Re: [Cfrg] Threshold signatures
Phillip Hallam-Baker <phill@hallambaker.com> Fri, 03 January 2020 16:28 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 931E7120043 for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 08:28:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VTQQm6dAletX for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 08:28:52 -0800 (PST)
Received: from mail-oi1-f196.google.com (mail-oi1-f196.google.com [209.85.167.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C3BA12000F for <cfrg@irtf.org>; Fri, 3 Jan 2020 08:28:52 -0800 (PST)
Received: by mail-oi1-f196.google.com with SMTP id d62so14517772oia.11 for <cfrg@irtf.org>; Fri, 03 Jan 2020 08:28:52 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vESHjoxO14QZqwXwuH6iTNdTzBUI7PfTTk9WMP5i5DQ=; b=ZUEp6mafmHqkWcC7q5o1fTBqcfRIf2qrphtoXCG/3Bj+dxPduz87cJhQIglBuPmG6d uvk9m1gyusxfIpvikuNwxgATAfjHd46VGYgUFb9392aCxNTUBNKjAJJfIhkiKMqWkCf8 uAwdmAon1G1oVvmNhr9tBpCVdu7y/iA8s0JVzD0/9/Aw6tilrS+s493W4kxi+wccXNyf 7pxD1Ltn1VRc7MPu9wP7bhAI5hUrsjLgRusBXp23bx7B25YJk1EZz+LNJ+17NRz6yeh8 Ohyn5GzPW3up4XRmTAfpkVo+xOfXFiktNEYRtA6fUbeKb5X/25iCVV0VBuIZWWTkJgb9 bnJA==
X-Gm-Message-State: APjAAAV4RNg5D9mKwWoBBiDEcnCziPy24bpBHcCRU+i2LQxwyG2x/U1J OewAfO4ei+J2xcIPY/WtHIp0CzwN5fjL6V3G9uQ=
X-Google-Smtp-Source: APXvYqzPt2DMD3Zvgup8VTfThTbM7z2jqrxV6WTKwiLkvAArqaRkZeYRMB/mItMocFerUnNiHlsWzbsYc+HnmBhTpnQ=
X-Received: by 2002:aca:c30d:: with SMTP id t13mr4400248oif.166.1578068931446; Fri, 03 Jan 2020 08:28:51 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com> <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org> <CAOLP8p5Q=xswL7vkXVpSbVHUZ1dV+1wT3YdViq+1re1=fiSpRA@mail.gmail.com> <CAMm+LwiC5tBCd=fUo9e1tuQFVJ8C6hMXSxRZk2xff1238_9HRA@mail.gmail.com> <CAOLP8p5==74BH-F6U5=w-J0WJcn0gBnJ=Nm6DKHUeAkcbQK4aQ@mail.gmail.com>
In-Reply-To: <CAOLP8p5==74BH-F6U5=w-J0WJcn0gBnJ=Nm6DKHUeAkcbQK4aQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 03 Jan 2020 11:28:40 -0500
Message-ID: <CAMm+Lwgsz1FOj41xiU0BdsVRPy_PxFeQ6SQ+nN3zrQrvskWOYQ@mail.gmail.com>
To: Bill Cox <waywardgeek@gmail.com>
Cc: Jeff Burdges <burdges@gnunet.org>, IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000170a80059b3ece9f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/LguKWVu2D8y7IpmbsIhL0zije_I>
Subject: Re: [Cfrg] Threshold signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2020 16:28:53 -0000
OK, right, you can keep your device unlock codes and your device based biometrics. Let us leverage both. The reason for focusing on this threshold stuff now is that we can supplement the data locking capability you are describing with a key binding capability. Well over 90% of TLS key breaches are the result of private keys being recorded to backups. Most of the rest are due to a machine on the network being compromised and a private key file being found on an accessible share. CA breaches are close to non existent and which is why we can have the post mortems and blamestorming sessions. Binding TLS keys to a key that is embedded in and cannot be extracted from the Host service without national lab scale tech (and physical access) would greatly reduce exposure. Splitting the code signing key for authenticode between a cloud service and the software provider would only require the CAs to offer the relevant cloud service. Sure, some enterprises that have legacy KMS software that would lock them in to the obsolete approach. But that is less than 1% of the software providers. Threshold sig was not a priority for me at the start as I thought multisig would be sufficient. That may well be true. But I think it is going to be much easier to sell a complete suite of threshold capabilities than something that looks like a work in progress. Put threshold decryption and Key generation on the table and people will say 'let me know when you are finished'. Add threshold sig and there is a complete set. On Fri, Jan 3, 2020 at 11:14 AM Bill Cox <waywardgeek@gmail.com> wrote: > On Fri, Jan 3, 2020 at 7:04 AM Phillip Hallam-Baker <phill@hallambaker.com> > wrote: > >> >> What is unclear to me is whether these schemes are generally useful >>> because: >>> >>> 1) It is important for the server to know whether the password guess was >>> correct, which is a key signal in rate-limiting. >>> 2) Secret shares can only migrate to new HSMs/cloud providers when the >>> user re-enters their password. >>> >>> More traditional threshold password-protected secret sharing schemes >>> address these issues, at the cost of higher complexity and more >>> communication rounds. Which way should the world go? >>> >> >> Lets make it easy to use public key authentication across devices and >> forget about passwords altogether. >> > > Yes, kill passwords, but please don't disable my device unlock secret. > > Both Apple and Google use secure hardware to protect your phone unlock > secret, and these HSMs (Titan chips in Google's case) will restore your > data to your new device if you first login, and then prove you know the > unlock secret. Neither Google nor Apple can trivially decrypt your data > due to hardware rate-limiting. I would guestimate that about 100M people > per year are currently making use of these features. Can we ignore 100M > data recoveries per year? Most users around the world still only have only > one device running Android or IOs. Running a Mesh protocol on a USB key > for $15 would be great, but we're finding that users don't want hardware > keys. It might be simple to replace all the crypto protocols currently > baked into all the world's devices, than to change user behavior. > > When I want to recover my data on a new device after hot-tubbing for an > hour with my only Android device (happened to me 2 years ago), what is the > right protocol? There are two main threshold schemes, OPRF-based, and > traditional pasword-protected secret sharing. Honestly, I'd be interested > in any good insight into which way to go. >
- [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Jeff Burdges
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Bill Cox
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Scott Fluhrer (sfluhrer)
- Re: [Cfrg] Threshold signatures Bill Cox
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Dan Wing
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Michael StJohns
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker