Authenticated Broadcast with a Partially Compromised Public-Key Infrastructure
Given a public-key infrastructure (PKI) and digital signatures, it is possible to construct broadcast protocols tolerating any number of corrupted parties. Almost all existing protocols, however, do not distinguish between corrupted parties (who do not follow the protocol), and honest parties whose secret (signing) keys have been compromised (but who continue to behave honestly). We explore conditions under which it is possible to construct broadcast protocols that still provide the usual guarantees (i.e., validity/agreement) to the latter.
Consider a network of n parties, where an adversary has compromised the secret keys of up to t c honest parties and, in addition, fully controls the behavior of up to t a other parties. We show that for any fixed t c > 0, and any fixed t a , there exists an efficient protocol for broadcast if and only if 2t a + min (t a , t c ) < n. (When t c = 0, standard results imply feasibility.) We also show that if t c , t a are not fixed, but are only guaranteed to satisfy the bound above, then broadcast is impossible to achieve except for a few specific values of n; for these “exceptional” values of n, we demonstrate a broadcast protocol. Taken together, our results give a complete characterization of this problem.
KeywordsBroadcast Protocol Honest Party Byzantine Agreement Corrupted Party Honest User
Unable to display preview. Download preview PDF.
- 4.Gordon, S., Katz, J., Kumaresan, R., Yerukhimovich, A.: Authenticated broadcast with a partially compromised public-key infrastructure (2009), http://eprint.iacr.org/2009/410
- 6.Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)Google Scholar
- 9.MS00-008: Incorrect registry setting may allow cryptography key compromise. Microsoft Help and Support, http://support.microsoft.com/kb/259496