IETF Logo Mail Archive

Re: [Cfrg] Threshold signatures

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 03 January 2020 13:53 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84B8F12024E for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 05:53:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.397
X-Spam-Level:
X-Spam-Status: No, score=-1.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gW7lhNoAwLtw for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 05:53:21 -0800 (PST)
Received: from mail-ot1-f45.google.com (mail-ot1-f45.google.com [209.85.210.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1665120077 for <cfrg@irtf.org>; Fri, 3 Jan 2020 05:53:20 -0800 (PST)
Received: by mail-ot1-f45.google.com with SMTP id a15so61247804otf.1 for <cfrg@irtf.org>; Fri, 03 Jan 2020 05:53:20 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QE27Gee1O6BHu2fdKnpwCdwRadzuzhQ2nXV+9g1RHkA=; b=fjeA2jSttLBa1UE5QzzLzBZvAWrFlQrRhvaWJFrbT9Ay7JzJ3jqNNoXAaMEvLeUqcC ukhBldA5VgQnfmsOYj4fNEY6RpIxHb1Ur2Iy30b7n+c0P9+f+GXwgCUfLYikWnQaSsiA g/dPnVA4UWrKs4VuzhdJzaCfjPnlPUO4U7CT7ec5FzxPal2b9/cMs1R4YFy7CpfRiVBi AZ5ntZ3eNN7aIzR5Pqv9FjmOGxD8xLTzi6TVPijdkxK7GcP0FHwstZzxv92H4o+uMUSI LmIefXyCBjfkcbuy8GY+0kHjTa3UV595PDbaXSiUMZ18o+H1rWktsuregv0ARhqhJ2RE f0WA==
X-Gm-Message-State: APjAAAVd+qgV40TZaWuy+AUOtK4k3A6KkyZqjyYP2c/Xp0taSXLI4/zV hEzyBELkSwar5f77VzLrCFsiauvUeYg4HGx9vH8=
X-Google-Smtp-Source: APXvYqwuJta+w+WPTiubpMYGB6AnVXuR84OyP7KeXujeIPUgiRq9Kz9pgXqfrfTepVhKRQyX4krGCL0D4FxRBYBXGXo=
X-Received: by 2002:a9d:7c8a:: with SMTP id q10mr92352399otn.124.1578059600131; Fri, 03 Jan 2020 05:53:20 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com> <CAHOTMVK+XiKyGSW6mO3D_HK29jYE-YnxN-6f-fW_0jLLRuEUbQ@mail.gmail.com>
In-Reply-To: <CAHOTMVK+XiKyGSW6mO3D_HK29jYE-YnxN-6f-fW_0jLLRuEUbQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 03 Jan 2020 08:53:08 -0500
Message-ID: <CAMm+LwiHCrhoKh3449kVMp4Xqjn=XVSvJ3ooiLF5SUVibHdTng@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000e67c69059b3ca1f7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/9qT_PqDc9QzKIJ7E0D0GnEDpAvQ>
Subject: Re: [Cfrg] Threshold signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2020 13:53:23 -0000

So I am currently deep into the literature and trying to understand quite
where people are coming from.

There seems to be a lot of conflation of 'we can't prove this is secure'
with 'this is insecure'.

Sure, if you allow people to 'bring your own key', you are going to have to
validate those keys in some fashion before you begin. But that isn't a
signature round, it is part of the certification and/or key distribution
protocol and so it does not count against my digital signature scheme
rounds.

The path to success in academia is to invent problems that don't need
solving that have cute proofs. Yes, been there, done that. Tony Hoare was
my College Tutor. It is important to make sure that the security and
protocol properties we are validating for are in fact part of our real
requirements. I spent months reading about attempts to create 'proper'
proxy re-encryption schemes until I realized that I could avoid all the
complexity by giving people the decryption keypair rather than using one
they already had.

The field spent 20 years thinking RSA was superior to DH because DH doesn't
do 'true' public key encryption. But embedded in a protocol, DH provides
exactly the same capability as RSA - establishing a shared session key. And
it is far more flexible and does so with far less complexity. DH is
actually the better scheme but it took us too long to realize that.

So the security concerns I recognize are:

1) Engaging in the protocol causes disclosure of a participants private
signature key.

2) Engaging in the protocol to sign document M, provides an attacker with
information that allows them to sign document M' without the participation
of the full signature quorum.


Security concerns that aren't (much of) a concern to me are:

1) Introducing spurious information into the protocol causes the creation
of a signature that fails validation.

It is probably sensible for the coordinator to verify that the signature
validates. If it is possible to construct a rogue key that results in a
valid signature, then our base signature scheme is broken. But this
particular attack is irrelevant for most of the scenarios I am considering
because the key shares are split from a master key and distributed to the
key share holders in two of the three schemes. And I can use either
threshold key generation or a proof of possession mechanism in the third.

The only information the signers provide in the protocol I am currently
considering is R_i in the first round and S_i = r_i + s_i.k in the second.
Presenting a false R_i in the first round will cause the signature protocol
to fail.


As for how long it takes for the industry to get a clue, that should not be
of any concern in IRTF. I am quite happy sitting in a House or Senate
hearing telling the members of Congress that we do have the technology to
win the cryptowars but it isn't being used. I don't (often) get to talk to
current NSA directors but I do get to talk to past directors and it seems
that one of those may have started the chain reaction that caused NIST to
start looking at threshold (pity they didn't invite me to the party last
year but that is the cost of Chatham House rules).

The reason NSA was vulnerable to the Snowden breach was that the Microsoft
CRM system they were using was not designed to protect against an insider
threat. I doubt that I am the only person who has pointed out that
employing threshold decryption would allow the existing system to afford
the necessary separation of duties.

The industry does move very slowly, but one of the main reasons for that is
that there are very few people in the industry pushing to do stuff that is
breaking the established pattern because most folk are resigned to failure.
If people are resigned to failure let them say so and get out of the way of
those of us who are not. We have work to do.


On Thu, Jan 2, 2020 at 2:57 PM Tony Arcieri <bascule@gmail.com> wrote:

> I'd be interested in comparing / contrasting your scheme to prior art with
> running code, notably:
>
> - KZen's Multiparty EdDSA, a straightforward application of distributed
> threshold Schnorr to Ed25519:
> https://github.com/KZen-networks/multi-party-eddsa
> - CoSi, a Merkle-tree based approach for collective Ed25519 signing
> targeting something more along the lines of a consensus protocol:
> https://tools.ietf.org/id/draft-ford-cfrg-cosi-00.html
>
> On Thu, Jan 2, 2020 at 2:28 PM Phillip Hallam-Baker <phill@hallambaker.com>
> wrote:
>
>> OK so with quite a bit of help, have got a prototype of threshold
>> signatures going. There is a bit more to the draft than just the algorithm
>> though as the way the scheme is presented and packaged has consequences.
>>
>> From the presentation side, I want to be able to argue that the threshold
>> sig scheme has (almost) precisely the same security properties as the
>> RFC8032 scheme. Which means that the core of the presentation must align as
>> closely as possible with the RFC8032 scheme.
>>
>> There are some subtle design choices that don't impact security but may
>> well have impact on specific use cases. The use cases I am currently
>> considering are
>>
>> 1) HSM module: One or both parts of the signature key shares are located
>> in a HSM providing resistance against extraction of the public key. This is
>> an important use case as we want the operation of the HSM to be stateless.
>> The signing algorithm requires multiple rounds, in the first round, the
>> signer commits to a value R_i = r_i..B. In the second round, the value r_i
>> is used. So it is kinda important to construct r_i in such fashion that the
>> HSM can restore it from one round to the next even though it may have
>> performed other operations in the meantime.
>>
>> Another issue that comes up with HSMs is auditability. The construction
>> of r_i must be auditalble which means it must be deterministic.
>>
>> 2) Code signing: The code signing role is split across two or more
>> signers and MAY permit a signature to be created by a quorum smaller than
>> the total number of authorized signers (n, t). Signing quorums may prove
>> particularly attractive for open source projects.
>>
>> I have introduced a new role, of coordinator for the party that manages
>> the process.
>>
>> Are there additional use cases that should be considered. That is use
>> cases that raise additional requirements. The need to sign blockchains is
>> often raised but that doesn't seem to raise additional requirements over
>> code signing.
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
>
>
> --
> Tony Arcieri
>

v2.23.0 | Report a Bug | By Email