Re: [Cfrg] FROST — Flexible Round-Optimized Schnorr Threshold signatures

Jeff Burdges <burdges@gnunet.org> Thu, 09 January 2020 03:01 UTC

From: Jeff Burdges <burdges@gnunet.org>
Date: Wed, 8 Jan 2020 21:59:37 -0500
References: <CAHOTMVJOnLb2WC5zNJWc+-qTVn0erYoAerKoikwf5Sc+4pannw@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
In-Reply-To: <CAHOTMVJOnLb2WC5zNJWc+-qTVn0erYoAerKoikwf5Sc+4pannw@mail.gmail.com>
Message-Id: <EDB59D88-7A84-4211-96D6-5E83AF15724F@gnunet.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/RDP4AEyfPxtsu0mFK_WClGgE1DU>
Subject: Re: [Cfrg] FROST — Flexible Round-Optimized Schnorr Threshold signatures


> On 7 Jan 2020, at 12:00, Tony Arcieri <bascule@gmail.com> wrote:
> The batched non-interactive preprocessing stage sounds particularly interesting for use cases like code signing.
> https://crysp.uwaterloo.ca/software/frost/

There are no security arguments in the version available there, but their first scheme is clearly vulnerable to the k-sum forgery attack in https://eprint.iacr.org/2018/417.pdf, as are all other published two-round-trip Schnorr threshold or multi-signatures.

In fact, their second variant avoids the k-sum problem by being hyper-interactive, but actually doing this inside any real system sounds extremely fragile.

Jeff
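To make the structural point of the message concrete, here is an added example that is not code from the FROST authors, from the cited paper, or from anyone in this thread. It implements a toy two-round additive Schnorr multi-signature: in round 1 each cosigner reveals its nonce commitment R_i, and only afterwards is the Fiat-Shamir challenge fixed from the aggregate nonce, which is the ordering the k-sum forgery of eprint 2018/417 exploits when an adversary can drive many signing sessions with an honest signer in parallel. The defensive check shown is a per-signer guard that refuses to open a second session while one is outstanding; that guard is an assumption of this example (a mitigation that removes the concurrency the attack needs), not a description of FROST's own second variant. The group parameters (p = 2039, q = 1019, g = 4) are deliberately tiny and offer no security; the message and signer count are constructed.

```python
"""Toy two-round additive Schnorr multi-signature with a per-signer
concurrency guard. Added example, not the FROST authors' code.
Assumption: safe-prime toy group p = 2039 = 2q + 1, q = 1019, g = 4."""
import hashlib
import secrets

P = 2039   # toy safe prime (assumption; no real security)
Q = 1019   # prime order of the subgroup generated by G
G = 4      # 2^2 mod p, generates the order-q subgroup


def H(*parts: int) -> int:
    """Fiat-Shamir challenge over (aggregate nonce, aggregate key, message hash)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def msg_hash(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


class ConcurrentSessionError(RuntimeError):
    pass


class Signer:
    """One cosigner. Round 1 reveals R_i before the challenge exists;
    round 2 releases s_i once the aggregate nonce R is known. A signer
    that answers many sessions in parallel hands an adversary the
    freedom the k-sum forgery needs, so this signer (assumed mitigation)
    refuses to open a second session before the first one closes."""

    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1      # secret key share
        self.X = pow(G, self.x, P)                 # public key share
        self._session = None                       # (r_i, R_i) of the open session

    def round1(self) -> int:
        if self._session is not None:
            raise ConcurrentSessionError("a signing session is already open")
        r = secrets.randbelow(Q - 1) + 1
        R = pow(G, r, P)
        self._session = (r, R)
        return R

    def round2(self, R_agg: int, X_agg: int, m: int) -> int:
        r, _ = self._session
        c = H(R_agg, X_agg, m)
        self._session = None                       # session closed after s_i is released
        return (r + c * self.x) % Q


def aggregate(elements) -> int:
    """Multiply group elements (aggregate keys or nonces)."""
    out = 1
    for e in elements:
        out = out * e % P
    return out


def cosign(signers, message: bytes):
    """Run both rounds across all cosigners; returns (aggregate key, signature)."""
    m = msg_hash(message)
    X_agg = aggregate(s.X for s in signers)
    R_agg = aggregate(s.round1() for s in signers)          # round 1: nonces revealed
    s_agg = sum(s.round2(R_agg, X_agg, m) for s in signers) % Q   # round 2: responses
    return X_agg, (R_agg, s_agg)


def verify(X_agg: int, sig, message: bytes) -> bool:
    """Standard Schnorr check: g^s == R * X^c with c = H(R, X, m)."""
    R, s = sig
    c = H(R, X_agg, msg_hash(message))
    return pow(G, s, P) == R * pow(X_agg, c, P) % P


def can_open_second_session(signer: Signer) -> bool:
    """True if the signer would accept a parallel session (it must not)."""
    signer.round1()
    try:
        signer.round1()
        return True
    except ConcurrentSessionError:
        return False


if __name__ == "__main__":
    cosigners = [Signer() for _ in range(3)]               # constructed signing group
    X, sig = cosign(cosigners, b"release-v1.0.tar.gz")     # constructed message
    print("valid:", verify(X, sig, b"release-v1.0.tar.gz"))
    print("parallel session allowed:", can_open_second_session(Signer()))
```

The guard is the whole defensive content of the example: a signer that processes sessions strictly one at a time never exposes a set of nonce commitments that can be combined across sessions, which is the precondition the k-sum forgery relies on. It does nothing to address the fragility the message raises about making the more interactive variant work in a deployed system.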