Shatter: Using Threshold Cryptography to Protect Single Users with Multiple Devices

Erinn Atwater, Urs Hengartner

The average computer user is no longer restricted to one device. They may have several devices and expect their applications to work on all of them. A challenge arises when these applications need the cryptographic private key of the devices’ owner. Here the device owner typically has to manage keys manually with a “keychain” app, which leads to private keys being transferred insecurely between devices – or even to other people. Even with intuitive synchronization mechanisms, theft and malware still pose a major risk to keys. Phones and watches are frequently removed or set down, and a single compromised device leads to the loss of the owner’s private key, a catastrophic failure that can be quite difficult to recover from.

We introduce Shatter, an open-source framework that runs on desktops, Android, and Android Wear, and performs key distribution on a user’s behalf. Shatter uses threshold cryptography to turn the security weakness of having multiple devices into a strength. Apps that delegate cryptographic operations to Shatter have their keys compromised only when a threshold number of devices are compromised by the same attacker. We demonstrate how our framework operates with two popular Android apps (protecting identity keys for a messaging app, and encryption keys for a note-taking app) in a backwards-compatible manner: only Shatter users need to move to a Shatter-aware version of the app. Shatter has minimal impact on app performance, with signatures and decryption being calculated in 0.5s and security proofs in 14s.

Review:
The paper presents Shatter, an open-source framework for Android and desktop devices that uses threshold cryptography for sharing private keys across different devices. The idea is that the private key can then be securely used for identifying a single user across different services that are used on all devices of the user. The solution provides further convenience when the user loses one of the devices, as she does not need to revoke the key pair and create a new private/public key-pair, but rather simply revoke the share used in the lost device. The authors have not only implemented Shatter, but they have also demonstrated how it can be introduced in backwards compatible manner for two real-life applications. The solution is carefully analyzed from the performance point of view.

The reviewers appreciated that Shatter is a significant step forward in bringing threshold cryptography from theory to practice. However, concerns were raised about merits of the paper in terms of purely scientific contributions. Shatter enables further scientific studies (e.g., usability) of threshold cryptography-based mechanisms, but leaves these studies for future work. Milder concerns were raised on several issues. First, delays in communication are relatively long and performance would need to be improved significantly before wider adoption could be expected. Second, reviewers questioned whether automatic acknowledgements of signing requests would provide a sensible trade-off between security and usability in this context.