IETF Logo Mail Archive

Re: [Cfrg] Threshold signatures

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 02 January 2020 21:38 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6945B120096 for <cfrg@ietfa.amsl.com>; Thu, 2 Jan 2020 13:38:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zj18XoW0mIdT for <cfrg@ietfa.amsl.com>; Thu, 2 Jan 2020 13:38:12 -0800 (PST)
Received: from mail-oi1-f172.google.com (mail-oi1-f172.google.com [209.85.167.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C293612004D for <cfrg@irtf.org>; Thu, 2 Jan 2020 13:38:12 -0800 (PST)
Received: by mail-oi1-f172.google.com with SMTP id 18so12868406oin.9 for <cfrg@irtf.org>; Thu, 02 Jan 2020 13:38:12 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=55nzFHhO5faL0jNHKg/I1fVgvi160wPtq4oXQ92WqAU=; b=qQ6jBT/AZKr7dXyLSRcMMxyaMIuV1klb7ndjlCBzmt5RhlJjhUSzm996P2FaokDLnO 9tZG6lVXs6YV0EDTJn7xZleOOYgKH9K3tH1KjHrX7XqdDgwn8SQdOOJs6jQHMecZfDle ztZ8eiYUwPf4OF5H10xnu28yywPVyXl4G9UgpYcCqR4vFvktFF9sd0LMm6gyhDEtg4Rd UJ3ZD6ixwdL07sfBIznuXCmknGxzAflZh1h+ZOspHPpKnah5MWD90xfI/Vk3W9+T3veA xgB5mFdagYR/TL5Qp6v93FDc3TfTkxQUVXz0IeNI0lmuqHMZVaI2WdG1uq/l8ws6dr2u Zb9g==
X-Gm-Message-State: APjAAAWus/rXMEYcD4w3w15QsFNm7mQn2gwMsls8qPwJKOCtZdLSY0bw xI6AcH3VPxMVhnnwxBPFHoHZbfm821W1KfC+58A=
X-Google-Smtp-Source: APXvYqyyexERo2KskkiaEInTz+hlkUw/WmkBHqK6j9Tuok0SErwaAkr+fg+njwyP0rlKwG3YFT5dOP+Dj+KJRci4nRE=
X-Received: by 2002:a54:4f04:: with SMTP id e4mr2831133oiy.111.1578001091988; Thu, 02 Jan 2020 13:38:11 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com> <CAHOTMVK+XiKyGSW6mO3D_HK29jYE-YnxN-6f-fW_0jLLRuEUbQ@mail.gmail.com>
In-Reply-To: <CAHOTMVK+XiKyGSW6mO3D_HK29jYE-YnxN-6f-fW_0jLLRuEUbQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 02 Jan 2020 16:38:00 -0500
Message-ID: <CAMm+Lwg2W9S9HKqjTOhi825nTK_UsZemwYenbjGhDrVXiBW++g@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000008b11ce059b2f022a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/LZmYZMwpse3v2uLUCpuugnqHlk8>
Subject: Re: [Cfrg] Threshold signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jan 2020 21:38:15 -0000

Well I will be looking for co-authors :-)

The big difference is that I want the threshold sigs to be plug compatible
with regular RFC8032. One of my big motivations for this work is to have a
clear 'want list' to give to the likes of Intel, AMD, Cypress etc for
onboard crypto co-processors to support Curve {X/ED}{25519/448} so that
they can support application level crypto operations providing a host bound
mix in to the application keys without exposing the on-chip keys to
external parties.

The point here is that with the interest from NIST and my needs for the
Mesh, I would like to move forward on choice of one scheme we can start
using.

The killer app for threshold sigs could be code signing. Shamir (n,k)
schemes would be particularly good for open source projects.


One thing I would like to understand what the security rationale for tying
the signature hash value k to the value R is. Because that is what creates
the need for a two round protocol.



On Thu, Jan 2, 2020 at 2:57 PM Tony Arcieri <bascule@gmail.com> wrote:

> I'd be interested in comparing / contrasting your scheme to prior art with
> running code, notably:
>
> - KZen's Multiparty EdDSA, a straightforward application of distributed
> threshold Schnorr to Ed25519:
> https://github.com/KZen-networks/multi-party-eddsa
> - CoSi, a Merkle-tree based approach for collective Ed25519 signing
> targeting something more along the lines of a consensus protocol:
> https://tools.ietf.org/id/draft-ford-cfrg-cosi-00.html
>
> On Thu, Jan 2, 2020 at 2:28 PM Phillip Hallam-Baker <phill@hallambaker.com>
> wrote:
>
>> OK so with quite a bit of help, have got a prototype of threshold
>> signatures going. There is a bit more to the draft than just the algorithm
>> though as the way the scheme is presented and packaged has consequences.
>>
>> From the presentation side, I want to be able to argue that the threshold
>> sig scheme has (almost) precisely the same security properties as the
>> RFC8032 scheme. Which means that the core of the presentation must align as
>> closely as possible with the RFC8032 scheme.
>>
>> There are some subtle design choices that don't impact security but may
>> well have impact on specific use cases. The use cases I am currently
>> considering are
>>
>> 1) HSM module: One or both parts of the signature key shares are located
>> in a HSM providing resistance against extraction of the public key. This is
>> an important use case as we want the operation of the HSM to be stateless.
>> The signing algorithm requires multiple rounds, in the first round, the
>> signer commits to a value R_i = r_i..B. In the second round, the value r_i
>> is used. So it is kinda important to construct r_i in such fashion that the
>> HSM can restore it from one round to the next even though it may have
>> performed other operations in the meantime.
>>
>> Another issue that comes up with HSMs is auditability. The construction
>> of r_i must be auditalble which means it must be deterministic.
>>
>> 2) Code signing: The code signing role is split across two or more
>> signers and MAY permit a signature to be created by a quorum smaller than
>> the total number of authorized signers (n, t). Signing quorums may prove
>> particularly attractive for open source projects.
>>
>> I have introduced a new role, of coordinator for the party that manages
>> the process.
>>
>> Are there additional use cases that should be considered. That is use
>> cases that raise additional requirements. The need to sign blockchains is
>> often raised but that doesn't seem to raise additional requirements over
>> code signing.
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
>
>
> --
> Tony Arcieri
>

v2.23.0 | Report a Bug | By Email