Re: [Cfrg] Threshold signatures

Bill Cox <waywardgeek@gmail.com> Fri, 03 January 2020 14:43 UTC

References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com> <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org>
In-Reply-To: <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org>
From: Bill Cox <waywardgeek@gmail.com>
Date: Fri, 03 Jan 2020 06:43:41 -0800
Message-ID: <CAOLP8p5Q=xswL7vkXVpSbVHUZ1dV+1wT3YdViq+1re1=fiSpRA@mail.gmail.com>
To: Jeff Burdges <burdges@gnunet.org>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/BgE3J4CD3u5qg8JbUbIVQtgZ_B4>

On Thu, Jan 2, 2020 at 4:18 PM Jeff Burdges <burdges@gnunet.org> wrote:

>
> You need pairings à la BLS signatures for a one round trip multi-signature
> scheme.  I donno if anyone proved that but you’ll get nothing from fancy
> zero-knowledge proof tricks among the signers obviously.  I’d expect BLS
> smart cards for cyber-coin validators within the next couple years, if not
> already.
>
> Jeff
>

You can also use this pairing scheme for rate-limited threshold
password-authenticated key generation.  This could be useful for his
Mathematical Mesh, but as he says, crypto on devices changes only very
slowly.  A brilliant intern we had last year re-invented this pairing
scheme, and I spent a week trying to work out how to do it without bilinear
pairing.  It can also be done on RSA-like groups of unknown order (the OPRF
server is allowed to know the order, but probably should forget it), but
the security of the scheme is less obvious.  Both of these schemes also
enable the quorum members to do extra work to strengthen password guesses,
similar to Makwa.

What is unclear to me is whether these schemes are generally useful because:

1) It is important for the server to know whether the password guess was
correct, which is a key signal in rate-limiting.
2) Secret shares can only migrate to new HSMs/cloud providers when the user
re-enters their password.

More traditional threshold password-protected secret sharing schemes
address these issues, at the cost of higher complexity and more
communication rounds.  Which way should the world go?
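An added example, not part of Bill's message, the thread, or the Mathematical Mesh: the blinded-exponentiation threshold OPRF (Shamir-shared key in the exponent) that the "more traditional" password-protected secret sharing schemes are built on, written in Python over a toy 63-bit safe-prime group. It is here to make issue 1) concrete: each server receives only a blinded, uniformly random group element, so it can count requests per account but cannot tell a correct guess from a wrong one. The pairing-based scheme discussed above is not implemented here, and the group parameters, hash-to-group construction and key finalization are assumptions chosen for illustration, not secure choices.

```python
"""Threshold OPRF for password-based key derivation (added illustration).

Toy parameters: a ~63-bit safe prime found at import time. NOT secure;
a real deployment would use a standard prime-order group and a proper
hash-to-group, and the OPRF output would be combined with a real KDF.
"""
import hashlib
import secrets


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases: deterministic below ~3e23."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_safe_prime(start: int):
    """Smallest q >= start with q and 2q+1 both prime; returns (p, q)."""
    q = start | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = _find_safe_prime(1 << 62)  # assumption: toy group, ~63-bit modulus
G = 4  # 2^2 is a quadratic residue, hence a generator of the order-Q subgroup


def hash_to_group(password: bytes) -> int:
    """Assumed hash-to-group: hash, reduce, square into the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(b"H1" + password).digest(), "big") % P
    return pow(h, 2, P)  # h == 0 or +-1 is negligible for this demo


def share_key(k: int, t: int, n: int) -> dict:
    """Shamir-share the OPRF key k over Z_Q: degree t-1 polynomial, n shares."""
    coeffs = [k] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {}
    for i in range(1, n + 1):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation at x = i
            acc = (acc * i + c) % Q
        shares[i] = acc
    return shares


def lagrange_at_zero(idxs, i: int) -> int:
    """Lagrange coefficient of share i for reconstructing f(0), mod Q."""
    num = den = 1
    for j in idxs:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


class Server:
    """One quorum member holding a key share. It sees only blinded requests."""

    def __init__(self, idx: int, share: int):
        self.idx, self.share = idx, share
        self.requests_seen = 0  # the only rate-limit signal available to it

    def evaluate(self, blinded: int) -> int:
        # `blinded` is H1(pw)^r for a random r: a uniformly random group element
        # whatever pw was, so correct and wrong guesses are indistinguishable here.
        self.requests_seen += 1
        return pow(blinded, self.share, P)


def finalize(password: bytes, y: int) -> bytes:
    """Assumed key finalization: hash password together with the OPRF output."""
    y_bytes = y.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(b"key" + password + y_bytes).digest()


def direct_evaluate(password: bytes, k: int) -> int:
    """Unblinded OPRF output H1(pw)^k, for checking the threshold path."""
    return pow(hash_to_group(password), k, P)


def derive_key(password: bytes, servers) -> bytes:
    """Client side: blind, query t servers, combine with Lagrange, unblind."""
    r = secrets.randbelow(Q - 1) + 1
    blinded = pow(hash_to_group(password), r, P)
    idxs = [s.idx for s in servers]
    combined = 1
    for s in servers:
        lam = lagrange_at_zero(idxs, s.idx)
        combined = combined * pow(s.evaluate(blinded), lam, P) % P
    y = pow(combined, pow(r, -1, Q), P)  # (H1(pw)^{r k})^{1/r} = H1(pw)^k
    return finalize(password, y)
```

Any t of the n servers yield the same key, and swapping in a different subset needs no re-entry of anything on the server side; the flip side is that `requests_seen` increments identically for a correct and for a wrong password, which is exactly the signal a rate limiter loses in the oblivious design.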