A new publication by cryptography experts at the National Institute of Standards and Technology (NIST) proposes the direction the technical agency will take to develop a more secure approach to encryption. This approach, called threshold cryptography, could overcome some of the limitations of conventional methods for protecting sensitive transactions and data.
The document, released today in a final version as NIST Roadmap Toward Criteria for Threshold Schemes for Cryptographic Primitives (NISTIR 8214A), offers an outline for developing a new way to implement the cryptographic tools that developers use to secure their systems. Its authors are inviting the cryptography community to collaborate with them on NIST’s budding Threshold Cryptography project, which in part seeks to ensure that threshold implementations are interoperable.
“We are kicking the threshold cryptography development effort into high gear,” said Apostol Vassilev, a NIST computer scientist. “Over the coming months, the Threshold Cryptography project will be engaging with the public to define criteria for this work. We want to get feedback from the community so we can consider a variety of threshold schemes and standardization paths.”
Threshold cryptography takes its name from the idea that individual keyholders cannot open a lock on their own, as is common in conventional cryptography. Instead, out of a group of keyholders, there must be a minimum number of them – a “threshold” number – working together to open the lock. In practice, this lock is an electronic cryptosystem that protects confidential information, such as a bank account number or an authorization to transfer money from that account.
A threshold system is complicated because the keyholders must be able to collaborate on a task without seeing one another’s parts of the key. But a successful system might address some of the weak spots in conventional cryptography, because a threshold system would be safe even if some of the keyholders get hacked.
In conventional cryptosystems, “the main problem is the single point of failure,” Vassilev said. “If you give all your authority to a single individual, you’ve given them a lot of trust and responsibility. Not only can single individuals get corrupted, but they also get sick or go on vacation. If they’re unavailable, it can cause bottlenecks.”
Another vulnerability of conventional systems is the “side-channel attack,” in which an adversary monitors a computer performing an encryption operation in order to obtain details such as the power the chip consumes or the time it takes to produce a key. These details give insights about the key, eventually permitting attacks such as the recent Spectre and Meltdown hacks on widely available computer processors. Threshold systems might address this and other weaknesses as well, said Vassilev’s colleague Luís Brandão.
“The threshold paradigm can prevent the computer itself from becoming the single point of failure,” said Brandão, a coauthor of the report. “The computer never has the key in the first place.”
The idea of threshold cryptography is not new in and of itself, but some of the algorithms needed to effectively carry out a threshold scheme have only recently become mature enough to consider developing standards, Vassilev said. The new NIST publication and its previously released companion, NISTIR 8214, are an initial step toward those standards, with the aim of gathering a solid rationale to devise criteria for standards.
“The first one, NISTIR 8214, describes what it is we want to work on,” he said, “while NISTIR 8214A outlines a road map for how to get there. Those two things are what we’re trying to clarify with the help of the cryptography community.”
A near-term goal will be to develop ways to apply threshold schemes to what are known as “cryptographic primitives” – the fundamental building blocks of logic that can be combined to make software for cryptography systems. A primitive handles a specific task like creating a digital signature, but it must be combined with others to do complex jobs such as maintaining a secure internet connection. A well-considered set of primitives could form the basis of effective threshold cryptography systems.
The larger goal is to enhance the security of the implementation and operations of standardized cryptographic primitives. The Threshold Cryptography project will explore what threshold schemes have the best potential for interoperability and effectiveness when applied to NIST-approved primitives. The end results may span a variety of formats, including guidance, recommendations and reference definitions. The integration with existing standards will become more clear as the project moves along.
The NIST team has organized the development effort into two tracks. One will focus on threshold cryptography for single-device hardware, such as computer processors, which are particularly vulnerable to side-channel attacks. The other will focus on multiparty devices, which typically consist of several computers connected over a network collaborating in a threshold computation. These devices bring their own challenges, such as performing tasks when the parts of the secret key are distributed among devices spread across several locations.
The single-device track is the subject of a July 7-9 webinar hosted by the Belgian university KU Leuven – an event that will help NIST continue to work with the international community on technical advancements in cryptography. The NIST webinar presentation slides are available online, and the NIST Threshold Cryptography project page contains more information on collaborating with the team. This collaboration will be crucial to the long-term development effort, Vassilev said.
“It is quite important to have feedback and contributions from the community,” he said. “Some of the additional concrete ways in which we will advance will become clear as we work together. Join the party if you want to influence the direction the effort goes.”