Re: [Cfrg] BLS - proofs of possession may not be enough?

Kobi Gurkan <> Mon, 18 November 2019 21:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0A1D9120B55 for <>; Mon, 18 Nov 2019 13:04:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 83PgXqSgl6SI for <>; Mon, 18 Nov 2019 13:04:53 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EFF22120B09 for <>; Mon, 18 Nov 2019 13:04:52 -0800 (PST)
Received: by with SMTP id t1so21213889wrv.4 for <>; Mon, 18 Nov 2019 13:04:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FYCXiwhcTscbP1ZNFmSjMoU9rT9ZyKLEof6B4Qu9Jq8=; b=gG/nQg3FtejhY+AiBlOEr/PA77XFbcK8ZTIFC4LldeoCgSwBlS6VBR4HAntHzO5TY7 4bQH3pJKnlCKq8MVPXWuSRhT9xDO67tVj8sGpSKDciCjP6qHWylkiyD0Ds2H0LfgJTd4 KLV2yiFjuhjinCVgdB6qSoTjEMS+CzAkiNzuWrVhwwz9e3tE1XGnND+TcF8UzMaYpdgr wX1PVHh+wzH2EN97YQ/KdSxmif0T02c0HrxchSdQY1MPVmlG4ypXyDSsYNx89qjVnRJr H27HKOiFjuRrk9z9Dnc9oy0lmx5jVYgk2CwSx6tvPzjsdvfywAgxr5gR6xPF8ZSEssNa IZ4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FYCXiwhcTscbP1ZNFmSjMoU9rT9ZyKLEof6B4Qu9Jq8=; b=HfbGTIzUwFUToawTtBvkqqekA/SjapNOSHzLW7+r3rhU9p2xsgxadzAyhahPaffToX dj/z9jnQlKRNvbzmmtv91udXRvHma3cuqYNBmlDpdwIbmksdq649WmVIXTQs6KHHDjtg JPMIIDLqJFlQuHdXj3s1U1KavQb+LF8MEWD242dSIdz99AH+PXWZrla/BNE2nBFw+8H5 8/xdes7J1mZvxatXizAgzr9+/VrgKKzZSDWdMTyx/D9n3aePznEDR8yEVchX49vcjVuT 2TKnG91Hhl07pz8HH8brPL5z1ZEQe7HGfgxmKbET3HBtIUUjz2EYQH/NYwNqTqBPp0Zy 15ug==
X-Gm-Message-State: APjAAAWEPQ/vk6zbWg6vMYbrARawONAklK7ONfbKNqwBtOmXrRWEqI7p M2z/zUwygpHI0qAxj8CxOfw=
X-Google-Smtp-Source: APXvYqwTIfkIg1ElIaD7sQJolBpAiNikpkcTlUB9Z0XE+wP5R8Q4v5O1h76SY6UKkiryWXE8ENNW7Q==
X-Received: by 2002:adf:fe0c:: with SMTP id n12mr32395936wrr.174.1574111091352; Mon, 18 Nov 2019 13:04:51 -0800 (PST)
Received: from kobis-mbp.lan ([]) by with ESMTPSA id y189sm683073wmb.13.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 18 Nov 2019 13:04:50 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3594.4.19\))
From: Kobi Gurkan <>
In-Reply-To: <>
Date: Mon, 18 Nov 2019 23:04:46 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: Jeff Burdges <>
X-Mailer: Apple Mail (2.3594.4.19)
Archived-At: <>
Subject: Re: [Cfrg] BLS - proofs of possession may not be enough?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 18 Nov 2019 21:04:58 -0000

Hey Jeff,

Thanks for the comment, also in our one-to-one chat.

I think that the practical impact of the property that I describe are not catastrophic. Some comment I got recently was that it could been achieved just as well by publishing the secret keys.


> On 17 Nov 2019, at 21:48, Jeff Burdges <> wrote:
> I’d still characterise sum_i sk_i = 0 as an unusual DGK that changes the properties of the signature similarly to any other DKG does.  In particular, any proof-of-possesion security proof should show this does not impact other signers under normal threat models.
> As we discussed, there are threat models with non-standard interactions between signatures in which sum_i sk_i = 0 does facilitate attacks, namely when a signer waits for other signers and can be punished for signing too early.  I’ll note however that BLS cannot achieve security for that signer anyways because the earlier signers can subtract their signatures even without any relationship among the secret keys.
>> On 17 Nov 2019, at 14:12, Kobi Gurkan <> wrote:
>> It seems that delinearization, as described in, is strictly stronger than proofs of possession in terms of security - as this attack does not effect protocols that use them.
> I suspect it’s strictly stronger but actually nobody proved this.  An approach for showing that delinearization is stronger than proof-of-possesion might be working in some composability framework, but this gets delicate because classically these handle state poorly.
> Jeff
> _______________________________________________
> Cfrg mailing list