IETF Logo Mail Archive

Re: [CFRG] RGLC on draft-irtf-cfrg-frost-11

Tim Ruffing <crypto@timruffing.de> Wed, 07 December 2022 01:42 UTC

Return-Path: <crypto@timruffing.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3344CC15271E for <cfrg@ietfa.amsl.com>; Tue, 6 Dec 2022 17:42:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level:
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=timruffing.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OigkrQJeXBpm for <cfrg@ietfa.amsl.com>; Tue, 6 Dec 2022 17:42:02 -0800 (PST)
Received: from mout-p-102.mailbox.org (mout-p-102.mailbox.org [IPv6:2001:67c:2050:0:465::102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E08EC1516F2 for <cfrg@irtf.org>; Tue, 6 Dec 2022 17:42:00 -0800 (PST)
Received: from smtp102.mailbox.org (smtp102.mailbox.org [IPv6:2001:67c:2050:b231:465::102]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-102.mailbox.org (Postfix) with ESMTPS id 4NRg4b5Zhhz9sQx; Wed, 7 Dec 2022 02:41:51 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timruffing.de; s=MBO0001; t=1670377311; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UhhGShzmBgAcaxrml7jPnJgraHLTB5T4rlUUnblkpQw=; b=QlR3lVSiGxAki/wdn/U3qP7av4buNDeFndyOGv11evgOPPhMLYO2wl0DEOKY3BwchZfg/5 60bZn8UsxLyKJKpheyoJEDjvZWXCi4B3aqwjxt/+nYLBRjhqFCjv/246RvAvEIacYEHWgk qWDKSEwpL+iOZisFfEN67JFOocB+snHYTGsciu0nQ/dss15jC1lFcEQmmaLvr+/6HPb3rF EGwbAKLHI6obqeQf7CKwaZyTbauDG6eWh72vw9LjrG1jR9SJMuuazrNetkIScQK8YvFnTz /O3cO/XP+3uTQrcfnnprNT6a4eYgxs6vJ8Z+FVy9CwB7/1bquf7GAqPsaUvgwA==
Message-ID: <3d019002f6745e707b398424cf3ca501e9135d33.camel@timruffing.de>
From: Tim Ruffing <crypto@timruffing.de>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, CFRG <cfrg@irtf.org>
Cc: cfrg-chairs@ietf.org, draft-irtf-cfrg-frost@ietf.org
Date: Wed, 07 Dec 2022 02:41:42 +0100
In-Reply-To: <CAMr0u6==n00GkiVw5yo_L1joDvkCAKByrgSV6VNzYoU6WSWKqA@mail.gmail.com>
References: <CAMr0u6==n00GkiVw5yo_L1joDvkCAKByrgSV6VNzYoU6WSWKqA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Rspamd-Queue-Id: 4NRg4b5Zhhz9sQx
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/QQhyjvvcoaqLslaX3gWwABqHN-s>
Subject: Re: [CFRG] RGLC on draft-irtf-cfrg-frost-11
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Dec 2022 01:42:07 -0000

Dear chairs and authors,

I spent some time to go through the document, and I think this looks
pretty mature, and is ready for an RFC modulo some minor and editorial
comments below. (I did not look at every detail in every algorithm, and
I did not look at the appendices.)

----

It may make sense to mention that FROST can be used in the case
MIN_PARTICIPANTS == MAX_PARTICIPANTS but in this special case of
multisignatures, other schemes (MuSig2, SpeedyMuSig) with nicer
properties (e.g., much simpler key generation) are available but out of
scope of this document. I believe this could be a useful hint for
applications that purely need an "n-of-n" solution. Of course, even for
these application, one may still come to the conclusion that FROST is
the way to go given that it's a RFC (assuming it makes it). 

> The nonce values produced by this function MUST NOT be reused in more
than one invocation of FROST, and it MUST be generated from a source of
secure randomness.

It's not clear what an "invocation" is in a two-round protocol. Maybe
"more than one invocation of the second round algorithm" or something
along these lines? Below you say "and MUST use the nonce to generate at
most one signature share." -- this is very clear.

>  Applications which require that participants not process arbitrary
input messages are also required to also perform relevant application-
layer input validation checks; see Section 7.5 for more details.

(Duplicate "also"). And this could make it a bit more explicit that
these don't just include adherence to some formal checks (syntax etc)
but also could involve the actual content of the message / willingness
to sign the message: For example, a cryptocurrency transaction must not
only be syntactically valid, it must also be *intended* by the
participants. (The second example Section 7.5 is an example of that
kind but when reading 7.5 as a whole, I again had the feeling that this
aspect could be emphasized.)

> Each participant MUST delete the nonce and corresponding commitment
after this round completes

It's not entirely clear what "completes" means here. (One could for
example wrongly assume that the round does not "complete" before the
aggregator outputs a signature.)

> If any signature share fails to verify, i.e., if
verify_signature_share returns False for any participant share, the
Coordinator MUST abort the protocol for correctness reasons (this is
true regardless of the size or makeup of the signing set selected by
the Coordinator).

To be honest, I'm not entirely sure why you require verification if the
individual signature shares. I assume this is to identify misbehaving
participants because you also say "However, in order to identify any
participant which has misbehaved (resulting in the protocol aborting)
to take actions such as excluding them from future signing operations
verification." If this is the case, then this purpose should be
clarified here. And then, it could make sense to mention the
optimization that the coordinator can simply first build the final
signature and verify it. Only if it doesn't verify, the coordinator
must look at the shares.

By the way, it took me a while to convince myself that misbehaving
participants cannot force the group commitment to be the identity
element (which typically couldn't be part of a valid signature even
though signature share verification would pass for all shares). This
can happen in the scheme in our MuSig2 BIP draft due to the fact that
we use the same binding factor for everyone (because we want commitment
aggregation). And then we need to be careful when we deal with the
identity element, and need some special casing, see the paragraph
https://github.com/jonasnick/bips/blob/musig2/bip-musig2.mediawiki#Dealing_with_Infinity_in_Nonce_Aggregation
if you're interested in the details. But this doesn't seem to be a
problem here in your draft now that you've switched to different
binding factors.

> This includes checking that [...] that the point is not the point at
infinity. Additionally, this function validates that the resulting
element is not the group identity element.

These two checks are in fact the same check.

> Honest-but-curious coordinator. We assume an honest-but-curious
Coordinator which, at the time of signing, does not perform a denial of
service attack. A denial of service would include any action which
either prevents the protocol from completing or causing the resulting
signature to be invalid. Such actions for the latter include sending
inconsistent values to participants, such as messages or the set of
individual commitments.

Towards what (security) property do you assume this? In the next
paragraph say "Under this threat model, FROST aims to achieve signature
unforgeability". But unforgeability holds even if the coordinator is
fully malicious. Or do you have this because it's required for
"Identifiable aborts", i.e., the ability to identify misbehaving
participants? (Here honest participants need to rely on what the
coordinators claimed were the messages of the other participants.)

The way I see it is that it's already true that any malicious
participant can perform a DoS attack on signing run by not responding,
so I think protection against DoS is anyway out of scope? (And as you
say further below, robustness is not a goal.) So I suggest to clarify
that the coordinator must be trusted to identify misbehaving
participants correctly but assuming honest-but-curious is not necessary
for unforgeability.

> the scheme remains secure against Existential Unforgeability Under
Chosen Message Attack (EUF-CMA) attacks, as defined in [BonehShoup],
Definition 13.2.

I think a reference to a "single-singer" EUF-CMA definition is plain
wrong for a threshold signature scheme. What would the definition even
mean in this setting?

> However, in the setting that a player attempts to split the view of
all other players by sending disjoint values to a subset of players,
the signing operation will output an invalid signature. To avoid this
denial of service, implementations may wish to define a mechanism where
messages are authenticated, so that cheating players can be identified
and excluded.

Identifying and excluding cheating players would require additional
measures, e.g., you'll need terminating reliable broadcast
(=consensus), and not just authentication, in order to agree who is
malicious and should be excluded. Or alternatively, you'd need
something like ROAST to get robustness. But I think that all of this is
too subtle to capture in one or two sentences. Since you anyway say
that robustness is not a goal, I suggest to drop this remark and leave
robustness out of scope.

> One possible example is to construct this pre-hash over message m as
H(contextString \|\| "pre-hash" \|\| m).

I don't think that the blackslashes are intended here.

Best,
Tim


On Mon, 2022-11-14 at 11:22 +0300, Stanislav V. Smyshlyaev wrote:
> Dear CFRG participants,
> 
> This message is starting 3 weeks RGLC on draft-irtf-cfrg-frost-
> 11 ("Two-Round Threshold Schnorr Signatures with FROST") that will
> end on December 6th 2022. If you've read the document and think that
> it is ready (or not ready) for publication as an RFC, please send a
> message in reply to this email or directly to CFRG chairs
> (cfrg-chairs@ietf.org) If you have detailed comments, these would
> also be very helpful at this point.
> 
> Thomas Pornin provided a review of the document on behalf of Crypto
> Review Panel,
> https://mailarchive.ietf.org/arch/msg/crypto-panel/bPyYzwtHlCj00g8YF1tjj-iYP2c/
> 
> Thank you,
> Stanislav, for CFRG chairs
> 
> 
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.37.1 | Report a Bug | By Email | System Status