Towards a Threshold Key Infrastructure

Abstract: The Mathematical Mesh (Mesh) is a Threshold Key Infrastructure (TKI) that uses threshold techniques to manage public key pairs and threshold key shares. The resulting architecture shares many similarities to traditional Kohnfelder model PKIs (e.g. X.509) but with significant differences. The use of threshold techniques provides the ‘key portability’ advantage of using smartcards without the need for a physical token. Devices that are connected to a Mesh profile can decrypt data and authenticate to internal or external infrastructures as authorized by the user/administrator. Authorizations are expressed as threshold key shares mediated by a Mesh service. Through the use of threshold techniques, the service is zero-trust with respect to confidentiality and integrity concerns and limited trust with respect to availability. The Mesh may be used to manage keys for traditional PKI applications (SSH, OpenPGP, S/MIME) or as a platform for building new applications. Current applications include sharing of encrypted data-at-rest between groups of users, a password vault, a contact manager and a replacement for second factor authentication schemes that actually makes sense.