[Cfrg] Proposal: Threshold cryptography for CFRG curves + UDF
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 06 January 2020 05:42 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E502A1200B1 for <cfrg@ietfa.amsl.com>; Sun, 5 Jan 2020 21:42:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.417
X-Spam-Level:
X-Spam-Status: No, score=-1.417 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id khvSiHgDFTlB for <cfrg@ietfa.amsl.com>; Sun, 5 Jan 2020 21:42:35 -0800 (PST)
Received: from mail-ot1-f42.google.com (mail-ot1-f42.google.com [209.85.210.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D42AA120098 for <cfrg@irtf.org>; Sun, 5 Jan 2020 21:42:34 -0800 (PST)
Received: by mail-ot1-f42.google.com with SMTP id r27so70147051otc.8 for <cfrg@irtf.org>; Sun, 05 Jan 2020 21:42:34 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=uZ9mfi42prwNN5oEc08x5/J55pvrgBO+OV3WLry+pZQ=; b=angxYW+QbfWsNGBV1HfQeVt5t2OfaBo1B3/GIq+POkzuQxjiCFSq/2eo9YUz0PPiLV gC9vuntsPtZve+vK7W/BT5Ljn5m3G4HzSVZFnDoW0f6SkfzoBqYEMtb8sxZIf+hQjQDp UdbbaEfiLSI8sT8PTC/v7lzmJ+cmt74c0OqgYf9SrCS7hFHUKEp1weta89fIcPGD4jJy pgbySj6p+/quh2MhnOQDscSPM3DjlQLOV+83TX0qONZklHfx9RcN7YQWWOSIOVc3iIkb BQUaansQSbN9nPHqe9q7Q5Alu5xf/dVgPeUmpAEuyQGzaoB4qMeK9nOlebSwy1QWpOT3 e1hg==
X-Gm-Message-State: APjAAAUdl0zoPSdX4rYGHcHYDeYxWFzUe6enpf0JEu+gdTrzUhVZYZsu 9PUJ6d9OY9B/hx9GLSV2CNH7M+3pr4QEgY2VEPDP/Kj341Y=
X-Google-Smtp-Source: APXvYqwc+7D5W2KwnJC4xC7/5wHOSVRaBoiPHMxNGclER4KN7rAEAdPluWEXf8vUGOlbTJ3khk/s0qcanOvLKPAOmBg=
X-Received: by 2002:a9d:7c8a:: with SMTP id q10mr106573592otn.124.1578289353874; Sun, 05 Jan 2020 21:42:33 -0800 (PST)
MIME-Version: 1.0
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 06 Jan 2020 00:42:24 -0500
Message-ID: <CAMm+Lwj0WC7JUH-5=tM3styYLrCH9+fVjbSkx1zFWFG3JinsnQ@mail.gmail.com>
To: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000004a618b059b72206e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/OANz4SSQwMkSOkuBF_o3_VnCVYw>
Subject: [Cfrg] Proposal: Threshold cryptography for CFRG curves + UDF
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jan 2020 05:42:37 -0000
All, I have just submitted two new drafts: https://www.ietf.org/id/draft-hallambaker-threshold-00.html https://www.ietf.org/id/draft-hallambaker-threshold-sigs-00.html I wish to (in due course) propose these as CFRG work items together with the existing draft: https://mathmesh.com/Documents/draft-hallambaker-mesh-udf.html (should have a proper HTML version of above soon, stress test on the tools.) These are of course work that is motivated by my work on the Mathematical Mesh. And since the obvious question for the IESG to ask is whether CFRG has looked at the crypto, it probably makes sense to begin by discussing the crypto here. But more importantly, the Mesh is merely a vehicle to try to persuade the field to start using some post 1990s crypto. So it isn't a problem for me if the outcome is we end up putting threshold decryption into legacy CRM schemes rather than deploying my new one. The first draft describes the addition of three new capabilities to the X25519 / X448 / Ed25519 / Ed448 repertoire: 1) Threshold Decryption (n, n) 2) Threshold Key Generation 3) Side channel disclosure resistance The implementation of threshold signature is described in a separate draft. Two schemes are described for Ed25519/Ed448 1) Unanimous threshold i.e. (n, n) 2) Quorate threshold, i.e. (n, t) The third document describes the presentation of certain types of cryptographic material that it is necessary for people to interact with under certain circumstances. This began as a very tightly constrained piece of work to 'do digest fingerprints right'. It has since grown in response to requests and now has some capabilities that I think really need some CFRG input: 1) Deterministic functions for generating ECDH and RSA keys from a specified key via a KDF 2) Shamir secret sharing for escrow of encrypted keying material 3) Shamir secret sharing for escrow of seed used to generate key pairs As previously discussed on the list, the threshold signatures are not aggregate signatures. They are however compatible with the existing RFC7748 and RFC8032 curves and algorithms and that is my overarching goal. I am aware of the BLS work but I don't see it as overlapping. There are numerous references and citations missing including to previous IETF/IRTF proposals. I am more than willing to share authorship. The key thing is to move the work ahead. Many thanks to all those who have helped on or off the list. Will be following up to ask folk who helped me offlist if they want their names mentioned in the acknowledgements. Also need to chase down the references to source. Security considerations are intentionally left blank as I think it better to start this only after the scope is understood or things get missed. Questions: 1) Should CFRG look at any/all of this work? 2) Is (n,k) quorum Threshold decryption worth adding? 3) UDF provides two escrow models at present, do we need to add in direct escrow of the private keys? 4) If threshold signature is worth doing, should there be one threshold spec for the RFC7748 and RFC8032 curves or keep these as two? 5) I was planning to kill OID UDFs, they were originally added as a way to allow QR code transmission of private keys and then Michael Richardson gave me a better idea. I understand that UDF might be a little on the 'lite' side and not so suited to CFRG. But I would like people to take a look at the deterministic key gen because it solves a very important problem a lot of sysadmins face today: how to keep SSH keys in sync across machines. Some of the instructions given on the net on how to do this are pitiful. This technique is not as simple or easy to use as the Mesh of course, but it does support 'offline' and 'paper' pretty well.
- Re: [Cfrg] Proposal: Threshold cryptography for C… Phillip Hallam-Baker
- [Cfrg] Proposal: Threshold cryptography for CFRG … Phillip Hallam-Baker
- Re: [Cfrg] Proposal: Threshold cryptography for C… Phillip Hallam-Baker
- Re: [Cfrg] Proposal: Threshold cryptography for C… Phillip Hallam-Baker
- Re: [Cfrg] Proposal: Threshold cryptography for C… Phillip Hallam-Baker