A new publication by cryptography experts at the National Institute of Standards and Technology (NIST) proposes the direction the technical agency will take to develop a more secure approach to encryption. This approach, called threshold cryptography, could overcome some of the limitations of conventional methods for protecting sensitive transactions and data.

The document, released today in a final version as NIST Roadmap Toward Criteria for Threshold Schemes for Cryptographic Primitives (NISTIR 8214A), offers an outline for developing a new way to implement the cryptographic tools that developers use to secure their systems. Its authors are inviting the cryptography community to collaborate with them on NIST’s budding Threshold Cryptography project, which in part seeks to ensure that threshold implementations are interoperable.

“We are kicking the threshold cryptography development effort into high gear,” said Apostol Vassilev, a NIST computer scientist. “Over the coming months, the Threshold Cryptography project will be engaging with the public to define criteria for this work. We want to get feedback from the community so we can consider a variety of threshold schemes and standardization paths.”

Threshold cryptography takes its name from the idea that individual keyholders cannot open a lock on their own, as is common in conventional cryptography, says NIST. "Instead, out of a group of keyholders, there must be a minimum number of them — a ‘threshold’ number — working together to open the lock. In practice, this lock is an electronic cryptosystem that protects confidential information, such as a bank account number or an authorization to transfer money from that account," adds NIST.

"A threshold system is complicated because the keyholders must be able to collaborate on a task without seeing one another’s parts of the key. But a successful system might address some of the weak spots in conventional cryptography, because a threshold system would be safe even if some of the keyholders get hacked," notes NIST. 

In conventional cryptosystems, “the main problem is the single point of failure,” Vassilev said. “If you give all your authority to a single individual, you’ve given them a lot of trust and responsibility. Not only can single individuals get corrupted, but they also get sick or go on vacation. If they’re unavailable, it can cause bottlenecks.”

The idea of threshold cryptography is not new in and of itself, but some of the algorithms needed to effectively carry out a threshold scheme have only recently become mature enough to consider developing standards, Vassilev said. The new NIST publication and its previously released companion, NISTIR 8214, are an initial step toward those standards, with the aim of gathering a solid rationale to devise criteria for standards. 

“The first one, NISTIR 8214, describes what it is we want to work on,” he said, “while NISTIR 8214A outlines a road map for how to get there. Those two things are what we’re trying to clarify with the help of the cryptography community.”

A near-term goal will be to develop ways to apply threshold schemes to what are known as “cryptographic primitives” — the fundamental building blocks of logic that can be combined to make software for cryptography systems, says NIST. "A primitive handles a specific task like creating a digital signature, but it must be combined with others to do complex jobs such as maintaining a secure internet connection. A well-considered set of primitives could form the basis of effective threshold cryptography systems. The larger goal is to enhance the security of the implementation and operations of standardized cryptographic primitives. The Threshold Cryptography project will explore what threshold schemes have the best potential for interoperability and effectiveness when applied to NIST-approved primitives. The end results may span a variety of formats, including guidance, recommendations and reference definitions. The integration with existing standards will become more clear as the project moves along."

The NIST team has organized the development effort into two tracks: one will focus on threshold cryptography for single-device hardware, such as computer processors, which are particularly vulnerable to side-channel attacks, and the other will focus on multiparty devices, which typically consist of several computers connected over a network collaborating in a threshold computation. These devices bring their own challenges, such as performing tasks when the parts of the secret key are distributed among devices spread across several locations, says NIST. 

For more information, please visit https://www.nist.gov/news-events/news/2020/07/nist-kick-starts-threshold-cryptography-development-effort