Re: [Cfrg] Recommendations Regarding Deterministic Signatures

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 20 December 2019 20:02 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Recommendations Regarding Deterministic Signatures
Date: Fri, 20 Dec 2019 20:02:09 +0000
Message-ID: <BN8PR11MB3666FB9FAC26C7C13DFE098BC12D0@BN8PR11MB3666.namprd11.prod.outlook.com>
References: <08737FB3-C63E-453D-BF4E-45BD2A3ABB55@ericsson.com> <CAMm+LwhzejJSWqHUpisLuyuoqhQbum5qN-P09xeWdSN3A_-o_A@mail.gmail.com>
In-Reply-To: <CAMm+LwhzejJSWqHUpisLuyuoqhQbum5qN-P09xeWdSN3A_-o_A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/FMAengY9esBlHpjnZHC4VzFFIb0>

As far as an RFC8032-compatible threshold signature scheme, it would appear to be fairly easy to do, as long as:

  *   You don’t mind not following the precise algorithm in RFC8032, but want something that generates signatures that are computationally indistinguishable from RFC8032 signatures.
  *   You don’t mind it if the algorithm is nondeterministic (that is, signing the same message twice, with different subsets of signers, yields different signatures).

The public keys and the verification process are completely RFC8032.

To be frank, this is simple enough that I would be rather surprised if it wasn’t already published.  However, if people are interested, I will write it up…

From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Phillip Hallam-Baker
Sent: Friday, December 20, 2019 1:09 PM
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: cfrg@irtf.org; saag@ietf.org
Subject: Re: [Cfrg] Recommendations Regarding Deterministic Signatures

The objections to the deterministic signature approach raised in that NIST paper could be avoided by applying the Kocher blinding approach whose patent has recently expired as I point out in another message.

However, there is also NIST interest in threshold cryptography and while {Ed/X}{25519/448} support threshold key generation and threshold decryption and threshold key agreement, RFC8032 does not appear to be viable as a good threshold signature scheme. (It is possible to do multi-signatures of course, and I have a defective threshold scheme that might make sense in a TPM environment.)

I will be submitting an Internet Draft describing threshold key generation and threshold decryption by the end of the year (the code runs) and I should have a threshold key agreement draft shortly after. It would be really nice if we had a threshold signature scheme to complete the set (get that 20% matched set armor rating).

In particular, I believe that we need a threshold signature scheme that is non-interactive. This is because I need to be able to explain the scheme to a layperson who does not understand the signature scheme. For example: The Alice+Bob aggregate signature is secure because it is constructed from a signature contribution from Alice and a signature contribution from Bob, both of which are secure signatures in their own right and both of which have the same exact construction with respect to Alice's and Bob's public keys as the aggregate signature does to the aggregate key.
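An added example, not code from either message and not the scheme Scott offers to write up: a pure-Python RFC 8032 Ed25519 whose verification step is left exactly as specified, plus a naive two-party additive signing of the Alice+Bob kind Phillip sketches, in which each party contributes S_i = r_i + k*a_i under a fresh random nonce and the summed signature verifies under unmodified RFC 8032 verification against the aggregate key A_1 + A_2. Seeds and messages are constructed; the affine curve arithmetic is slow and for illustration only.

```python
import hashlib, secrets                            # needs Python 3.8+ for pow(x, -1, p)
p, q = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493  # RFC 8032 5.1
d = -121665 * pow(121666, -1, p) % p

def h512(*parts):                                  # SHA-512 as a little-endian integer
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")
def add(P, Q):                                     # affine twisted-Edwards addition
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)
def mul(P, e):                                     # double-and-add, demo speed only
    Q = (0, 1)
    while e:
        if e & 1: Q = add(Q, P)
        P, e = add(P, P), e >> 1
    return Q

def xrecover(y, sign):                             # RFC 8032 5.1.3 point decoding
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p: x = x * pow(2, (p - 1) // 4, p) % p
    return p - x if x & 1 != sign else x
By = 4 * pow(5, -1, p) % p
B = (xrecover(By, 0), By)                          # base point
def enc(P): return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")
def dec(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    return (xrecover(y, s[31] >> 7), y)

def keygen(seed):                                  # RFC 8032 5.1.5: hash seed, clamp
    h = hashlib.sha512(seed).digest()
    a = int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, h[32:], mul(B, a)                    # scalar, nonce prefix, public point
def sign(seed, msg):                               # RFC 8032 5.1.6, deterministic nonce
    a, prefix, A = keygen(seed)
    r = h512(prefix, msg) % q
    R = enc(mul(B, r))
    k = h512(R, enc(A), msg) % q
    return R + ((r + k * a) % q).to_bytes(32, "little")
def verify(pk, msg, sig):                          # RFC 8032 5.1.7, used unchanged below
    S, k = int.from_bytes(sig[32:], "little"), h512(sig[:32], pk, msg) % q
    return S < q and mul(B, S) == add(dec(sig[:32]), mul(dec(pk), k))
def sign_two_party(seed1, seed2, msg):             # naive additive scheme, not Scott's
    (a1, _, A1), (a2, _, A2) = keygen(seed1), keygen(seed2)
    r1, r2 = secrets.randbelow(q), secrets.randbelow(q)   # fresh random nonces
    A, R = add(A1, A2), add(mul(B, r1), mul(B, r2))       # aggregate key and nonce point
    k = h512(enc(R), enc(A), msg) % q              # one challenge shared by both parties
    S = (r1 + k * a1 + r2 + k * a2) % q            # sum of per-party S_i = r_i + k*a_i
    return enc(A), enc(R) + S.to_bytes(32, "little")
```

The two-party function needs one exchange of nonce points before the shared challenge k exists, so it is interactive, and plain A_1 + A_2 key aggregation is only sound when each party proves possession of its own key; it demonstrates the verifier-compatibility point, not a deployable threshold scheme.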