IETF Logo Mail Archive

Re: [Cfrg] Proposal: Threshold cryptography for CFRG curves + UDF

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 06 January 2020 22:37 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92A1D1208F9 for <cfrg@ietfa.amsl.com>; Mon, 6 Jan 2020 14:37:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.417
X-Spam-Level:
X-Spam-Status: No, score=-1.417 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fw94tBsDcsby for <cfrg@ietfa.amsl.com>; Mon, 6 Jan 2020 14:37:51 -0800 (PST)
Received: from mail-ot1-f44.google.com (mail-ot1-f44.google.com [209.85.210.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 828591208E8 for <cfrg@irtf.org>; Mon, 6 Jan 2020 14:37:51 -0800 (PST)
Received: by mail-ot1-f44.google.com with SMTP id b18so51854284otp.0 for <cfrg@irtf.org>; Mon, 06 Jan 2020 14:37:51 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=6N04ZKf+VVHYkjXtYMQbNrrac0TEkKZ12dW+fv8D1KM=; b=J6Omgj1i6ZwRNJZnqTRXLSm2QFkuXtz7RrKjxPqXln/6fuWj8u2Y8rQ8JBQf7bgfGn BUSzR8FhZbWoTl+0axpwsrZxw9N44yI4B2Ylvsb1V6maFsegiHDNxScl0X3YR1cy3xM8 TzPiIhxCtV4z3HvTLQpLlDNoEDYvztT1v6iZ+oYmMtatyc9nzozHMc6OhFoHeCKY3O6k vumolqq7rQNcIG490uQrg/ODMK2I2tV8qertCUZTNft3DbsV97fGSVA1jHOCY0eG9+YX rYOyrPTUGD6fDrGGOP/X0khqmfJrdduo9eEyr41J204bvVuHHqhnAAoUKU4SAfPPOFYM KbEg==
X-Gm-Message-State: APjAAAXSByHzq1ntLR0YaO6RNtNpOjlROZ18inyr41+gwPc57iz24Bn5 +IcW59VXUzCx7nyEZNiYN6YsHfIa/SK98Gf0Yu2GcPt3XXM=
X-Google-Smtp-Source: APXvYqwOmPK7pnVCHMXWPf9ycwXVFNxRISIfe2131lUKjNsTio/jStdve1HFy/YQPR9VDWAs8vWXycJAm5u1rRAJFbU=
X-Received: by 2002:a9d:6758:: with SMTP id w24mr56329998otm.155.1578350270516; Mon, 06 Jan 2020 14:37:50 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+Lwj0WC7JUH-5=tM3styYLrCH9+fVjbSkx1zFWFG3JinsnQ@mail.gmail.com>
In-Reply-To: <CAMm+Lwj0WC7JUH-5=tM3styYLrCH9+fVjbSkx1zFWFG3JinsnQ@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 06 Jan 2020 17:37:40 -0500
Message-ID: <CAMm+Lwiv6ibYjErbi-DmwFHOV716L50b9WOFfdV+Y7phOVbJOg@mail.gmail.com>
To: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000349145059b804fb3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/UKmP6RA3JWlqYodr8I2ju_2PShg>
Subject: Re: [Cfrg] Proposal: Threshold cryptography for CFRG curves + UDF
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jan 2020 22:38:00 -0000

I managed to get the UDF draft through the HTML version of the Internet
Draft tools:

https://www.ietf.org/id/draft-hallambaker-mesh-udf-08.html

I am not proposing CFRG do the whole daft. Rather I would propose removing
all the URI and SIN naming components, the motivation sections, etc etc.

On Mon, Jan 6, 2020 at 12:42 AM Phillip Hallam-Baker <phill@hallambaker.com>
wrote:

> All,
>
> I have just submitted two new drafts:
>
> https://www.ietf.org/id/draft-hallambaker-threshold-00.html
> https://www.ietf.org/id/draft-hallambaker-threshold-sigs-00.html
>
> I wish to (in due course) propose these as CFRG work items together with
> the existing draft:
>
> https://mathmesh.com/Documents/draft-hallambaker-mesh-udf.html
>
> (should have a proper HTML version of above soon, stress test on the
> tools.)
>
> These are of course work that is motivated by my work on the Mathematical
> Mesh. And since the obvious question for the IESG to ask is whether CFRG
> has looked at the crypto, it probably makes sense to begin by discussing
> the crypto here.
>
> But more importantly, the Mesh is merely a vehicle to try to persuade the
> field to start using some post 1990s crypto. So it isn't a problem for me
> if the outcome is we end up putting threshold decryption into legacy CRM
> schemes rather than deploying my new one.
>
>
> The first draft describes the addition of three new capabilities to the
> X25519 / X448 / Ed25519 / Ed448 repertoire:
>
> 1) Threshold Decryption (n, n)
> 2) Threshold Key Generation
> 3) Side channel disclosure resistance
>
> The implementation of threshold signature is described in a separate
> draft. Two schemes are described for Ed25519/Ed448
>
> 1) Unanimous threshold i.e. (n, n)
> 2) Quorate threshold, i.e. (n, t)
>
> The third document describes the presentation of certain types of
> cryptographic material that it is necessary for people to interact with
> under certain circumstances. This began as a very tightly constrained piece
> of work to 'do digest fingerprints right'. It has since grown in response
> to requests and now has some capabilities that I think really need some
> CFRG input:
>
> 1) Deterministic functions for generating ECDH and RSA keys from a
> specified key via a KDF
> 2) Shamir secret sharing for escrow of encrypted keying material
> 3) Shamir secret sharing for escrow of seed used to generate key pairs
>
> As previously discussed on the list, the threshold signatures are not
> aggregate signatures. They are however compatible with the existing RFC7748
> and RFC8032 curves and algorithms and that is my overarching goal. I am
> aware of the BLS work but I don't see it as overlapping. There are numerous
> references and citations missing including to previous IETF/IRTF proposals.
> I am more than willing to share authorship. The key thing is to move the
> work ahead.
>
> Many thanks to all those who have helped on or off the list. Will be
> following up to ask folk who helped me offlist if they want their names
> mentioned in the acknowledgements. Also need to chase down the references
> to source.
>
> Security considerations are intentionally left blank as I think it better
> to start this only after the scope is understood or things get missed.
>
>
> Questions:
>
> 1) Should CFRG look at any/all of this work?
>
> 2) Is (n,k) quorum Threshold decryption worth adding?
>
> 3) UDF provides two escrow models at present, do we need to add in direct
> escrow of the private keys?
>
> 4) If threshold signature is worth doing, should there be one threshold
> spec for the  RFC7748 and RFC8032 curves or keep these as two?
>
> 5) I was planning to kill OID UDFs, they were originally added as a way to
> allow QR code transmission of private keys and then Michael Richardson gave
> me a better idea.
>
> I understand that UDF might be a little on the 'lite' side and not so
> suited to CFRG. But I would like people to take a look at the deterministic
> key gen because it solves a very important problem a lot of sysadmins face
> today: how to keep SSH keys in sync across machines. Some of the
> instructions given on the net on how to do this are pitiful.
>
> This technique is not as simple or easy to use as the Mesh of course, but
> it does support 'offline' and 'paper' pretty well.
>
>

v2.23.0 | Report a Bug | By Email