m, where
a partial
attacks
and
of k shares
key it should
or the private
key
m encrypted
for m, (ii) compute
public
that
message
from
Moreover,
schemes,
results
for any
m.
a share
conventional
of generating
result
results
or (iii) compute
threshold those
servers
to decrypt
of partial
following
request
different
to produce
to (i) decrypt
differ
client's
key in such a way that
can be used
As with
still hold.
all but the second
is, informally,
private
to decrypt
Consistency
> k + b.
cryptosystems
threshold
Delivery
satisfy
Threshold deliver'
Network
is secure
involve
the
pairs.
For our
if it satisfies
use
the
properties:
1. Possession facilitate
of only k - 1 or fewer shares decrypting
new
ciphertexts.
and of partial That
results
is, if a possessor 12
for various
ciphertexts
of such information
does
not
can decrypt
a new ciphertext, or partial
results
threshold
cryptosystem
The
o
even
attacks.
though
corresponding This definition far
in the
that
Because
the
scheme directly
would
be encrypted
partial
result
4--i.e.,
am,i
implementations
public
mod N.
Then,
of threshold
m'
-- Am,T
cryptosystems
_
have
given
ciphertexts
to
cipher(but
ciphertezt
based
the
not
attack).
cryptosystems
upon
conventional
attacks. are operationally
of a (k, n)-threshold
scheme
described
N would
proposed,
identical
in
cryptosystem
in section
4. Messages
usual
manner,
and
be defined
precisely
as in section
in the
m • [IieT(a,n,i) been
is resistant
of threshold
a message
of the service
m -- (mr) e mod
is built
other
are
ciphertext
signature
it is built.
in a chosen
implementations
one implementation
key (e, N)
message
be possible
in [11], says that
to decrypt
to various
and decrypting
the (k, n)-threshold
the
[9] cryptosystems
the
p_,r for any
T of size
k.
based
both
RSA
upon
the
i-th
Other and
[6, 16].
protocol
Suppose initial
that
we are using
conditions
principal
request
T.
The
each correct
of) m until
the
been
fixed at some,
delivery This
case
with
against
our
and
or any
them)
is resistant.
is that
from
given
each client
broadcasting
servers,
and
the
that
we have
the
of K,,
any
(a priori)
Pi,T
sole possession
c encrypts
to force k servers
for m,
and
and all servers
its partial
(c, m) is fixed locally. results
above
know the
contents
to cooperate result
to decrypt
for (the
In this way, if corrupt
sequence
no requests
of requests
can be placed
it.
ciphertext < k, then
through before
m of its
(c,m)
has
(c, m) in the
servers. Causality that
proposed
as described
which neither
through
k partial
s_ is secretly
in an attempt
refrains
thus all, correct
preserves
protocol
server
collects
the assumption this
of our protocol
sequence
at correct
protocol
under
is that
server
sequence
idea
described
key (e, N) of the service,
key of the service,
delivery
a corrupt
Even
basic
cryptosystem
4; i.e., server
the public
or honest
once
RSA threshold
in section
obtain
with the public
Then,
the
assumed
can reliably
for all i and
upon
from
manage
of any shares
on which
cryptosystem
cannot
to chosen
and cryptosystem,
under
mg'
all proposed
a message
is formalized
of all implementations
to be vulnerable
for an encrypted -_
that
acts of signing
can be obtained
The
sense
threshold
as would
knowledge
cryptosystem
corresponding
of its choice,
without
which
cryptanalyst
with the security
are known
the RSA signature
is, the
the
it can see the plaintext
is in accordance
cryptosystems
E1Gamal
That
ciphertext
as the conventional
on which
to ciphertexts
proposed,
that
This property,
is as secure
cryptosystem
plaintezt
texts
it could also decrypt
for any ciphertexts.
conventional
known
thus
then
iff each server
this cryptosystem implementation above
is secure,
a corrupt
k partial however,
of a (k,n)-threshold
allows a corrupt
the RSA nor the E1Gamal In our setting,
requires
server
cryptosystem server 13
results
for m to decrypt
this unfortunately cryptosystem.
to mount
chosen
(nor any threshold
m.
is not the The
problem
ciphertext cryptosystem
can see at any time how any ciphertext
attacks, based m of
itschoosing is decrypted,by simply requestingthat a corrupt clientc issue (c,m) as an apparently legitimaterequest to the service.The corrupt servercan then collectk partialresultsform to see the plaintextto which m decrypts. Methods of using chosen ciphertextattacks againstthe RSA
and EIGamaJ
cryptosystems are
well-known. Here we illustrate one method, originallydue to Moore (see [5]),by which a corrupt servercan decrypt the RSA
ciphertextm - (m_)e rood N in a correctclient's request(c,m) without
waiting to receivek partialresultsfor m. I, The corrupt serverchooses an arbitraryx and computes y -=xe mod
N; i.e., x - yd mod N. 7
2. Via a corrupt client, the corrupt serverissuesa requestwith contentsyrn rood N to the service. 3. The corrupt servercollectsk partialresultsforyrn rood N and forms (yra)d mod N. 4. The corrupt servercomputes x -I _-v-d mod N, and then x-l(ym)d (NB:
If x does
gcd(x, Similar
Ideally,
we would that
given
a share
ciphertext
from a corrupt one.
in section
key for the
may when
obvious
server:
if each
request
on
issued client's
mod N.
server
can factor
N because
client
the keys and
described based
attacks.
use a separate
ciphertexts using
a request of correct
the shares
of this design,
must
key for that
as well as ways to improve
no such that
are
be prevented.
server
si would
from client ct. This prevents because
key
key for the service.
and each
clients,
of the
key cryptosystems
encryption
(et, Nl),
public
however,
such attacks
public
be a pair
mentioned,
public
Therefore,
to decrypt
on a conventional
As already
impractical.
c_ would
in [6, 16].
any request
client,
and
be
chosen received
not a correct
it in practice,
are discussed
6.
that
7The
l-th
cooperating
ramifications
m'
corrupt
and even conventional
each client
will be decrypted
The one remaining
determine
ciphertext
(e.g., [8]) are highly
against
The practical
results
of chosen
has been proposed,
client
the
cryptosystem
Ki,t for use when
attacks
then
like to find a threshold
is tolerant
public
N,
_
of N.)
way to do this is to have
is, the
mod
(rn,)ed
cryptosystems
of such attacks
That
__ m d _
with the threshold
cryptosystem
A simple
y-dydmd
an inverse
factor
are possible
cryptosystem
tolerant
have
N) is a prime
attacks
threshold
not
=
disrupt
of this
attack,
client
signs
correct
the request),
the
it has properly
form
behalf
problem
of the client then
whose
by issuing
in our protocol decryption
process.
decrypted in which
signature a request
y -
of its appears
containing
corrupt
Therefore,
a request. x -
the contents
is that
1 mod reqt_est
N,
could
before
m,
the corrupt
14
can provide
it must
To facilitate
on the decrypted
request.
servers
be possible
this, clients
easily
be made
encrypting
it and
contents server
only
incorrect
(and
for a server
are required
unproductive each not
expedites
partiai
correct
to
to send
for the corrupt server
necessarily the delivery
delivers
the client
that
of the correct
a
with eachrequesta message digest
of a given
two messages target
message
having
message but
message
digests
could
does
can be computed
the
digest.
identifies,
and
the
...... is injective,
implementations here.
Let Then,
Routine
request'(m)
Routine
m))
does
3. Wait
at server
Claim
3 This
Proof.
(Delivery
called exactly latter
of the former the request are received same
type.
satisfies
Atomicity)
set {a,_,j}jer,
and
that
digest
the joint
that
identify
that
use of
a cryptanalyst
of this assumption
We also note
uniquely
obviously
if the message
a meSsage, s Several
digest efficient
(e.g., [23]) but will not be discussed
execute
as follows.
message
digest
D = digest(m)
of m.
return
to the calling
routine.
am,,i = (m') K''_ mod NI. results
{am',j}jeT,
then execute
Delivery
IT[ = k + b, for m I have been
servers
If only fewer than be delivered servers.
Delivery
Atomicity
received
server,
By Receipt
IT[ = k + b, of partial
Order,
and Delivery client
at any correct
and so now consider
k + b partial
at any correct
= D. If such a T' exists
results server.
Order
results
So, suppose
server.
attempting
deliver r is either
Clearly
a request
that
Consistency.
request
for m _ are received
of 7_, all correct
when
and
Am,,T,)).
of D, for each
or never called
at any correct
digest(A,n,,T,)
deliver((cl,
Atomicity,
By Delivery
delivered
at all correct
message
si:
is a valid request,
will never
a prespecified
of m.
T _ C T of size k such that
once at all correct
type is never
digests.
to produce
having
information
validity
infeasible
servers).
for a subset
protocol
The
m' =- m e_ mod Nt and
where
k + b unique
Am',T'
reveal
the message
(m', D) ).
abcast(a,n,,i),
4. Search
one.
message,
that
ct:
until the first k + b partial
(from
not
message
the included
have been proposed
1. If m is not of the form (m J, D), then 2. Execute
that
in fact, uniquely
digest
RSA ciphertext
request(
deliver'((et,
functions
deliver I routines
at client
the
does,
any
of the encrypted
of message
digest
have the property
but it is computationally
assume
of either
the message
request I and
2. Execute
properties
digests
or to produce
cryptosystem
digest
denote
1. Create
contents
implementation
of message
the
the
a message .......
digest(m)
digest
we henceforth
threshold the
Message
efficiently,
message
not disclose,
on the chosen
function
same
Accordingly,
use to circumvent
depends
digest of the request.
a request
(c, m), m = (m _, D),
at correct
k + b partial
servers to decrypt
of the
employ
servers, results
then for m _
precisely
m _. Therefore,
the one
'One such implementation employs a deterministic public key cryptosystem: the digest for a message is computed by encrypting the message under an a priori, commonly known public key, for which the corresponding private key has been destroyed and is not known. 15
correct server request,
delivers
assuming
(Delivery calls.
And,
argument
some request
that
Order)
any
for Delivery
Atomicity
Consistency)
received
server (by Receipt use the
same
servers
do.
sequence
of requests
Claim issued
the
4 A correct that request.
(That
This
follows
honest,
then
deliver'((c,
Claim
5 If correct
servers. Proof.
(That If correct
are broadcast deliver'
D, implies
that
eventually
executed
at least
From the above Claim
6 This
correct
> k + b.
We now prove Claim Proof.
protocol
7 If the threshold Suppose
at which
request
that
the ciphertext
makes
correct
issues
we immediately satisfies
cryptosystem
satisfies is secure,
cryptosystem
m' in a request
the sequence
received
at a correct it will
as the
correct
will be a prefix
of the
servers.
of D, if c is correct
the
request
Validity
at correct servers,
servers,
if c previously
[]
at all correct
at least k + b partial
together
by a correct results
server,
client
results
each call to
with Delivery
Validity
c, deliver'((c,
used to decrypt
m' can be decrypted
or
holds.)
So, at a correct
This,
(c, m).
it will be delivered
half of Delivery
progress.
c only
and
of
ml)is
m' contain
delivered.
[]
the following.
the specification
protocol
the threshold
have
because
client
Validity
a request,
Since the k + b partial
and honest
ca_s at an honest
many messages,
server
only if c issued
(c, m}, m = (m', D), issued servers.
calls.
holds.)
by Delivery
at all correct
i.e., the service
that the above
client
the second
received
of deliver
each request
or honest
Validity
server
for each call to deliver'
at all correct
claims,
a correct
that,
at a correct
> k + b, then
from
fact
to decrypt
at an honest
half of Delivery the
sufficiently
from the
[]
from
if a correct
therefore,
results
server.
receives
results
delivered
a request
from
> k + b, then
for any
k partial
of requests
m)) is called
returns;
of deliver'
of messages
delivers
>_ k + b, then
eventually
the sequence
of deliver'
it follows
the same sequence
server is a prefix of the sequence
immediately
by and,
of'D,
again,
Moreover,
is, the first
is, if correct
deliver I is called
servers execute
Consistency
at a correct
the same
the same sequence
of deliver _ calls at a correct server.
sequence
server
before
ITI = k + b, of partial
delivered
Proof.
returns
of 7_), if the honest server
{arn'j}jET,
all correct servers deliver
a single request.
that all correct
at an honest
Thus,
servers do, and
of D, all correct servers execute
By Delivery
Consistency
set
Order
call to deliver'
server is a prefix of the sequence of messages
identifies
By Delivery
because
(Delivery
D uniquely
iff all correct
of atomic
broadcast
(for client
requests)
whenever
Causality. then
this protocol
is secure
and
satisfies
corrupt
< k. Then,
(c, m/, m = (m _, D 1, from a correct
16
Causality.
client
the
earliest
point
c can be decrypted
anywhereis sometimeafter somecorrector s be the first correct
or honest
Delivery
Consistency
of :P, all correct
sequence
of deliver'
before
deliver'((_,
plaintext
partial and
calls that
results
s executes.
In this case,
Therefore,
requests
will be delivered
execute
for m'.
(possibly servers
after m' was decrypted. is satisfied.
deliver'(
its partial
result
all correct
at all correct
the
broadcasts
its partial
eventually
Causality
not be delivered
for m'.
no more
servers
to) m', then
m' could
server
to broadcast
fit)) for any (_', fit) issued
corresponding
way in which
server
honest
an extension will execute
Order
and
of) the same deliver'(
servers
because
c is correct,
is if the correct servers
server,
Let
By Delivery
(c, m)) call at each correct
at any correct
for m'.
If all correct
Moreover,
servers
result
thus trivially
deliver
never
server
(c, m))
the only
receive
will never
satisfying
(the
k + b
return,
Causality.
[]
Discussion In a failure-free
run,
R. (i.e., abcast),
which
client
requests
the replacement
and
can be executed
the protocol
is 2n -t- 1 broadcasts structured chosen
for both
number
of servers
designated
As in the protocol a server corrupt that
do not
common from
a corrupt
client
requests
the cost of decrypting additional
each client possesses desiring O(nlog
that
that
service
Causality,
n) bits of public
for all instances Finally, violations relationship
we note
of causality, between
that
can be ignored.
it does security
(see appendix are verified
needed
this
a request.
In fact,
a ciphertext
and digest
corrupt
clients.
A bad
if (k+b) is small,
however, and
that
a
in the request
and
then
we do not expect
so while we are pursuing
A), we do not view this as essential.
at all clients public Each
with
it may require
a small
systems,
so the
encryption
server which
for computing
with
a single
key but
key for the service,
now possesses it cooperates the pi,T'S.
public
each client
one key share to sign responses
(The
same
that
per client and
the
pi,T'S can be used
and cryptosystem.) protocol
not necessarily and
in most
for k is
(k+b), and
We reiterate,
factor
value
> k + b, and
to decrypt
by sending
a small
complexity of responses,
same
because
of time
scheme
while
expensive,
to be able
of
to min {t + 1, n- (k + b) + 1}.
amount
to the key share
of the signature
be reduced
(k+b) subsets
has an additional
information
only if correct
in a reasonable
keys for the service.
in addition
the
from correct
responses
two public
if, e.g.,
requests
to be a limiting
Causality
results
message
4) plus the number
that
should
n executions
is used to disseminate
the total
cost of decrypting
to this process
desires
at most
client
requests
optimizations
Assuming
of partial
can be detected that
noting
we rely on heuristics,
the expected
from
see section
is potentially
to sort through
As before,
in an additional
when this protocol
can be guaranteed
4, step 4 of deliver'
can force each server "match."
only;
to each request
(k+b) subsets
case to reduce
subsequent
to respond
Thus,
It is worth
Availability
of section
to sort through client
phases.
then
results
4 is used to sign responses,
can be reliable
communication
protocols,
with deliver'
concurrently.
of section
(n of which
in four
of deliver
causality
prevents address
is a topic
17
a potentially
all such attacks. of ongoing
serious A further
research.
attack
arising
examination
from of the
6
Implementation
As mentioned of sections
in section 4 and
we comment
on three
keys or the
Instead,
that
issues;
bear
on the
several
important
have
purposely
in other
comments
in appendix
B, we intend programming
toolkit.
implementation problems, been
and
techniques
In this section
use of our
such as the periodic
omitted
cryptographic
here are restricted
to use the
systems
to issues
from and
that
protocols. changing
discussion
because
can be solved
using
of they
known
may not be pertinent
to most
protocols.
broadcast
As previously
described,
whose
can suffer
to consensus,
even a single
impossibility
crash
several
result
In the short
e.g.,
systems
only
benign
failures,
protocols
from an intruder.
operating
system
to protect
the integrity
mechanisms
protocols,
coordination
and
make
would
remain
In extremely corruption, tolerant
thus
definitions in which
of honest there
processes.
broadcast
failures have
such
to find
system
that
the usefulness
circumvented
then using
would
the Isis protocols of servers
need
secure
boot
platforms
this
by Isis are
to be taken
when
su_ciently
robust
security
with the
security
passwords
participat-
environments.
then run as application
their owners'
of the
physical
sites from
for most
of
the Isis
Isis as part
and
coupled
unauthorized
tolerant
to insulate
by running
procedures
measures,
for imple-
would be implemented
used
to prevent
could
(e.g., because
of servers
be achieved
These and
promising
the protocols
this could
intruders
environments,
are known
With
modules
Because
systems.
or replaced
the above
of Byzantine
to diminish
pro-
processes,
The so that
were guessed)
the Isis
intact.
hostile
and
and
modules
even if some were corrupted protocols
site
network
application
in an asynchronous
to be the most
precautions
systems
of site operating
should
appear
primitives.
additional
server
broadcast
that it is impossible
[15]) have successfully
the communication
In many
of [22] to defeat
ing in the
as these
multicast
of each
broadcast,
atomic
purposes.
such
however,
thus atomic
however,
[10]. While at first this may appear
The idea is that
the Isis atomic
of an underlying
(e.g., Isis [2] and Amoeba
for all practical
term,
the existence
3. It is well-known,
and
failure
systems
our protocols.
using,
assume
is given in section
solution
of our protocols,
menting
our protocols
specification
a deterministic
atomic
issues
encountered
further
of the Isis distributed
of key shares,
our
cryptographic
Atomic
version
all relevant
to problems
techniques.
discussed
practical
distribution
are similar
tocol,
1 and
5 in a secure
We do not discuss
other
issues
approach (with
already bounds
a protocol,
protocol
however,
for client
may
it may be impossible not suffice.
authentication)
on message only
(e.g.,
transmission
the subsystem
requests
In this case,
are required.
been implemented
atomic
Protocols
that
[4]) for synchronous times
of servers
can be implemented
18
to protect
sites from
broadcast
protocols
suffice
systems,
and execution must
all server
speeds
be synchronous,
using an atomic
for various i.e., systems of (correct) because
broadcast
an
protocol
for the servers where
alone,
the servers
are more
dispersed
of section
However,
in a recent
solution
to Byzantine
Public
encryption that
of section
correct
ciphertexts
that
require
the client
to the servers in which among
own
that
the shares
a public
to decrypt
is a substantial it may
service.
in chosen
the trading
service
example
same
public encryption
a firm authorized its share
a request
require
from that
encryption
key could
based
a method
little
systems.
to transform
any
broadcast.
to issue
broker.
Another
be relaxed
of corrupt we have
on messages
a different chosen
public
ciphertext
with
requests.
encryption attacks
the service
for each
before
using
of the service
While
key
against
parameters
it, so
can provide
this could limit the settings
this is not unreasonable
attacks
the
against
5. Assuming
in the same
if maintaining
requests to the
way in which is described
each
of cLients
causality
a broker
then
public
key given
addition
key pair
in a single
simplify
service
to that
or the secure
in the following
To illustrate
each
of this,
use the
could
cooperating
(i.e., broker)
each client
one
e.g., after
server
distribution
its
in chosen
firm could
firm when
of a new client
that
members
key management:
on its behalf,
the requirement
the
trust
will not cooperate
all brokers
clearly
cLient have
mutually
key for the service.
to the
In this way, the
that
one another,
that
firm,
This would
requirement
if a group
encryption
of a new pubLic key/private
to the servers.
that
brokers
key corresponding
key shares
One resource
of section
other
a new broker
the generation
Detection
has been
and asynchronous
and the administrator
For instance,
public
key for the service.
of the private
decrypt
There
cryptosystem
"registered"
to relax
ciphertext
to use the same
against
have
separate
this client's
be possible
choose
attacks
e.g., the
concern.
group might
ciphertext
having
we beLieve that
key for the
participate
client
from mounting
key for the service
cLient requests
to not
server
In general,
can be used,
in practice
each
cLient be individually
necessary
pubLic encryption
recall
cipals
or keys. each
that
a corrupt
our protocols
another that
5 requires
to prevent
can obtain
Nevertheless,
can be improved: >_.k.
described atomic
the clients means.
synchronous
to Byzantine
but where
by such predictable
it is live if correct
T. D. Chandra
in a situation
keys
in order
may
network,
with the servers
for partially
9 into a solution
be feasible
then our protocols
so that
protocols
might
and predictable
is synchronous,
communication,
consensus
for the service,
client
this approach
to communicate
be modified
broadcast
private
the protocol
cLients'
unable
of servers
atomic
3. Thus,
by a highly reliable
5 can easily
work on Byzantine
Recall
and
if the subsystem
protocol
in section
can communicate
widely
Moreover,
as outlined
need
use to not
of new private
have its own public
subsection.
principals not fully exploited received
from
those
in our protocols principals.
Such
is the
ability
techniques
to detect have
been
corrupt used,
9Due to [I0], any solution to Byzantine consensus in an asynchronous system must be randomized [3].
19
prine.g., in
numerousByzantineagreementprotocolsto isolate and
quarantine
to improve
corrupt
overM1 system
One example executes
not compute detect
where
5 would
digest((ym)
any
client
this threat
of detection
Our appendix
to exploit
any ciphertext
could
a server
from mounting
in section
several
of the corrupt
knowing
to be sufficient
to detect attacks
5: if a correct
from
to deter
and
server
client,
to detect
partial
research
because
that
attack
client
could
moreover,
the corresponding
chosen ciphertext
to our protocols
an incorrect
ciphertext
would
plaintext.
attacks,
If
then all clients
key for the service.
techniques
improvements
of ongoing
the chosen
(ym) a mod N. This technique,
public encryption
has provided
In particular,
for which it did not know
also benefit
them are topics
was given
be corrupt.
N) without
is believed
A we describe when
can be detected
lead to the detection
to use the same
protocols
methods
m = (m', D), but in step 4 of deliver I there is no set T' of size k
_ mod
issuing
could be allowed
client
= D, then c must
in section
In practice,
could be used to deter such principals
of how a corrupt
digest(A,n,,T,)
illustrated
principals.
performance.
deliver_((c,m)),
such that
detect
principals
faulty
and
corrupt
servers.
that would
result.
Other
result
detection
will not be discussed
For instance,
in
from the ability
techniques
further
to
and
ways
that
each
here.
Summary While
the
client
requirements
use a different
in many
real
that public
systems
an underlying encryption
these
to implementing
each client
have its own public
techniques
to detect
7
to achieve
Related
The
efficient,
than
such
can be used
to construct
Using thentication
corrupt
to reduce
principals, and
our
the
be available practicality
restrictions.
as well as methods
We believe
secure service
and of our
protocols,
We have described
for relaxing
protocols
that,
that
and
described
for some
The method
a service,
unlike
by [12], which presents
service
are corrupt.
to construct
the service,
protocol
key for the service.
fault-tolerant,
inspired
key provided
k servers
advantage
seem
substantial
broadcast,
encryption
broadcast
that,
several
the requirement
that
when
with
can be applied
combined
in many
types
of
implementations.
work
authentication
encryption
atomic
and isolate
This work was largely vice.
key may
will not constitute
approaches
systems
atomic
because
the state
machine
was first considered
discussed
approach
shared
two principals
value
k, at least
in the present
additional
public
described
not one for each server.
allows
prespecified
of the
an analogous the service
there
a replicated,
secrecy
to establish k servers
work cannot
need
service
immediately
only possess
has
and
our the
at most
shared fewer
be applied
However, that
ser-
a secret,
are correct
requirements.
key authentication
in [12], a client
key authentication
method
additional
two keys for
:: to construct
in [17]. Since then,
2O
services other
tolerant
authors
of arbitrary
have focused
failures
on secure
with
au-
replication
of data.
Secure
both data a client
integrity
replication
to be able
sal algorithm
quorum
methods
are important.
to compromise
to authenticate
is developed
decomposes
using
and secrecy
may also be able
expected
8
data
to facilitate
a file F into n pieces,
In these schemes,
the integrity
data
is considered
and
repositories.
in [14] for the case in which
however,
secrecy
an intruder
of all data.
Moreover,
In [20], a space-efficient
the provision
of data
each of size lFI/l,
integrity
such that
that
corrupts clients
information
and availability.
any l pieces suffice
are
disper-
The
scheme
to reconstruct
F.
Conclusion
We have
presented
a method
for securely
Using our technique,
a service
parameter
will accept
and
k, a client
correct
>_ k. We have
A security and
breach
this problem.
of learning
advances
Moreover,
requires
to their
that
and
argued
computed the
ability
and public
implementation
and
to violate
of our
the
state
in such a way that
by a correct
< k and
machine
approach.
for some
provided
causality
correct
prespecified
that
among
corrupt
client
was illustrated,
is that
they
cryptosystems
and threshold through
a safe
to counter
free the
This is achieved
< k
requests. and
>_ k + b, was presented
methods
of our techniques
server
causality
key of each server.
threshold
for the feasibility
using
issue of maintaining
feature
namely
services
as n servers
corrupt
novel
the identity
in cryptography,
we have
pertinent
a response
from an intruder's
An important
responsibility recent
which
can be replicated
also addressed
resulting
live approach,
replicating
client
of the
by employing signature
a discussion
two
schemes.
of several
issues
use.
Acknowledgements This work
benefited
Milwaukee).
Tushar
(Cornell benefited
University)
tremendously Chandra provided
from comments
from discussions
(CorneU helpful
by Li Gong
University)
comments (ORA
with
Yair
contributed
Frankel
(University
of Wisconsin
several
discussions,
and
and information.
Corporation)
and
Sam
at
Toueg
Presentational
aspects
of this paper
Cliff Krumvieda
(CorneU
University).
References [1]
BIRMAN,
K. P., AND JOSEPH, T. A. Reliable communication Transactions on Computing Systems 5, 1 (Feb. 1987), 47-76.
[2]
BIRMAN,
Research
of failures.
K. P., SCaIPER, A., AND STEPI-IENSON, P. Lightweight causal and ACM Transactions on Computing Systems 9, 3 (Aug. 1991), 272-314.
multicast. [3] CHOR,
in the presence
B.,
AND
DWORK,
5 (1989),
C. Randomization
in Byzantine
agreement.
Advances
atomic
ACM
group
in Computer
443-497.
[4] CRISTIAN, F., AGHILI, H., STRONG, R., message diffusion to Byzantine agreement.
AND DOLZV, D. Atomic broadcast: In Proceedings of the International 21
From simple Symposium on
Fault-Tolerant
Computing
Laboratory
Technical
(June
Report
1985), pp. 200-206.
RJ5244
(April
A revised
[5] DENYING, D. E. Digital signatures with RSA and other cations of the ACM 27, 4 (Apr. 1984), 388-392. [6]
DESMEDT,
Y.,
CRYPTO Verlag, [7]
AND
Y.
Lecture
Y.,
Advances
AND
public-key
Threshold cryptosystems. Notes in Computer Science
[8] DoLEv,
FRANKEL,
Y.
Shared
in Cryptoloyy--CRYPTO
J. Feigenbaum, D.,
'91 Proceedings,
Ed. Springer-Verlag, Dwolts,
Symposium
C.,
on
as IBM Research
cryptosystems.
Communi-
In Advances in Cryptology-435, G. Brassard, Ed. Springer-
of authenticators and Lecture Notes in Computer
FISCHER.,
M.
J.,
with one faulty
LYNCH,
process.
of Computing
i.
A.,
Journal
signatures.
Science
In
576,
1992, pp. 457-469.
AND NAOR., M.
Theory
generation
Non-malleable (May
AND
PATER.SON,
of the ACM
cryptography.
In Proceedings
of the
1991), pp. 542-552.
[9] ELGAMAL, T. A public key cryptosystem and a signature IEEE Transactions on Information Theory IT-31, 4 (July [10]
appears
1990, pp. 307-315.
DESMEDT,
ACM
FRANKEL,
'89 Proceedings,
version
1989).
M.
S.
32, 2 (Apr.
scheme based on discrete 1985), 469-472. Impossibility
of distributed
logarithms.
consensus
1985), 374-382.
[11] FR.ANKEL, Y., AND DESMEDT, Y. Distributed reliable threshold mu!tisignature. Tech. Rep. TR-92-04-02, Department of EE & CS, University of Wisconsin at Milwaukee, Apr. 1992. [12] GONG, L. Securely replicating authentication services. In Proceedings Conference on Distributed Computing Systems (1989), pp. 85-91.
of the IEEE
[13] GOPA5, A., AND TOUEG, S. Inconsistency and contamination. In Proceedings Symposium on Principles of Distributed Computing (Aug. 1991), pp. 257-272. [14] HERLIHY, M. P., Cryptology--CRYPTO Ed. Springer-Verlag,
International
of the ACM
AND TYGAR, J. D. How to make replicated data secure. In Advances in '87 Proceedings, Lecture Notes in Computer Science 293, C. Pomerance, 1988, pp. 379-391.
[15] KAASHOEK, F. M., AND TANENBAUM, A. S. Group communication in the Amoeba distributed operating system. In Proceedings of the [EEE International Conference on Distributed Computing Systems
(May
1991), pp. 222-230.
[16] LAIrI, C. S., AND HAR.N, L. Generalized threshold cryptosystems. In Advances in Cryptology-ASIACRYPT '91 Proceedings, Lecture Notes in Computer Science. Springer-Verlag, 1992. [17] LAMPOR.T, L. The implementation Networks 2 (1978), 95-114. [18] LAMPOR.T, L. Time, of the ACM [19]
LAMPORT,
actions
clocks, and the ordering
21, 7 (July L.,
of reliable
SttOSTAK,
on Programming
1978),
distributed
of events
multiprocess
in a distributed
systems.
system.
Computer
Communications
558-565.
R., AND Languages
M. The Byzantine generals problem. and Systems 4, 3 (July 1982), 382-401.
PEASE,
22
ACM
Trans-
[20] RABIN,M. O. Efficientdispersalofinformationfor security,loadbalancing,andfault tolerance. Journal
of the ACM
36, 2 (Apr.
1989), 335-348.
[21] RAI3Ir_, T., AND BEN-OR, M. Verifiable secret majority. In Proceedings of the ACM Symposium 85. [22] REITER,
M.
distributed (May
K.,
BIRMAN,
system.
1992),
K.
P.,
In Proceedings
ASD GONG, of the IEEE
Springer-Verlag,
[26] VOYDOCK,
V.
L.,
Computing
of verifiable
threshold
signature
the
threshold
servers
impact
knowledge
there
analogous
to verifiable
postulating
true time)
1983),
mechanisms
the
state
machine
in high-level
approach:
network
A
protocols.
135-171.
improvements
signature
to efficiently
of verifiable
schemes
schemes
practical
to our and
is one
detect
with
whether on our
threshold
protocols
that
cryptosystems.
properties
produced
protocols
only
which
result
that
its partial
from
have received
would
enable
correctly.
because
However,
the
a verifiable
result
in an appendix
of such schemes.
schemes,
would
For our purposes,
additional
a server
implementations
(conventional)
capture a predicate
correct
4, ok(m,
iff a,n,i -
'90 Eds.
to our
such schemes
substantial
are
attention
(see, e.g., [21]).
We abstractly
cryptosystem
services using 1990), 299-319.
Security
or cryptosystem
are no known,
in the literature
section
oriented
and Privacy
cryptography several
scheme
and honest
a,_,i is si's
i5, 2 (June
we identify
discovery
by
in a group
in Security
L. A method for obtaining digital signatures of the ACM 21, 2 (Feb. 1978), 120-126.
fault-tolerant 22, 4 (Dec. S. T.
threshold
appendix
We discuss
AND KEI_T, Surveys
Verifiable
correct
security
on Research
algorithm. In Advances in Cryptology--CRYPTO Science 537, A. J. Menezes and S. A. Vanstone,
AND ADLEMAN, Communications
[25] SCHNEIDER, F. B. Implementing tutorial. ACM Computing Surveys
In this
Integrating
1991, pp. 303-311.
[24] R.IVEST, R. L., SHAMIa, A., and public-key cryptosystems.
A
L.
Symposium
pp. 18-32.
[23] RIVEST, R. L. The MD4 message digest Proceedings, Lecture Notes in Computer
ACM
sharing and multiparty protocols with honest on Theory of Computing (May 1989), pp. 73-
partial
i, am,i)
the verification ok
such
result
would
aspect
that
ok(m,i,
for m.
be true
m h'',_ mod Nt.
We assume
evaluation
may require
additional
information
at all correct
the servers via existing
signature iff (with
in the
RSA
m from a client that
to be given protocol
servers.
additional
messages
23
when
a priori
or additional
probability) described
the
5, ok(m,
efficiently
cryptosystems
high
implementation
ct as in section
Depending
and
a very
Similarly,
ok can be evaluated
and honest
schemes
is true
iff a,n,i =- m K_ mod N.
a request
model
ar,,i)
For instance,
is used to decrypt
in our system
of verifiable
RSA
threshold
i, a,,_,i) would
(and
phases
be
in polynomial
on the implementation,
information
in
this
or to communicate of communication.
Of
course,we also require that this additional information doesnot compromisethe securityof the thresholdsignatureschemeor cryptosystem. Giventhe predicateok, our protocolscanthen bemodifiedasdescribedbelow. In the following descriptions,rbcast is a reliable broadcastprimitive providedby servers'communicationmodules that replacesthe strongerabcastprimitive. (If/¢ is usedto implementD as describedin section3, however,then abcastmuststill be availableto the servers.) RoutinerespondS(c, m) 1. Execute 2. Wait
at server
rbcast(am.i),
to receive
ok(ra, j, am.j) 3. Execute The routine Routine
2. Execute
m K' mod N.
ITI = k, of partial
results
for m such that
for each j E T,
(m, Am,T)).
remains at client
the
am,i -
is true.
acceptS(m)
1. Create
where
a set {am,j}j_T,
respond(c,
requestS(m)
si:
the same. cl:
RSA ciphertext
m' - me* rood
NI of m.
request(re').
Routine deliver'( (ct, m) ) at serversi: i. Execute rbcast(am,i), where am,i - raK''tmod Nl. 2. Wait to receivea set {areal}jeT, IT[= k, of partialresultsform such that foreach j E T, ok(m,j,
am,j)
is
true.
3. If Am,T is a valid request, It was already results
in the respond
is the elimination the exponential eliminated because
in section
_ routine.
of the (worst search
all correct
need
use k correct
partial
respectively
Claim
> k, then
servers.
(That
is, if correct
decryption digests
to decrypt
can be strengthened 8 If correct
broadcast
could
resulting
that
signature
will properly
partial
with the requests,
request.
results
same
partial
decrypt
a request
has been
results
in deliver'
partial
to decrypt
each request,
because
correct
most
importantly,
and
routine
from step 2. Similarly,
sets of partial results.
again
Finally
to disseminate
from the use of ok in that
for a correct
results
be used
can now be used to disseminate
in their each
Am,T)).
broadcast
search
will use a set of k correct
message results
deliver((cl,
reLiable
case) exponential
to attempt
to include
4 that
to find a set of partial
servers
required
execute
So, the key improvement
from de/iver _. Reliable
are no longer longer
noted
then
and thus
Also,
servers
clients
no
will always
Claims
5 and 6
to: if a correct
> k, then
client
the second
issues
a request,
half of Delivery 24
it will be delivered Validity
holds.)
at all correct
and Claim
9
correct
>_ k.
That
This protocol
is, llveness
sections
is guaranteed
The
of atomic
>_ k.
which
appendix, of this
broadcast
It is not difficult
(for client
to verify
requests)
that
the
whenever
other
claims
of
assumptions The
made
distributed
loosely
coupled
component actions
and
tems.
provides
and
are
computation,
and
become
simply,
widely
Initially,
Isis did not address the
architecture
and
the
are intended
research.
to be used in the
applications.
In this
will incorporate
the
degree
it supports
design
provide
strong
ordered
including
services,
to which
mechanisms the
questions from the
the
by other
sys-
these
to recover
network
mechanisms,
reliable
data,
from failures
A still higher
file system,
system,
virtually
replicated
so forth.
by hundreds
in which
blocks:
for managing
and developing
of distributed bottom
and greater
security.
up was initiated. thrusts
attention
the basic goal of this security
abstractions
Using
despite
and
level
a network
a programming
reactive
of academic,
control
sys-
commercial
efforts.
as one of the major
philosophy
multicast.
messaging
used
taken
building
and
on supporting
applications
reconfiguring
highly
guarantees
the actions
mechanisms
a wide-area
is currently
has been
two basic
computation,
applications
and
towards
group
for building
consistency
with
components,
of tools
project
such as a fault-tolerant
system,
and development
Isis system
of the
to the programmer
of system
popular
a collection
Isis is oriented
causally
distributed
has emerged
the present,
of the Isis system
of Isis that
be coordinated
provided,
load-balancing
researchers
of a micro-kernel
in our protocols.
of ongoing
distributed
the focus
primary-backup
reliable
for instrumenting
to reimplement
reliable
to develop
must
must
the status
military
Until
Put
atomic,
tools
highly
manager
security
that
component
monitoring
Isis has
highly
its inception,
recoveries.
groups
parallel
environment
direction
in this paper
architecture
To this end, Isis provides
synchronization,
of software
Isis security
applications
of higher-level
or overloads,
secure,
of a new version
Since
by one system
process
a number
developed
in 1985 as an effort
software.
tem components.
resource
began
failures
synchronous
for developing
on the
distributed
taken
is an important
benefits
in this paper.
Isis project
reliable
would yield substantial
algorithms
i and 6, the techniques
the architecture
focusing
schemes
architecture
is a toolkit
we outline paper,
verification
security
in sections
Isis system,
of verifiable
of possible
Isis
As mentioned
and
if correct
the introduction
investigation
B
the specification
4 and 5 hold as stated.
Obviously The
satisfies
in the face of various
25
starting
Introduction
of this activity,
to performance
work has been forms
However,
to guarantee
of malicious
of a comprehensive
along and
attack.
in 1991, an effort
with the adoption
real time. the correct
behavior
Informally,
a system
is viewedasa set of system
provides
guaranteeing that
"islands"
services,
any
on behalf
process
group
of this model,
group,
particular,
we believe
substantial
degrees
and
a number
we expect
of practical
need
not be able
reconfigure clients.
services,
This
replaced
cause that
feature
assumed
the atomic atomic involved
protecting
physical
measures.
(for the time being) To summarize,
service
supported
by the
3. The primary
the
assumed
Recall that
Isis protocols
This approach and sufficient our
few additional
limitations
the implementation with
the
eighteen
new
in section
3 is resilient
we suggested
Isis system,
for most
including
as a security
in
assuring architecture
"tool"
Such
within
this
a tool would
offer
of highly
Second,
fault-tolerant
due to the feature
service
identity
of servers,
that
administrators
systems
a compromise systems,
supporting modes described the
does involve differs
mentioned
without
could affecting
to be transparently
to more
albeit
replicating
systems that
services
hostile
that
implementation
months.
26
practical
of these
to report
techniques,
that
the Isis which
procedures
and
for practicality of our solutions.
application This
in section
will provide
We hope
than
architecture.
enumerated
can be tolerated,
in this paper.
boot
to the security
a security
the assumptions
6, namely
failures
be-
ways from
for this difference,
via secure
has
however,
in important
we view as necessary
at a cost
to include
tradeoffs,
in section
one way to compensate
site operating
represents
of the techniques
respects;
1993.
servers,
architecture
was already
within
on the failure
by early
a
the limitations
of simultaneously
in existing
difference
reimplemented
goes a long way toward
services
Isis security
is now being
architecture
and
site within
of the security
processes.
in the Isis system
for securely
which
number
of initiating
in several
the implementation
individual
the
capable
Despite
key Isis services.
of some server
technique
Isis system,
paper
of
implementations.
techniques
protocol.
of the present
non-replicated
of these
protocol
figures
the
the feasibility
corrupt
advance
capable
performance
facilitate
changing
group.
Implementation
to implement
it would
that
as a significant
or authenticate
even
replicated
in section
broadcast
First,
may also allow
model
broadcast
to using them
and
of even a single
within
to which
but under the assumption
trusted
the first systems
the methods
to identify
implementation
the system
architecture
the corruption
possibly
with secure,
The
violations
to have detailed
benefits.
withstand
the presence
agents
In [22], we showed
be equally
and fault-tolerance.
to implement
of Isis, in addition
that could
clients
Security
itself.
hostile
in such an environment,
Thus,
the new Isis to be among
of both
by potentially
protect
sites would
security
the Isis security
It is our intention new version
it must
as a whole.
lead to arbitrary
we view
is now underway,
which
all member
of the group
could
sites surrounded
of the basic Isis services
process
actions
services
but against
the integrity
within
of trusted
a viable
in the security
3, and with a platform
for
on our experience within
one
year
to
