Re: [CFRG] Escalation: time commitment to fix *production* security bugs for BLS RFC v4?

Jeff Burdges <burdges@gnunet.org> Tue, 27 April 2021 10:36 UTC

Return-Path: <burdges@gnunet.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1004A3A0CE8 for <cfrg@ietfa.amsl.com>; Tue, 27 Apr 2021 03:36:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.219
X-Spam-Level:
X-Spam-Status: No, score=-4.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sJWryG2YdGfP for <cfrg@ietfa.amsl.com>; Tue, 27 Apr 2021 03:35:58 -0700 (PDT)
Received: from mail-out1.informatik.tu-muenchen.de (mail-out1.in.tum.de [131.159.0.8]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 824283A0CE5 for <cfrg@irtf.org>; Tue, 27 Apr 2021 03:35:57 -0700 (PDT)
Received: from [127.0.0.1] (sam.net.in.tum.de [IPv6:2001:4ca0:2001:42:225:90ff:fe6b:d60]) by sam.net.in.tum.de (Postfix) with ESMTP id 4DA831C00D2; Tue, 27 Apr 2021 12:37:54 +0200 (CEST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Jeff Burdges <burdges@gnunet.org>
In-Reply-To: <CAAEB6gkjpQ5i_ZT+mLqjcz9+JTORFJQQVu_UfwUPOF4_X+gShw@mail.gmail.com>
Date: Tue, 27 Apr 2021 12:35:48 +0200
Cc: IRTF CFRG <cfrg@irtf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <840462AE-02FC-4C24-A9A5-7AFC191C9D64@gnunet.org>
References: <CAAEB6g=tU=MF1_QKduEN55ft0rWe+7x0wBbywS083fJrjzP=XA@mail.gmail.com> <20210423195504.d6f74x4jsdrzagcc@muon> <CAAEB6g=dcsRKz6zm7F15F-uZ7Zfi_qF06KwQXmrireKEKZYHFg@mail.gmail.com> <49ca86ec6409217d60e3f2e94e3090ef2b571f80.camel@loup-vaillant.fr> <A1765592-7AF7-4F3A-8B22-C5BD6C059A7C@akamai.com> <413D8017-047F-4A86-BEDD-7BED6BBB972B@vpnc.org> <CAAEB6gkjpQ5i_ZT+mLqjcz9+JTORFJQQVu_UfwUPOF4_X+gShw@mail.gmail.com>
To: Quan Thoi Minh Nguyen <msuntmquan@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/MgHxayDApyEJRMMSOoRyvHCMmOo>
Subject: Re: [CFRG] Escalation: time commitment to fix *production* security bugs for BLS RFC v4?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Apr 2021 10:36:03 -0000

> On 25 Apr 2021, at 20:23, Quan Thoi Minh Nguyen <msuntmquan@gmail.com> wrote:
> Things will get messier quickly.

This is not a forum where things should be rushed.  If an organizations wants to move fast then it should hire people who can do so securely.  

At its core BLS is a signature for consensus protocols, but consensus protocols require coherent software, invariably led by one organization, and always require an upgrade path, and they’ll always have upgrades in the pipe anyways.  We could tweak BLS every year for then next ten years with zero real harm done.

Increasingly, the serious BLS proponents have turned towards even fancier verification strategies, including:
1.  zkSNARKs verifying BLS with extra properties, ala Celo,
2.  inner pairing product arguments compressing BLS https://eprint.iacr.org/2019/1177
3.  non-BLS VUF that support vastly more scalable DKGs https://eprint.iacr.org/2021/005
4.  zkSNARKs of correct behavior in non-scalable DKGs https://eprint.iacr.org/2021/339

We’re a very long ways from establishing any human consensus across organizations over what really makes sense. 

Jeff

p.s.  It never came up, but you literally cannot deploy BLS for account keys on blockchains because then some asshat writes BIP32-BLS, and their users loose all their funny money.  It’s safer for users if developers stay scared of BLS for a while longer.