IETF Logo Mail Archive

Re: [Cfrg] Threshold signatures

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 03 January 2020 21:19 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A85D120045 for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 13:19:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.14
X-Spam-Level:
X-Spam-Status: No, score=-1.14 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IM20c9Hj1fpJ for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 13:19:36 -0800 (PST)
Received: from mail-oi1-f175.google.com (mail-oi1-f175.google.com [209.85.167.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A370E120026 for <cfrg@irtf.org>; Fri, 3 Jan 2020 13:19:36 -0800 (PST)
Received: by mail-oi1-f175.google.com with SMTP id k4so15015419oik.2 for <cfrg@irtf.org>; Fri, 03 Jan 2020 13:19:36 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pmRib7Tytp73oFJJ2E+uI0SJ5sL8FUuu33MV3T3ftZ8=; b=AbUVFH31pKZgTkWz6rm6qsi6yMqXfVkWh+6sewVpzMcw2vSECQXDZdzZl4ha4p1T69 esthNWTn3nVfG8kRCFjE8PqxyVRwBIf0ezfBYEP9Hjm77tarMe+5XCcyEAhDPS0ZukOF EyFJwb1Uk9MYrvrXPjvYsrzFIaL9UpVT+OdL+tYGSzGlkuz8kiYXF2zOvjlZ46iVUM0F 7Yf+uRZX1ML0dBamrd+lVTqK9LwWNdAtKXvHa5vMY5yWH8HQE+C/fSK4aQySjbFM7ikP ge6sSW3NHCWCWuH30QuMakaN1WjlbmvZ3aRyuGw0qdNCpA3XOtf8suL11BZV7c4DO/DY RA1A==
X-Gm-Message-State: APjAAAVmVp7Pl2BDtvjVl9qUNgT39CghubnNr9ru4yYOLlnYaTpfnSFw hI3bmUt+agdxMePWPRtxwc6gE0iZ2hQDYbY8jN5irZvfckw=
X-Google-Smtp-Source: APXvYqwJRLJwTQrcOlJZEvmjgTwztbPK955O+brxVx1ItYMVBysu4e/JqnlDzSTmbzs6AuCrQw6jcbZKS8dtRAs17Rg=
X-Received: by 2002:aca:c30d:: with SMTP id t13mr4866942oif.166.1578086375868; Fri, 03 Jan 2020 13:19:35 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com> <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org> <CAOLP8p5Q=xswL7vkXVpSbVHUZ1dV+1wT3YdViq+1re1=fiSpRA@mail.gmail.com> <CAMm+LwiC5tBCd=fUo9e1tuQFVJ8C6hMXSxRZk2xff1238_9HRA@mail.gmail.com> <CAHOTMVKr_nqDXzAuX29ZN+6MW_vEvbadpEqELdO_RSnhNzr1Fw@mail.gmail.com> <0D2BAF97-6A23-4F74-9E20-F56E34ECDF10@gmail.com> <CAMm+LwgeE29OsrcbTzQqcM-aL2avT73k3k8krq9pcd5cmuukqA@mail.gmail.com> <5aaadff7-3752-e49c-a386-194da312e3cd@nthpermutation.com>
In-Reply-To: <5aaadff7-3752-e49c-a386-194da312e3cd@nthpermutation.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 03 Jan 2020 16:19:26 -0500
Message-ID: <CAMm+LwjtR1Xu+AKDwJ=C_Hd2pDW51AjTPrijUupwdtE2z+s-rA@mail.gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000dbd13a059b42ddab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/gi6yW7N53rH1Xuwvg98WU6qf_6k>
Subject: Re: [Cfrg] Threshold signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2020 21:19:38 -0000

On Fri, Jan 3, 2020 at 2:03 PM Michael StJohns <msj@nthpermutation.com>
wrote:

> A generic N of M threshold scheme involving HSMs is   (And I think this
> what Dan was suggesting sort of):
>
> 1) Generate M key pairs (one per signer), done individually say on smart
> cards
>
> 2) Generate live key pair K using the public keys from M and specify N as
> the threshold as parameters
>
> Yes, I will add this to the draft. It is kind of a middle ground between
multi-sigs and true threshold sigs.

And going to a DH based system gives us great flexibility because we can
obtain (n,t) quorums where the secret scalar is the thing that drops out.

So we have a continuum:

1) Multi Sigs,  Document is signed by Alice Bob and Carol

2) HSM activated by multiple key holders, Document is signed by the HSM,
Alice, Bob and Carol hold activation keys

3) Multi-round threshold signatures

4) Single round threshold signatures.


AFAICT, all of the EC* schemes based on Shamir require the private key to
> be reconstituted somewhere secure (e.g. an HSM).  I haven't found a scheme
> like Shoup's that's usable in threshold systems exactly.
>
I have running code. It certainly exists. Whether it is secure...

It is really easy to divide up S.B = R + kA into Ri = ri.B and Si = ri + ksi
.

What makes it hard is that the difficulty of constructing a value  S.B =
R + kA comes from the fact that k is strongly coupled to R by means of a
digest.

If we are allowed to pick any value of R we like, forgery is trivial. We
can just pick any value of S and then calculate R = kA - S.B

Which means that we have to know R before we can calculate Si It is
possible, but we need at least two rounds for the signature.

If we are going to allow users to 'bring their own key' then the last
person to join the club can take a look at all the other signer's public
keys and pick one. This is not a signature round (because we are only going
to do it once for a given aggregate key). But it does need to be considered.


In practice, this particular attack that has caused endless papers to be
written is pure piffle. Sure, mallet gets control of the master signature
key and that is a real concern in contexts like BitCoin where there is no
PKI. Lets think through how this attack works for a code signing scheme
like authenticode, right?

We form the aggregate public signature key A = A1 + A2 + … + An
But Mallet is signer n! He creates a public key {m.B, m} he sends in m.B -
(A1 + A2 + … + An-1)

Horrors! When the administrator calculates A = (A1 + A2 + … + An-1) m.B -
(A1 + A2 + … + An-1)
A = m.B

Yeah right, but the minute the administrator tries to apply for the code
signing certificate for A, the signature group is unable to sign the CSR.
So this key is never going to be the one that is used.

This is exactly like an attack on the Student Union elections that happened
when I was at Southampton. Someone stole the returning officer's stamp used
to validate the ballots between the elections. But it was the only stamp he
had so they had to make a new one which was entirely different.


Wading through the papers on why these schemes don't work is incredibly
tedious as the cryptographers don't seem to appreciate how crypto protocols
actually work in practice.

v2.23.0 | Report a Bug | By Email