Re: [Cfrg] Threshold signatures
Phillip Hallam-Baker <phill@hallambaker.com> Fri, 03 January 2020 17:22 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E602312008F for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 09:22:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.397
X-Spam-Level:
X-Spam-Status: No, score=-1.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nQW-Ay4Yo7TF for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 09:22:52 -0800 (PST)
Received: from mail-ot1-f46.google.com (mail-ot1-f46.google.com [209.85.210.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93E09120088 for <cfrg@irtf.org>; Fri, 3 Jan 2020 09:22:52 -0800 (PST)
Received: by mail-ot1-f46.google.com with SMTP id d7so57511946otf.5 for <cfrg@irtf.org>; Fri, 03 Jan 2020 09:22:52 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cUI+RCI1JBYvdhReEsFHniQXuy5wvB9PnFh/+aLRVgc=; b=fIIzZvzB8/gepIrskwOHqLxMBUpR/+z3s/n3YCmkIO0TGnXc+oTFIv80EVORtPkKeO mVpE/Ja7sjJZaq1arGJVm/upKhvhOmGYPD4pinUHYClW2vHi45+e/uJCNjRLsgwauqJN UQG8d8+0atoLC66EyDtwx4GsT9s7qYGiJ45pu+zlti62wIKfTlaTXoc1MkRLI3RfBomD RMaggRgYktt3Dd1pc6dEUBGTv+elG7DvUKudaYq+73eEWZlb0LNyhJ4OXXAgiusUEZLX c0PGdqad2UifArQP8DDwefwW5Haipd7Ej72Jkfuua8lxuDb0Ojjj3bX3a4yeiZOw+Z5c TFfA==
X-Gm-Message-State: APjAAAVD79gRVUhd2uYny22vnXTX+hV5BA4WrVOmOZViJby1r2/W+YA+ kpO2HL+1ynWr6cYp8f0dnZl+D9uZJkd4aUnVRbE=
X-Google-Smtp-Source: APXvYqwgZtjfihU1c8x/SSv1U0OhkvQS27ghk/Lv9Z21QGf3PoID1CIrta0ZOsiE2I39/1f+6+S/lFdG2wq5m7bzYvw=
X-Received: by 2002:a9d:6758:: with SMTP id w24mr36836046otm.155.1578072171873; Fri, 03 Jan 2020 09:22:51 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com> <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org> <CAOLP8p5Q=xswL7vkXVpSbVHUZ1dV+1wT3YdViq+1re1=fiSpRA@mail.gmail.com> <CAMm+LwiC5tBCd=fUo9e1tuQFVJ8C6hMXSxRZk2xff1238_9HRA@mail.gmail.com> <CAHOTMVKr_nqDXzAuX29ZN+6MW_vEvbadpEqELdO_RSnhNzr1Fw@mail.gmail.com> <0D2BAF97-6A23-4F74-9E20-F56E34ECDF10@gmail.com>
In-Reply-To: <0D2BAF97-6A23-4F74-9E20-F56E34ECDF10@gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 03 Jan 2020 12:22:42 -0500
Message-ID: <CAMm+LwgeE29OsrcbTzQqcM-aL2avT73k3k8krq9pcd5cmuukqA@mail.gmail.com>
To: Dan Wing <danwing@gmail.com>
Cc: IRTF CFRG <cfrg@irtf.org>, Tony Arcieri <bascule@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000003c0b98059b3f8f3e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CQ-CXauZr89xatp-Cb4WdK2BTNA>
Subject: Re: [Cfrg] Threshold signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2020 17:22:54 -0000
On Fri, Jan 3, 2020 at 12:08 PM Dan Wing <danwing@gmail.com> wrote: > Also, if just need signatures, why not do 3 normal signatures where each > signature says "to be valid, there need to be 2 other valid signatures". > Or are you trying to enforce correctness via crypto (so that if only one > signature, it can't be valid)? If so, that is admirable, but unless > something critical is encrypted, not achievable. > > -d > That is a perfectly valid approach in my view. The cost of three signatures over two is that the verifier has to check three signatures and three signature key validation chains. It also means that the verifier knows the structure of who signed. So let us consider the case where BigCorp decides Alice, Bob or Mallet can sign code releases. Today, they all get the same private key, no separation of duties, no accountability if the key is lost. Introducing a simple two way split between a cloud service and tokens separately issued to Alice, Bob, Mallet means that we now have the potential for accountability if Mallet sells his key on hacker-bay, we can prevent it being used to sign more stuff after we find out. Introducing shamir secret sharing (n,t) scheme would allow us to require two of the engineers to sign. Back in the days when I was doing XML Web Services, we discovered that a compressed encoding was an absolute and inescapable requirement for deployment. The problem was that message size was really easy for a journalist with an shoe size level IQ to measure and print a snotty irrelevant report. So we wrote a stupid compression scheme and journalists stopped commenting on the message sizes (10K vs 5K) and nobody ever used it. But we couldn't have got people using SAML etc. without that. So it might well be that multi-signatures turn out to be perfectly adequate for everyone's needs. But we probably still need Edwards curve threshold sigs to get people to agree that is the case.
- [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Jeff Burdges
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Bill Cox
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Scott Fluhrer (sfluhrer)
- Re: [Cfrg] Threshold signatures Bill Cox
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Dan Wing
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Michael StJohns
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker