Re: [Cfrg] Call for adoption: Threshold Signatures

Phillip Hallam-Baker <> Thu, 29 October 2020 01:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 351093A0A6E for <>; Wed, 28 Oct 2020 18:49:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id q1-Y2Tkdx8Pn for <>; Wed, 28 Oct 2020 18:49:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D1E873A0A64 for <>; Wed, 28 Oct 2020 18:49:21 -0700 (PDT)
Received: by with SMTP id m188so872393ybf.2 for <>; Wed, 28 Oct 2020 18:49:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/o+Gno+1W6LzSL8iMRbKHq9uMbENfBmPzvC+vRz4z00=; b=QmdH16jzkiUeBZSTqkO94uw/yhX08B5oybclkhfzTojCyuzZ1L6aHS8xuLSa+199HI efuEXznM8GPRhWaY95gRQ3CGcsBNJjuHU9yJKO9QVGVvtou4NW7HJ8HNvdsMuyHrG+9Q grkJPSchFzzy+Kq0BLVbNYW0dcV4Dfa66SfKiEpIgNb/FuK7ck55XE7FufT106Iv7+85 jhlp3pueBo7G5UIPMsB11bbEwrCD/xRL2EStAZ0llzncb5nfiduRHhoFsBYeiKU7cXej ArDSkidRThtzsxQLtirl3yhftFd7Vk0ZQcD04qdGLTzGaGUH3lkhhX+koucucLdkfit7 yySQ==
X-Gm-Message-State: AOAM5306udW2PQ1vqK2fbacqhJGIsSUxI8EQTCLBr7csCHwtDLK3rjqJ tNTcRHqlfLPa48QuSK1i5GQlc0lMdif6slRmJ8VhHA0ymzg=
X-Google-Smtp-Source: ABdhPJwcg/QjTEPAsHYugYNkAzGk3RwGBz08hr1rPTPyRBWqrmyntGlQFjOYrcYr9xHF/eXLC+GdRbRwzkxxD8foKG8=
X-Received: by 2002:a25:df45:: with SMTP id w66mr2975820ybg.302.1603936160913; Wed, 28 Oct 2020 18:49:20 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Phillip Hallam-Baker <>
Date: Wed, 28 Oct 2020 21:49:10 -0400
Message-ID: <>
To: Christopher Wood <>
Cc: Nick Sullivan <>, IRTF CFRG <>
Content-Type: multipart/alternative; boundary="0000000000001d1eaf05b2c57d93"
Archived-At: <>
Subject: Re: [Cfrg] Call for adoption: Threshold Signatures
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 29 Oct 2020 01:49:23 -0000

On Wed, Oct 28, 2020 at 3:57 PM Christopher Wood <>

> On Thu, Oct 8, 2020, at 9:33 AM, Nick Sullivan wrote:
> > a) should this topic be adopted by the CFRG as a work item, and if so
> Yes. There are many emerging use cases for threshold signatures, as
> evidenced by the NIST effort, and I think it'd be useful for CFRG to
> complement RFC8032 with this functionality.
> > b) should one or both of these documents should be considered as a
> starting point for this work
> Probably only one. The structure of draft-hallambaker-threshold-sigs as an
> extension to RFC8032 is attractive, though I think draft-komlo-frost (and
> the related paper) is generally a better starting point, especially given
> its assessment of attacks on related schemes such as 2020/945. It also
> seems to have plenty of backing implementations and reviews. If we can
> specialize it to RFC8032, perhaps with Richard's work as the basis for that
> change, then I prefer FROST.

As I keep pointing out, I just want algorithms I can use in my Threshold
Key Infrastructure.

Ian and Chelsea have convinced me that the attack is an issue so I think we
should plan on using the FROST algorithm. But I think the draft is quite a
way from being a standards specification. It is also clear that there is
going to be quite a lot of discussion to get any signature spec agreed. It
is a hard problem. We are going to need to discuss various proofs etc.

The point of CFRG process is to produce useful tools that the IETF and
related communities can use.

Why is it that we are insisting on doing the hardest threshold problem and
only the hardest problem?