RSA Laboratories

7.16 What are proactive security techniques?

Proactive security combines the ideas of distributed cryptography (also called secret sharing) (see Question 2.1.9). with the refreshment of secrets. The term proactive refers to the fact that it's not necessary for a breach of security to occur before secrets are refreshed, the refreshment is done periodically (and hence, proactively).Key refreshment is an important addition to distributed cryptography because without it, an adversary who is able to recover all the distributed secrets given enough time will eventually be successful in breaking the system. For example, consider the following proactive version of Shamir's secret sharing scheme (see Question 3.6.12):

A polynomial

f0(x) = a0 +a1 x+ ¼+ am-1 xm-1

over GF(q) is constructed, and the secret is a0. From the beginning, each user has a point (xi, f0(xi)) with xi ¹ 0. For the first key refreshment, a new polynomial f1 is constructed from f0. More generally, for the kth key refreshment, a polynomial fk+1 is constructed from fk. The polynomial fk+1 is equal to fk + gk, where gk is a random (m-1)-degree polynomial with gk(0) = 0. After each key refreshment the secret is unchanged, but user i's new secret share is (xi, fk+1(xi)) = (xi, fk(xi) + gk(xi)). An adversary who knows less than m current secret shares at any particular time knows nothing about the secret.

More recent techniques in proactive security include proactive RSA [FGM97] and proactive signatures (see [GJK96] and [HJJ97]). For an overview of proactive techniques see [CGH97].

Top of the page