IETF Logo Mail Archive

[Cfrg] Proposal: Threshold cryptography for CFRG curves + UDF

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 06 January 2020 05:42 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E502A1200B1 for <cfrg@ietfa.amsl.com>; Sun, 5 Jan 2020 21:42:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.417
X-Spam-Level:
X-Spam-Status: No, score=-1.417 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id khvSiHgDFTlB for <cfrg@ietfa.amsl.com>; Sun, 5 Jan 2020 21:42:35 -0800 (PST)
Received: from mail-ot1-f42.google.com (mail-ot1-f42.google.com [209.85.210.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D42AA120098 for <cfrg@irtf.org>; Sun, 5 Jan 2020 21:42:34 -0800 (PST)
Received: by mail-ot1-f42.google.com with SMTP id r27so70147051otc.8 for <cfrg@irtf.org>; Sun, 05 Jan 2020 21:42:34 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=uZ9mfi42prwNN5oEc08x5/J55pvrgBO+OV3WLry+pZQ=; b=angxYW+QbfWsNGBV1HfQeVt5t2OfaBo1B3/GIq+POkzuQxjiCFSq/2eo9YUz0PPiLV gC9vuntsPtZve+vK7W/BT5Ljn5m3G4HzSVZFnDoW0f6SkfzoBqYEMtb8sxZIf+hQjQDp UdbbaEfiLSI8sT8PTC/v7lzmJ+cmt74c0OqgYf9SrCS7hFHUKEp1weta89fIcPGD4jJy pgbySj6p+/quh2MhnOQDscSPM3DjlQLOV+83TX0qONZklHfx9RcN7YQWWOSIOVc3iIkb BQUaansQSbN9nPHqe9q7Q5Alu5xf/dVgPeUmpAEuyQGzaoB4qMeK9nOlebSwy1QWpOT3 e1hg==
X-Gm-Message-State: APjAAAUdl0zoPSdX4rYGHcHYDeYxWFzUe6enpf0JEu+gdTrzUhVZYZsu 9PUJ6d9OY9B/hx9GLSV2CNH7M+3pr4QEgY2VEPDP/Kj341Y=
X-Google-Smtp-Source: APXvYqwc+7D5W2KwnJC4xC7/5wHOSVRaBoiPHMxNGclER4KN7rAEAdPluWEXf8vUGOlbTJ3khk/s0qcanOvLKPAOmBg=
X-Received: by 2002:a9d:7c8a:: with SMTP id q10mr106573592otn.124.1578289353874; Sun, 05 Jan 2020 21:42:33 -0800 (PST)
MIME-Version: 1.0
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 06 Jan 2020 00:42:24 -0500
Message-ID: <CAMm+Lwj0WC7JUH-5=tM3styYLrCH9+fVjbSkx1zFWFG3JinsnQ@mail.gmail.com>
To: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000004a618b059b72206e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/OANz4SSQwMkSOkuBF_o3_VnCVYw>
Subject: [Cfrg] Proposal: Threshold cryptography for CFRG curves + UDF
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jan 2020 05:42:37 -0000

All,

I have just submitted two new drafts:

https://www.ietf.org/id/draft-hallambaker-threshold-00.html
https://www.ietf.org/id/draft-hallambaker-threshold-sigs-00.html

I wish to (in due course) propose these as CFRG work items together with
the existing draft:

https://mathmesh.com/Documents/draft-hallambaker-mesh-udf.html

(should have a proper HTML version of above soon, stress test on the tools.)

These are of course work that is motivated by my work on the Mathematical
Mesh. And since the obvious question for the IESG to ask is whether CFRG
has looked at the crypto, it probably makes sense to begin by discussing
the crypto here.

But more importantly, the Mesh is merely a vehicle to try to persuade the
field to start using some post 1990s crypto. So it isn't a problem for me
if the outcome is we end up putting threshold decryption into legacy CRM
schemes rather than deploying my new one.


The first draft describes the addition of three new capabilities to the
X25519 / X448 / Ed25519 / Ed448 repertoire:

1) Threshold Decryption (n, n)
2) Threshold Key Generation
3) Side channel disclosure resistance

The implementation of threshold signature is described in a separate draft.
Two schemes are described for Ed25519/Ed448

1) Unanimous threshold i.e. (n, n)
2) Quorate threshold, i.e. (n, t)

The third document describes the presentation of certain types of
cryptographic material that it is necessary for people to interact with
under certain circumstances. This began as a very tightly constrained piece
of work to 'do digest fingerprints right'. It has since grown in response
to requests and now has some capabilities that I think really need some
CFRG input:

1) Deterministic functions for generating ECDH and RSA keys from a
specified key via a KDF
2) Shamir secret sharing for escrow of encrypted keying material
3) Shamir secret sharing for escrow of seed used to generate key pairs

As previously discussed on the list, the threshold signatures are not
aggregate signatures. They are however compatible with the existing RFC7748
and RFC8032 curves and algorithms and that is my overarching goal. I am
aware of the BLS work but I don't see it as overlapping. There are numerous
references and citations missing including to previous IETF/IRTF proposals.
I am more than willing to share authorship. The key thing is to move the
work ahead.

Many thanks to all those who have helped on or off the list. Will be
following up to ask folk who helped me offlist if they want their names
mentioned in the acknowledgements. Also need to chase down the references
to source.

Security considerations are intentionally left blank as I think it better
to start this only after the scope is understood or things get missed.


Questions:

1) Should CFRG look at any/all of this work?

2) Is (n,k) quorum Threshold decryption worth adding?

3) UDF provides two escrow models at present, do we need to add in direct
escrow of the private keys?

4) If threshold signature is worth doing, should there be one threshold
spec for the  RFC7748 and RFC8032 curves or keep these as two?

5) I was planning to kill OID UDFs, they were originally added as a way to
allow QR code transmission of private keys and then Michael Richardson gave
me a better idea.

I understand that UDF might be a little on the 'lite' side and not so
suited to CFRG. But I would like people to take a look at the deterministic
key gen because it solves a very important problem a lot of sysadmins face
today: how to keep SSH keys in sync across machines. Some of the
instructions given on the net on how to do this are pitiful.

This technique is not as simple or easy to use as the Mesh of course, but
it does support 'offline' and 'paper' pretty well.

v2.23.0 | Report a Bug | By Email