Re: [CFRG] Threshold Sig required - Random bit flip hits Cert Transparency Log

Phillip Hallam-Baker <> Thu, 08 July 2021 16:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E2FD53A28B5 for <>; Thu, 8 Jul 2021 09:37:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.402
X-Spam-Status: No, score=-1.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PWmZEf7GL7Yh for <>; Thu, 8 Jul 2021 09:37:11 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 36A2D3A28B4 for <>; Thu, 8 Jul 2021 09:37:11 -0700 (PDT)
Received: by with SMTP id i18so9886465yba.13 for <>; Thu, 08 Jul 2021 09:37:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5lBWSciYxfyIFK5UBsJex4E408cWRCm1tdyLf7YluQw=; b=EJrd4oKJN1UrR7JCzrGSd4Y7YqcRkDK5s1qDLUpSJ6Fsc8HpVUmKdmnvD7dZowO+hS 1RoyI8PzVTC0Yk+TskA718yqVplPg+lYY7uoJiIwyISToYkgX9IbqhmocPAL+5u7w6mp B3catenliapdFMdoNtu9g+whxJTo830QMSO33fjfTqx5SDj0/9WqpWOsYKLLF7wYhgzD iuwM2lyCnCerXJKzDhcFvrkULfaanWIiqN+dWtVIklnXbShqTfyVM1VODo1vTZ/6w6ZA b3INE1wPjLh7qsNQV8hSP2H8PjJSfSvel2X8aNy8pdjjdlLWKN38/Zhm8FIKpDfMcqpz VFlQ==
X-Gm-Message-State: AOAM53144baR35MgjaXs4eZG7nsDep34v/f2iyKFmC4kPHkOwNbOnz45 apMuHSp7ysdQyDqpfV4KRGCZAYQ5fqWay/CGIIc=
X-Google-Smtp-Source: ABdhPJyvF+IQVpjB2ck6iIlvJ2CDBz7g/2fyuDTDaWpxeEv7rYPOVOBWSCtd1DmABucop8M1BRd3/qU8uPLWRzqqGJ8=
X-Received: by 2002:a25:f0b:: with SMTP id 11mr41395722ybp.518.1625762230248; Thu, 08 Jul 2021 09:37:10 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
From: Phillip Hallam-Baker <>
Date: Thu, 08 Jul 2021 12:36:59 -0400
Message-ID: <>
To: Tim Dierks <>
Content-Type: multipart/alternative; boundary="0000000000003928bb05c69f44c6"
Archived-At: <>
Subject: Re: [CFRG] Threshold Sig required - Random bit flip hits Cert Transparency Log
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 08 Jul 2021 16:37:16 -0000

On Thu, Jul 8, 2021 at 11:21 AM Tim Dierks <> wrote:

> On Thu, Jul 8, 2021 at 12:54 AM Phillip Hallam-Baker <
>> wrote:
>> If you have a single CPU, you will always have the possibility of an
>> error. Not all faults are transient. If the data was corrupted in
>> the cache, it is going to be corrupted both times it is hashed. And
>> optimizing compilers can screw you in really imaginative ways.
> We will always have errors, that's the reason we have to take care. But I
> believe that errors like this can be detected and prevented from being
> committed/released using relatively straightforward redundant checks as
> illustrated. If you can identify in the flow described where a bit error
> could occur without detection, I'd be interested to know; we're protecting
> a lot of data using similar designs. The failure of a reproducible log is
> one thing; I'm very interested in avoiding errors when wrapping keys that
> might lead to large quantities of data being unrecoverable if not detected
> prior to commit.

The potential for loss of static data is something that has been of
great concern to me throughout. Data at Rest is a much harder problem than
data in transit precisely because of the fact that loss of data is usually
more serious than disclosure.

Ransomware works because nobody can take new pictures of the kids.

When encrypting data to a threshold group that the encryptor is a member
of, I perform a trial decryption using the threshold shares. But that does
not work for cases where the encryptor is not permitted to decrypt.