MIME-Version: 1.0
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com>
In-Reply-To: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Thu, 2 Jan 2020 14:57:42 -0500
Message-ID: <CAHOTMVK+XiKyGSW6mO3D_HK29jYE-YnxN-6f-fW_0jLLRuEUbQ@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000d20283059b2d9b61"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Uc9MS23fMuyaSJOfwO_LlH0bckw>
Subject: Re: [Cfrg] Threshold signatures
Precedence: list

--000000000000d20283059b2d9b61
Content-Type: text/plain; charset="UTF-8"

I'd be interested in comparing / contrasting your scheme to prior art with
running code, notably:

- KZen's Multiparty EdDSA, a straightforward application of distributed
threshold Schnorr to Ed25519:
https://github.com/KZen-networks/multi-party-eddsa
- CoSi, a Merkle-tree based approach for collective Ed25519 signing
targeting something more along the lines of a consensus protocol:
https://tools.ietf.org/id/draft-ford-cfrg-cosi-00.html

On Thu, Jan 2, 2020 at 2:28 PM Phillip Hallam-Baker <phill@hallambaker.com>
wrote:

> OK so with quite a bit of help, have got a prototype of threshold
> signatures going. There is a bit more to the draft than just the algorithm
> though as the way the scheme is presented and packaged has consequences.
>
> From the presentation side, I want to be able to argue that the threshold
> sig scheme has (almost) precisely the same security properties as the
> RFC8032 scheme. Which means that the core of the presentation must align as
> closely as possible with the RFC8032 scheme.
>
> There are some subtle design choices that don't impact security but may
> well have impact on specific use cases. The use cases I am currently
> considering are
>
> 1) HSM module: One or both parts of the signature key shares are located
> in a HSM providing resistance against extraction of the public key. This is
> an important use case as we want the operation of the HSM to be stateless.
> The signing algorithm requires multiple rounds, in the first round, the
> signer commits to a value R_i = r_i..B. In the second round, the value r_i
> is used. So it is kinda important to construct r_i in such fashion that the
> HSM can restore it from one round to the next even though it may have
> performed other operations in the meantime.
>
> Another issue that comes up with HSMs is auditability. The construction of
> r_i must be auditalble which means it must be deterministic.
>
> 2) Code signing: The code signing role is split across two or more signers
> and MAY permit a signature to be created by a quorum smaller than the total
> number of authorized signers (n, t). Signing quorums may prove particularly
> attractive for open source projects.
>
> I have introduced a new role, of coordinator for the party that manages
> the process.
>
> Are there additional use cases that should be considered. That is use
> cases that raise additional requirements. The need to sign blockchains is
> often raised but that doesn't seem to raise additional requirements over
> code signing.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>


-- 
Tony Arcieri

--000000000000d20283059b2d9b61
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">I&#39;d be interested in comparing / contrasting=C2=A0your=
 scheme to prior art with running code, notably:<div><br></div><div>- KZen&=
#39;s Multiparty EdDSA, a straightforward application of distributed thresh=
old Schnorr to Ed25519:=C2=A0<a href=3D"https://github.com/KZen-networks/mu=
lti-party-eddsa">https://github.com/KZen-networks/multi-party-eddsa</a></di=
v><div>- CoSi, a Merkle-tree based approach for collective Ed25519 signing =
targeting something more along the lines of a consensus protocol:=C2=A0<a h=
ref=3D"https://tools.ietf.org/id/draft-ford-cfrg-cosi-00.html">https://tool=
s.ietf.org/id/draft-ford-cfrg-cosi-00.html</a></div></div><br><div class=3D=
"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Jan 2, 2020 at =
2:28 PM Phillip Hallam-Baker &lt;<a href=3D"mailto:phill@hallambaker.com">p=
hill@hallambaker.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quo=
te" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204=
);padding-left:1ex"><div dir=3D"ltr"><div class=3D"gmail_default" style=3D"=
font-size:small">OK so with quite a bit of help, have got a prototype of th=
reshold signatures going. There is a bit more to the draft than just the al=
gorithm though as the way the scheme is presented and packaged has conseque=
nces.</div><div class=3D"gmail_default" style=3D"font-size:small"><br></div=
><div class=3D"gmail_default" style=3D"font-size:small">From the presentati=
on side, I want to be able to argue that the threshold sig scheme has (almo=
st) precisely the same security properties as the RFC8032 scheme. Which mea=
ns that the core of the presentation must align as closely as possible with=
 the RFC8032 scheme.</div><div class=3D"gmail_default" style=3D"font-size:s=
mall"><br></div><div class=3D"gmail_default" style=3D"font-size:small">Ther=
e are some subtle design choices that don&#39;t impact security but may wel=
l have=C2=A0impact on specific use cases. The use cases I am currently cons=
idering are</div><div class=3D"gmail_default" style=3D"font-size:small"><br=
></div><div class=3D"gmail_default" style=3D"font-size:small">1) HSM module=
: One or both parts of the signature key shares are located in a HSM provid=
ing resistance against extraction of the public key. This is an important u=
se case as we want the operation of the HSM to be stateless. The signing al=
gorithm requires multiple rounds, in the first round, the signer commits to=
 a value R_i =3D r_i..B. In the second round, the value r_i is used. So it =
is kinda important to construct r_i in such fashion that the HSM can restor=
e it from one round to the next even though it may have performed other ope=
rations in the meantime.</div><div class=3D"gmail_default" style=3D"font-si=
ze:small"><br></div><div class=3D"gmail_default" style=3D"font-size:small">=
Another issue that comes up with HSMs is auditability. The construction of =
r_i must be auditalble which means it must be deterministic.=C2=A0</div><di=
v class=3D"gmail_default" style=3D"font-size:small"><br></div><div class=3D=
"gmail_default" style=3D"font-size:small">2) Code signing: The code signing=
 role is split across two or more signers and MAY permit a signature=C2=A0t=
o be created by a quorum smaller than the total number of authorized signer=
s (n, t). Signing quorums may prove particularly attractive for open source=
 projects.</div><div class=3D"gmail_default" style=3D"font-size:small"><br>=
</div><div class=3D"gmail_default" style=3D"font-size:small">I have introdu=
ced a new role, of coordinator for the party that manages the process.</div=
><div class=3D"gmail_default" style=3D"font-size:small"><br></div><div clas=
s=3D"gmail_default" style=3D"font-size:small">Are there additional use case=
s that should be considered. That is use cases that raise additional requir=
ements. The need to sign blockchains is often raised but that doesn&#39;t s=
eem to raise additional requirements over code signing.=C2=A0</div><div cla=
ss=3D"gmail_default" style=3D"font-size:small"><br></div></div>
_______________________________________________<br>
Cfrg mailing list<br>
<a href=3D"mailto:Cfrg@irtf.org" target=3D"_blank">Cfrg@irtf.org</a><br>
<a href=3D"https://www.irtf.org/mailman/listinfo/cfrg" rel=3D"noreferrer" t=
arget=3D"_blank">https://www.irtf.org/mailman/listinfo/cfrg</a><br>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
 class=3D"gmail_signature">Tony Arcieri<br></div>

--000000000000d20283059b2d9b61--