IETF Logo Mail Archive

Re: [Cfrg] Recommendations Regarding Deterministic Signatures

Phillip Hallam-Baker <phill@hallambaker.com> Sat, 21 December 2019 22:37 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74A3D12008A for <cfrg@ietfa.amsl.com>; Sat, 21 Dec 2019 14:37:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.397
X-Spam-Level:
X-Spam-Status: No, score=-1.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j9Qy-HxWu3_h for <cfrg@ietfa.amsl.com>; Sat, 21 Dec 2019 14:37:37 -0800 (PST)
Received: from mail-ot1-f46.google.com (mail-ot1-f46.google.com [209.85.210.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DD1012007C for <cfrg@irtf.org>; Sat, 21 Dec 2019 14:37:37 -0800 (PST)
Received: by mail-ot1-f46.google.com with SMTP id h9so14285677otj.11 for <cfrg@irtf.org>; Sat, 21 Dec 2019 14:37:37 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xWf+ERNyBRSFohmveAAKP9Tcj8JFFusorWQvM3gP7e4=; b=NU/f6+jkYBn0d/Xb8eEX4QCbItaQ0TDCjSSReFdDvzVfyK+r7W+knawmkGtDxVIRFV +agNlv8V/cFMMLtb6IY6XMSWdubXXs/qWtrT3qRjhrOJ1y5mTxKgNlgDCmIsRKS/1LaZ WT4wbnnQzi3JLwnNTMNW5RVapYao2SDpth/nPZmOFs5gNXhw8k1ljdna1vawVog5PyFT NT3mIrMcA//5OaNdZqMLfR9AMvIIP25Gv3yNI6/qWFk4JUgGQEHZ19FGlQHh1FiFowtf EdV68aVaHmhRfm30XjhSNEVYIJU284Vs/Ibp+ZdeJGMnZ6dB5L6knqy84+fNFaYfmsRw HCxQ==
X-Gm-Message-State: APjAAAV/tQ7Onx/Qg0oxIqT+EyLja0dF+sAjwu+QmMdcrE4/ArnxGiEn bmQrJkYoBCMlOLzyawfm6QHh4K7VJK7KDC6lRew=
X-Google-Smtp-Source: APXvYqx35dmQtha12XhJQxLtlXZrR0lX5rhgOTDY80JVzAOUDjM44Z6x08yVrz3DKhyLALKgctoAtbH8+8OwUmNbeFw=
X-Received: by 2002:a05:6830:147:: with SMTP id j7mr23666391otp.44.1576967856323; Sat, 21 Dec 2019 14:37:36 -0800 (PST)
MIME-Version: 1.0
References: <08737FB3-C63E-453D-BF4E-45BD2A3ABB55@ericsson.com> <CAMm+LwhzejJSWqHUpisLuyuoqhQbum5qN-P09xeWdSN3A_-o_A@mail.gmail.com> <BN8PR11MB3666FB9FAC26C7C13DFE098BC12D0@BN8PR11MB3666.namprd11.prod.outlook.com>
In-Reply-To: <BN8PR11MB3666FB9FAC26C7C13DFE098BC12D0@BN8PR11MB3666.namprd11.prod.outlook.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Sat, 21 Dec 2019 17:37:26 -0500
Message-ID: <CAMm+Lwg8F+XvV3ZRR791w7TwT-M=R84u8+-LXV3a5NKwHEg1Tw@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Cc: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000e6009e059a3e709f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/VS1cTGvWbmDnvCStnG0H1c0L8rg>
Subject: Re: [Cfrg] Recommendations Regarding Deterministic Signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Dec 2019 22:37:38 -0000

OK, I think I understand it now. Will write it up.

On Fri, Dec 20, 2019 at 3:02 PM Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
wrote:

> As far as an RFC8032-compatible threshold signature scheme, it would
> appear to be fairly easy to do, as long as:
>
>
>
>    - You don’t mind not following the precise algorithm in RFC8032, but
>    want something that generates signatres that is computationally
>    indisguishable from RFC8032 signatures.
>    - You don’t mind it if the algorithm is nondetermanistic (that is,
>    signing the same message twice, with different subsets of signers, yields
>    different signatures).
>
>
>
> The public keys and the verification process are completely RFC8032.
>
>
>
> To be frank, this is simple enough that I would be rather surprised if it
> wasn’t already published.  However, if people are interested, I will write
> it up…
>
>
>
> *From:* Cfrg <cfrg-bounces@irtf.org> *On Behalf Of * Phillip Hallam-Baker
> *Sent:* Friday, December 20, 2019 1:09 PM
> *To:* John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
> *Cc:* cfrg@irtf.org; saag@ietf.org
> *Subject:* Re: [Cfrg] Recommendations Regarding Deterministic Signatures
>
>
>
> The objections to the deterministic signature approach raised in that NIST
> paper could be avoided by applying the Kocher blinding approach whose
> patent has recently expired as I point out in another message.
>
>
>
> However, there is also NIST interest in threshold cryptography and while
> {Ed/X}{25519/448} support threshold key generation and threshold decryption
> and threshold key agreement, RFC8032 does not appear to be viable as a good
> threshold signature scheme. (It is possible to do multi-signatures of
> course and I have a defective threshold scheme that might make sense in a
> TPM environment)
>
>
>
> I will be submitting an Internet Draft describing threshold key generation
> and threshold decryption by the end of the year (the code runs) and I
> should have a threshold key agreement draft shortly after. It would be
> really nice if we had a threshold signature scheme to complete the set (get
> that 20% matched set armor rating).
>
>
>
> In particular, I believe that we need a threshold signature scheme that is
> non-interactive. This is because I need to be able to explain the scheme to
> a layperson who does not understand the signature scheme. For example: The
> Alice+Bob aggregate signature is secure because it is constructed a
> signature contribution from Alice and a signature contribution from Bob,
> both of which are secure signatures in their own right and both of which
> have the same exact construction with respect to Alice and Bob's public key
> as the aggregate signature does to the aggregate key.
>
>
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email