IETF Logo Mail Archive

Re: [Cfrg] Threshold signatures

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 03 January 2020 17:22 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E602312008F for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 09:22:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.397
X-Spam-Level:
X-Spam-Status: No, score=-1.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nQW-Ay4Yo7TF for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 09:22:52 -0800 (PST)
Received: from mail-ot1-f46.google.com (mail-ot1-f46.google.com [209.85.210.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93E09120088 for <cfrg@irtf.org>; Fri, 3 Jan 2020 09:22:52 -0800 (PST)
Received: by mail-ot1-f46.google.com with SMTP id d7so57511946otf.5 for <cfrg@irtf.org>; Fri, 03 Jan 2020 09:22:52 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cUI+RCI1JBYvdhReEsFHniQXuy5wvB9PnFh/+aLRVgc=; b=fIIzZvzB8/gepIrskwOHqLxMBUpR/+z3s/n3YCmkIO0TGnXc+oTFIv80EVORtPkKeO mVpE/Ja7sjJZaq1arGJVm/upKhvhOmGYPD4pinUHYClW2vHi45+e/uJCNjRLsgwauqJN UQG8d8+0atoLC66EyDtwx4GsT9s7qYGiJ45pu+zlti62wIKfTlaTXoc1MkRLI3RfBomD RMaggRgYktt3Dd1pc6dEUBGTv+elG7DvUKudaYq+73eEWZlb0LNyhJ4OXXAgiusUEZLX c0PGdqad2UifArQP8DDwefwW5Haipd7Ej72Jkfuua8lxuDb0Ojjj3bX3a4yeiZOw+Z5c TFfA==
X-Gm-Message-State: APjAAAVD79gRVUhd2uYny22vnXTX+hV5BA4WrVOmOZViJby1r2/W+YA+ kpO2HL+1ynWr6cYp8f0dnZl+D9uZJkd4aUnVRbE=
X-Google-Smtp-Source: APXvYqwgZtjfihU1c8x/SSv1U0OhkvQS27ghk/Lv9Z21QGf3PoID1CIrta0ZOsiE2I39/1f+6+S/lFdG2wq5m7bzYvw=
X-Received: by 2002:a9d:6758:: with SMTP id w24mr36836046otm.155.1578072171873; Fri, 03 Jan 2020 09:22:51 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com> <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org> <CAOLP8p5Q=xswL7vkXVpSbVHUZ1dV+1wT3YdViq+1re1=fiSpRA@mail.gmail.com> <CAMm+LwiC5tBCd=fUo9e1tuQFVJ8C6hMXSxRZk2xff1238_9HRA@mail.gmail.com> <CAHOTMVKr_nqDXzAuX29ZN+6MW_vEvbadpEqELdO_RSnhNzr1Fw@mail.gmail.com> <0D2BAF97-6A23-4F74-9E20-F56E34ECDF10@gmail.com>
In-Reply-To: <0D2BAF97-6A23-4F74-9E20-F56E34ECDF10@gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 03 Jan 2020 12:22:42 -0500
Message-ID: <CAMm+LwgeE29OsrcbTzQqcM-aL2avT73k3k8krq9pcd5cmuukqA@mail.gmail.com>
To: Dan Wing <danwing@gmail.com>
Cc: IRTF CFRG <cfrg@irtf.org>, Tony Arcieri <bascule@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000003c0b98059b3f8f3e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CQ-CXauZr89xatp-Cb4WdK2BTNA>
Subject: Re: [Cfrg] Threshold signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2020 17:22:54 -0000

On Fri, Jan 3, 2020 at 12:08 PM Dan Wing <danwing@gmail.com> wrote:

> Also, if just need signatures, why not do 3 normal signatures where each
> signature says "to be valid, there need to be 2 other valid signatures".
> Or are you trying to enforce correctness via crypto (so that if only one
> signature, it can't be valid)?  If so, that is admirable, but unless
> something critical is encrypted, not achievable.
>
> -d
>

That is a perfectly valid approach in my view. The cost of three signatures
over two is that the verifier has to check three signatures and three
signature key validation chains. It also means that the verifier knows the
structure of who signed.

So let us consider the case where BigCorp decides Alice, Bob or Mallet can
sign code releases. Today, they all get the same private key, no separation
of duties, no accountability if the key is lost.

Introducing a simple two way split between a cloud service and tokens
separately issued to Alice, Bob, Mallet means that we now have the
potential for accountability if Mallet sells his key on hacker-bay, we can
prevent it being used to sign more stuff after we find out.

Introducing shamir secret sharing (n,t) scheme would allow us to require
two of the engineers to sign.


Back in the days when I was doing XML Web Services, we discovered that a
compressed encoding was an absolute and inescapable requirement for
deployment. The problem was that message size was really easy for a
journalist with an shoe size level IQ to measure and print a snotty
irrelevant report. So we wrote a stupid compression scheme and journalists
stopped commenting on the message sizes (10K vs 5K) and nobody ever used
it. But we couldn't have got people using SAML etc. without that.

So it might well be that multi-signatures turn out to be perfectly adequate
for everyone's needs. But we probably still need Edwards curve threshold
sigs to get people to agree that is the case.

v2.23.0 | Report a Bug | By Email