“Threshold Cryptography” Bolsters Protection of Sensitive Data

Another vulnerability of conventional systems is the “side-channel attack,” in which an adversary monitors a computer while it performs a cryptographic operation, observing details such as the power the chip consumes or the time the operation takes. Those details leak information about the key, and the same kind of leakage underlies attacks such as the recent Spectre and Meltdown attacks on widely available computer processors. Threshold systems might address this and other weaknesses as well, said Vassilev’s colleague Luís Brandão.

“The threshold paradigm can prevent the computer itself from becoming the single point of failure,” said Brandão, a coauthor of the report. “The computer never has the key in the first place.”

The idea of threshold cryptography is not new in and of itself, but some of the algorithms needed to effectively carry out a threshold scheme have only recently become mature enough to consider developing standards, Vassilev said. The new NIST publication and its previously released companion, NISTIR 8214, are an initial step toward those standards, with the aim of gathering a solid rationale to devise criteria for standards. 

“The first one, NISTIR 8214, describes what it is we want to work on,” he said, “while NISTIR 8214A outlines a road map for how to get there. Those two things are what we’re trying to clarify with the help of the cryptography community.”

A near-term goal will be to develop ways to apply threshold schemes to what are known as “cryptographic primitives” — the fundamental building blocks of logic that can be combined to make software for cryptography systems. A primitive handles a specific task like creating a digital signature, but it must be combined with others to do complex jobs such as maintaining a secure internet connection. A well-considered set of primitives could form the basis of effective threshold cryptography systems.

The larger goal is to enhance the security of the implementation and operations of standardized cryptographic primitives. The Threshold Cryptography project will explore what threshold schemes have the best potential for interoperability and effectiveness when applied to NIST-approved primitives. The end results may span a variety of formats, including guidance, recommendations and reference definitions. The integration with existing standards will become clearer as the project moves along.

NIST has organized the development effort into two tracks. One will focus on threshold cryptography for single-device hardware, such as computer processors, which are particularly vulnerable to side-channel attacks. The other will focus on multiparty devices, which typically consist of several computers connected over a network and collaborating in a threshold computation. These bring their own challenges, such as carrying out an operation when the parts of the secret key are distributed among devices spread across several locations.
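To make the multiparty track concrete, here is an added worked example (written for this page; it is not code from the NIST article or from NISTIR 8214/8214A) of the pattern described above: a secret exponent s is split into n Shamir shares with threshold t, and a Diffie-Hellman-style operation c^s is carried out by t parties each raising c to its own share only, with a combiner multiplying the partial results together using Lagrange coefficients in the exponent. The full key s is never reassembled, so an adversary who fully instruments one party, through power or timing, learns at most that party's share. The safe-prime group (found by a short search so the block is self-contained), the fixed random seed and the helper names are assumptions made for the example, not a standardized parameter set.

```python
"""Threshold Diffie-Hellman-style operation over Shamir-shared key material.
Added example for illustration, not code from the NIST article or NISTIR 8214/8214A.
The safe-prime group, seeds and helper names are assumptions for the demo."""
import random

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with a fixed-seed RNG so the group search is deterministic."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start: int) -> tuple:
    """Return (p, q) with p = 2q + 1 and both prime, p > start (assumed group)."""
    q = (start // 2) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = find_safe_prime(1 << 64)   # ~64-bit safe prime, chosen for the demo only
G = 4                             # 2^2 mod P: a generator of the order-q subgroup

def share_secret(secret: int, t: int, n: int, rng: random.Random) -> list:
    """Shamir t-of-n sharing in Z_q: shares are points on a random polynomial
    of degree t-1 whose constant term is the secret."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):        # Horner evaluation at x, mod q
            y = (y * x + c) % Q
        shares.append((x, y))
    return shares

def lagrange_coefficient(i: int, xs: list) -> int:
    """lambda_i with sum(lambda_i * f(x_i)) = f(0), computed mod q."""
    num, den = 1, 1
    for j in xs:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def reconstruct(shares: list) -> int:
    """Plain Shamir reconstruction, included only to check the dealt shares;
    the threshold operation below never calls it."""
    xs = [x for x, _ in shares]
    return sum(lagrange_coefficient(x, xs) * y for x, y in shares) % Q

def partial_result(c: int, share: tuple) -> tuple:
    """Party i's entire job: raise c to its own share s_i.  A side channel on
    this party can leak at most s_i, which alone says nothing about s."""
    x, s_i = share
    return x, pow(c, s_i, P)

def combine(partials: list) -> int:
    """Combiner: prod(d_i ^ lambda_i) = c ^ sum(lambda_i * s_i) = c ^ s mod p.
    It handles only group elements, never s or any share."""
    xs = [x for x, _ in partials]
    out = 1
    for x, d in partials:
        out = out * pow(d, lagrange_coefficient(x, xs), P) % P
    return out

def demo(t: int = 3, n: int = 5, seed: int = 1) -> dict:
    """Constructed run: n key holders, any t of them complete the operation."""
    rng = random.Random(seed)             # fixed seed so the run is reproducible
    s = rng.randrange(1, Q)               # long-term secret exponent
    shares = share_secret(s, t, n, rng)   # dealt once; a real dealer then erases s
    c = pow(G, rng.randrange(1, Q), P)    # a sender's element c = g^r
    expected = pow(c, s, P)               # what a single key holder would compute
    partials = [partial_result(c, sh) for sh in shares[:t]]
    return {
        "threshold_matches": combine(partials) == expected,
        "below_threshold_matches": combine(partials[:t - 1]) == expected,
        "shares_reconstruct": reconstruct(shares[n - t:]) == s,
    }

if __name__ == "__main__":
    print(demo())  # {'threshold_matches': True, 'below_threshold_matches': False, 'shares_reconstruct': True}
```

Two caveats a practitioner should keep in mind. The arithmetic here uses Python big integers, which are not constant-time, so the block shows the structure of a threshold operation rather than a side-channel-hardened implementation of one. And the sharing is plain Shamir with no verifiability and no share refresh, so a dishonest party can corrupt the combined result without being detected, and a share captured today stays valid forever. These are exactly the kinds of implementation questions a threshold standard has to settle before the "key never exists in one place" property holds in practice.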

The single-device track was the subject of a 7-9 July webinar hosted by the Belgian university KU Leuven — an event that helped NIST continue to work with the international community on technical advancements in cryptography. The NIST webinar presentation slides are available online, and the NIST Threshold Cryptography project page contains more information on collaborating with the team. This collaboration will be crucial to the long-term development effort, Vassilev said. 

“It is quite important to have feedback and contributions from the community,” he said. “Some of the additional concrete ways in which we will advance will become clear as we work together. Join the party if you want to influence the direction the effort goes.”