IETF Logo Mail Archive

Re: [Cfrg] Threshold signatures

Bill Cox <waywardgeek@gmail.com> Fri, 03 January 2020 16:14 UTC

Return-Path: <waywardgeek@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2707120043 for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 08:14:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JHihyE6RDNku for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 08:14:35 -0800 (PST)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6380E12000F for <cfrg@irtf.org>; Fri, 3 Jan 2020 08:14:35 -0800 (PST)
Received: by mail-qk1-x72d.google.com with SMTP id 21so34167507qky.4 for <cfrg@irtf.org>; Fri, 03 Jan 2020 08:14:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=i6O1/B/R9ElP24NgUXuQXxf7iMWjy/+9zjDuzjhiFds=; b=L3qJFAWMMzrmQUtNJ0WT8ehZwUSz2GwSSjhBFJnzDaDjT6dtUwaRASGLlCc+H4wBJn UOWdmSU1r+EOAs7OB15uadofHngIodA+BT+/dY6FooTrsL3Ltgk9ErQ4V1iUs3ubH5jC vgbwH1jtycX551SsEhQkHfCVz+BmSJm6UB9vgH70b8b9mZWVFRXFK5WasGQRAB0eZ4XU iMs95lTlVfjtP9tJ9LjyUDvPnJtlT0/ArY73rK56rp3qEjBXIJewfcDbyA8S+m1QYtK/ ziMOt0NzPjD9a2/hFqsIC3fg/nfrOSm58qg7DhcG0sUg09oVc2EZby/mkdy2ro5DOcsS 6rYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=i6O1/B/R9ElP24NgUXuQXxf7iMWjy/+9zjDuzjhiFds=; b=AdFWuDeTJVCeI7ODMTyvVmlQW/nLz0Pq383cevgMj/+4YLDW0fGF0MsYtdXoihpBg6 pvDXoIw12fhuNhE5gXkQU+URwlSv3lUdzXoIXflzX9dzaJrxQRPzyY1icSghgmof+w3c upiJpxrLeMEdWl36dXQs3jqyich/lr02y13JPidfwthqzi2rA0Xl3DERLAKRAhn11czk T+w6OEtqTbyEnlEvEi8RAiovUu1RQms8ds5QUPDxBqZNAtwS41uPKfgcOsqoK+Ejzt9a 6L+JS9x8YlQ4X53C4Te5zGFbre5quQR808FSXG5Wpy3PYX+eADAO+xJnTyOnw5VqiKp4 VnPg==
X-Gm-Message-State: APjAAAWmvYyHh8qJQsuaLcpwN15LRVIHjUqhQADA+XYPoyVK67zxi+nf LbQ1SkYQhCC4vs9aqagH5vWzB6ItLKUAbMFDYVs=
X-Google-Smtp-Source: APXvYqzeiiqPfh/HT4pprSG2plxi9+bTTO/xZ4AJDXmgO3mOuynhM5bcCSrvMfm/owxHasFvwuLQ4R9b18/g+9ySUio=
X-Received: by 2002:a05:620a:1333:: with SMTP id p19mr72775682qkj.73.1578068074428; Fri, 03 Jan 2020 08:14:34 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com> <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org> <CAOLP8p5Q=xswL7vkXVpSbVHUZ1dV+1wT3YdViq+1re1=fiSpRA@mail.gmail.com> <CAMm+LwiC5tBCd=fUo9e1tuQFVJ8C6hMXSxRZk2xff1238_9HRA@mail.gmail.com>
In-Reply-To: <CAMm+LwiC5tBCd=fUo9e1tuQFVJ8C6hMXSxRZk2xff1238_9HRA@mail.gmail.com>
From: Bill Cox <waywardgeek@gmail.com>
Date: Fri, 03 Jan 2020 08:14:23 -0800
Message-ID: <CAOLP8p5==74BH-F6U5=w-J0WJcn0gBnJ=Nm6DKHUeAkcbQK4aQ@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: Jeff Burdges <burdges@gnunet.org>, IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000001fe19059b3e9bca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EXaEHCWPrfQenB3ywzkEoRL9VBk>
Subject: Re: [Cfrg] Threshold signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2020 16:14:37 -0000

On Fri, Jan 3, 2020 at 7:04 AM Phillip Hallam-Baker <phill@hallambaker.com>
wrote:

>
> What is unclear to me is whether these schemes are generally useful
>> because:
>>
>> 1) It is important for the server to know whether the password guess was
>> correct, which is a key signal in rate-limiting.
>> 2) Secret shares can only migrate to new HSMs/cloud providers when the
>> user re-enters their password.
>>
>> More traditional threshold password-protected secret sharing schemes
>> address these issues, at the cost of higher complexity and more
>> communication rounds.  Which way should the world go?
>>
>
> Lets make it easy to use public key authentication across devices and
> forget about passwords altogether.
>

Yes, kill passwords, but please don't disable  my device unlock secret.

Both Apple and Google use secure hardware to protect your phone unlock
secret, and these HSMs (Titan chips in Google's case) will restore your
data to your new device if you first login, and then prove you know the
unlock secret.  Neither Google nor Apple can trivially decrypt your data
due to hardware rate-limiting.  I would guestimate that about 100M people
per year are currently making use of these features.  Can we ignore 100M
data recoveries per year?  Most users around the world still only have only
one device running Android or IOs.  Running a Mesh protocol on a USB key
for $15 would be great, but we're finding that users don't want hardware
keys.  It might be simple to replace all the crypto protocols currently
baked into all the world's devices, than to change user behavior.

When I want to recover my data on a new device after hot-tubbing for an
hour with my only Android device (happened to me 2 years ago), what is the
right protocol?  There are two main threshold schemes, OPRF-based, and
traditional pasword-protected secret sharing.  Honestly, I'd be interested
in any good insight into which way to go.

v2.23.0 | Report a Bug | By Email