Secure Applications of Pedersen’s Distributed Key Generation Protocol

  • Rosario Gennaro
  • Stanislaw Jarecki
  • Hugo Krawczyk
  • Tal Rabin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2612)


A Distributed Key Generation (DKG)p rotocol is an essential component of any threshold cryptosystem. It is used to initialize the cryptosystem and generate its private and public keys, and it is used as a subprotocol, for example to generate a one-time key pair which is a part of any threshold El-Gamal-like signature scheme. Gennaro et al. showed [GJKR99] that a widely-known non-interactive DKG protocol suggested by Pedersen does not guarantee a uniformly random distribution of generated secret keys even in the static adversary model. Furthermore, Gennaro et al. proposed to replace this protocol with one that guarantees a uniform distribution of the generated key but requires an extra round of reliable broadcast communication.

We investigate the question whether some discrete-log based threshold cryptosystems remain secure when implemented using the more efficient DKG protocol of Pedersen, in spite of the fact that the adversary can skew the distribution of the secret key generated by this protocol. We answer this question in the positive. We show that threshold versions of some schemes whose security reduces to the hardness of the discrete logarithm problem, remain secure when implemented with Pedersen DKG. We exemplify this claim with a threshold Schnorr signature scheme.

However, the resulting scheme has less efficient security reduction (in the random oracle model)from the hardness of the discrete logarithm problem than the same scheme implemented with the computationally more expensive DKG protocol of Gennaro et al. Thus our results imply a trade-o. in the design of threshold versions of certain discrete-log based schemes between the round complexity of a protocol and the size of the modulus.


Threshold cryptography distributed key generation discrete logarithm exact security random oracle model 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [Bac85]
    E. Bach. Analytic Methods in the Analysis and Design of Number-Theoretic Algorithms ACM Distiguished Dissertation (1984). MIT Press, Cambridge, MA, 1985. 378Google Scholar
  2. [BB89]
    J. Bar-Ilan and D. Beaver. Non-cryptographic fault-tolerant computing in a constant number of rounds. In Proc. 8th ACM Symp. on Principles of Distributed Computation, pages 201–209, 1989.Google Scholar
  3. [BR93]
    Mihir Bellare and Phillip Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In ACM Conference on Computer and Communications Security, pages 62–73, 1993. 379Google Scholar
  4. [CG99]
    R. Canetti and S. Goldwasser. An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack. In Eurocrypt’ 99, pages 90–106, 1999. LNCS No. 1592. 374, 389Google Scholar
  5. [CGJ+99]
    Ran Canetti, Rosario Gennaro, StanisIlaw Jarecki, Hugo Krawczyk, and Tal Rabin. Adaptive security for threshold cryptosystems. In Proc. CRYPTO 99, pages 98–115. Springer-Verlag, 1999. LNCS No. 1666. 383Google Scholar
  6. [CGS97]
    R. Cramer, R. Gennaro, and B. Schoenmakers. A secure and optimally efficient multi-authority election scheme. In Eurocrypt’ 97, pages 103–118, 1997. LNCS No. 1233. 374Google Scholar
  7. [CP92]
    D. Chaum and T. Pederson. Wallet databases with observers. In Crypto’ 92, LNCS No. 740, pages 89–105, 1992. 389Google Scholar
  8. [CP02]
    C. Cachin, and J.A. Poritz Secure Intrusion-tolerant Replication on the Internet. In Proc. Intl. Conference on Dependable Systems and Networks (DNS-2002), Washington DC, USA, IEEE, 2002. (see also 375, 377, 378, 388
  9. [CMI93]
    M. Cerecedo, T. Matsumoto, and H. Imai. Efficient and secure multiparty generation of digital signatures based on discrete logarithms. IEICE Trans. Fundamentals, E76-A(4):532–545, 1993. 374Google Scholar
  10. [Des87]
    Yvo Desmedt. Society and group oriented cryptography: A new concept. Crypto’87, pages 120–127, 1987. LNCS No. 293. 373Google Scholar
  11. [DF89]
    Y. Desmedt and Y. Frankel. Threshold cryptosystems. In Crypto’ 89, pages 307–315, 1989. LNCS No. 435. 373Google Scholar
  12. [Fel87]
    P. Feldman. A Practical Scheme for Non-Interactive Verifiable Secret Sharing. In Proc. 28th FOCS, pages 427–437. IEEE, 1987. 379Google Scholar
  13. [FS86]
    Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Crypto’86, pages 186–194, 1986. LNCS No. 263. 382Google Scholar
  14. [FMY99]
    Y. Frankel, P. D. MacKenzie, and M. Yung. Adaptively-secure distributed Public Key systems. In Algorithms-ESA’99, 7th Annual European Symposium, Prague, pages 4–27, 1999. LNCS No. 1643 375, 383Google Scholar
  15. [GJKR96]
    R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust threshold DSS signatures. In Information and Computation 164, pp.54–84, 2001. 374, 382zbMATHCrossRefMathSciNetGoogle Scholar
  16. [GJKR99]
    R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. The (in)security of distributed key generation in dlog-based cryptosystems. In Eurocrypt’ 99, pages 295–310, 1999. LNCS No. 1592. 373, 374, 377, 380, 388Google Scholar
  17. [GMR88]
    Shafi Goldwasser, Silvio Micali, and Ronald Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing, 17(2):281–308, April 1988. 378, 382zbMATHCrossRefMathSciNetGoogle Scholar
  18. [GRR98]
    Rosario Gennaro, Michael Rabin, and Tal Rabin. Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In Proc. 17th ACM Symp. on Principles of Distributed Comp.. ACM, 1998.Google Scholar
  19. [Har94]
    L. Harn. Group oriented (t, n)di gital signature scheme. In IEE Proc.-Comput.Digit.Tech, 141(5):307–313, Sept 1994. 374Google Scholar
  20. [HJJ+97]
    A. Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk, and M. Yung. Proactive public key and signature systems. In 1997 ACM Conference on Computers and Communication Security, 1997. 374Google Scholar
  21. [Jar01]
    S. Jarecki. Efficient Threshold Cryptosystems. MIT PhD Thesis, June 2001, 377
  22. [JL00]
    StanisIlaw Jarecki and Anna Lysyanskaya. Adaptively secure threshold cryptosystems without erasures. In Eurocrypt’00, pages 221–242, 2000. LNCS. No. 1807. 383Google Scholar
  23. [LHL94]
    C.-H. Li, T. Hwang, and N.-Y. Lee. (t, n)thres hold signature schemes based on discrete logarithm. In Eurocrypt’ 94, pp. 191–200, 1994. LNCS No. 950. 374Google Scholar
  24. [LV01]
    A. K. Lenstra and E. R. Verheul Selecting Cryptographic Key Sizes. In Journal of Cryptology, vol. 14(4), 2001, pages 255–293. 388zbMATHMathSciNetGoogle Scholar
  25. [Ped91a]
    Torben Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In Crypto’ 91, pages 129–140. 1991.Google Scholar
  26. [Ped91b]
    Torben Pedersen. A threshold cryptosystem without a trusted party. In Eurocrypt’ 91, pages 522–526, 1991. LNCS No. 547. 374, 379Google Scholar
  27. [PK96]
    C. Park and K. Kurosawa. New ElGamal Type Threshold Digital Signature Scheme. IEICE Trans. Fundamentals, E79-A(1):86–93, January 1996. 374Google Scholar
  28. [PS96]
    D. Pointcheval, and J. Stern, Security Proofs for Signature Schemes. Eurocrypt’ 96, pages 387–398, 1996. LNCS No. 1070. 376, 382, 385, 387, 389Google Scholar
  29. [Sha79]
    A. Shamir. How to Share a Secret. CACM, 22:612–613, 1979. 373, 374zbMATHMathSciNetGoogle Scholar
  30. [Sch89]
    P. Schnorr. Efficient identification and signatures for smart cards.-Crypto’89, pages 235–251, 1989. LNCS No. 435. 375, 382Google Scholar
  31. [Sho00]
    Victor Shoup. Practical threshold signatures. In Eiurocrypt’ 00, pages 207–220. Springer-Verlag, 2000. 375Google Scholar
  32. [SG98]
    V. Shoup and R. Gennaro. Securing threshold cryptosystems against chosen ciphertext attack. In Eurocrypt’ 98, pages 1–16, 1998. LNCS No. 1403. 374CrossRefGoogle Scholar
  33. [Wei00]
    Wei Dai. Benchmarks for the Crypto++ 4.0 library performance. Available at 388

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Rosario Gennaro
    • 1
  • Stanislaw Jarecki
    • 2
  • Hugo Krawczyk
    • 1
  • Tal Rabin
    • 1
  1. 1.IBM T.J.Watson ResearchUSA
  2. 2.Stanford UniversityUSA

Personalised recommendations