Re: [Cfrg] Threshold signatures
Phillip Hallam-Baker <phill@hallambaker.com> Fri, 03 January 2020 21:19 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A85D120045 for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 13:19:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.14
X-Spam-Level:
X-Spam-Status: No, score=-1.14 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IM20c9Hj1fpJ for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 13:19:36 -0800 (PST)
Received: from mail-oi1-f175.google.com (mail-oi1-f175.google.com [209.85.167.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A370E120026 for <cfrg@irtf.org>; Fri, 3 Jan 2020 13:19:36 -0800 (PST)
Received: by mail-oi1-f175.google.com with SMTP id k4so15015419oik.2 for <cfrg@irtf.org>; Fri, 03 Jan 2020 13:19:36 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pmRib7Tytp73oFJJ2E+uI0SJ5sL8FUuu33MV3T3ftZ8=; b=AbUVFH31pKZgTkWz6rm6qsi6yMqXfVkWh+6sewVpzMcw2vSECQXDZdzZl4ha4p1T69 esthNWTn3nVfG8kRCFjE8PqxyVRwBIf0ezfBYEP9Hjm77tarMe+5XCcyEAhDPS0ZukOF EyFJwb1Uk9MYrvrXPjvYsrzFIaL9UpVT+OdL+tYGSzGlkuz8kiYXF2zOvjlZ46iVUM0F 7Yf+uRZX1ML0dBamrd+lVTqK9LwWNdAtKXvHa5vMY5yWH8HQE+C/fSK4aQySjbFM7ikP ge6sSW3NHCWCWuH30QuMakaN1WjlbmvZ3aRyuGw0qdNCpA3XOtf8suL11BZV7c4DO/DY RA1A==
X-Gm-Message-State: APjAAAVmVp7Pl2BDtvjVl9qUNgT39CghubnNr9ru4yYOLlnYaTpfnSFw hI3bmUt+agdxMePWPRtxwc6gE0iZ2hQDYbY8jN5irZvfckw=
X-Google-Smtp-Source: APXvYqwJRLJwTQrcOlJZEvmjgTwztbPK955O+brxVx1ItYMVBysu4e/JqnlDzSTmbzs6AuCrQw6jcbZKS8dtRAs17Rg=
X-Received: by 2002:aca:c30d:: with SMTP id t13mr4866942oif.166.1578086375868; Fri, 03 Jan 2020 13:19:35 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com> <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org> <CAOLP8p5Q=xswL7vkXVpSbVHUZ1dV+1wT3YdViq+1re1=fiSpRA@mail.gmail.com> <CAMm+LwiC5tBCd=fUo9e1tuQFVJ8C6hMXSxRZk2xff1238_9HRA@mail.gmail.com> <CAHOTMVKr_nqDXzAuX29ZN+6MW_vEvbadpEqELdO_RSnhNzr1Fw@mail.gmail.com> <0D2BAF97-6A23-4F74-9E20-F56E34ECDF10@gmail.com> <CAMm+LwgeE29OsrcbTzQqcM-aL2avT73k3k8krq9pcd5cmuukqA@mail.gmail.com> <5aaadff7-3752-e49c-a386-194da312e3cd@nthpermutation.com>
In-Reply-To: <5aaadff7-3752-e49c-a386-194da312e3cd@nthpermutation.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 03 Jan 2020 16:19:26 -0500
Message-ID: <CAMm+LwjtR1Xu+AKDwJ=C_Hd2pDW51AjTPrijUupwdtE2z+s-rA@mail.gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000dbd13a059b42ddab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/gi6yW7N53rH1Xuwvg98WU6qf_6k>
Subject: Re: [Cfrg] Threshold signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2020 21:19:38 -0000
On Fri, Jan 3, 2020 at 2:03 PM Michael StJohns <msj@nthpermutation.com> wrote: > A generic N of M threshold scheme involving HSMs is (And I think this > what Dan was suggesting sort of): > > 1) Generate M key pairs (one per signer), done individually say on smart > cards > > 2) Generate live key pair K using the public keys from M and specify N as > the threshold as parameters > > Yes, I will add this to the draft. It is kind of a middle ground between multi-sigs and true threshold sigs. And going to a DH based system gives us great flexibility because we can obtain (n,t) quorums where the secret scalar is the thing that drops out. So we have a continuum: 1) Multi Sigs, Document is signed by Alice Bob and Carol 2) HSM activated by multiple key holders, Document is signed by the HSM, Alice, Bob and Carol hold activation keys 3) Multi-round threshold signatures 4) Single round threshold signatures. AFAICT, all of the EC* schemes based on Shamir require the private key to > be reconstituted somewhere secure (e.g. an HSM). I haven't found a scheme > like Shoup's that's usable in threshold systems exactly. > I have running code. It certainly exists. Whether it is secure... It is really easy to divide up S.B = R + kA into Ri = ri.B and Si = ri + ksi . What makes it hard is that the difficulty of constructing a value S.B = R + kA comes from the fact that k is strongly coupled to R by means of a digest. If we are allowed to pick any value of R we like, forgery is trivial. We can just pick any value of S and then calculate R = kA - S.B Which means that we have to know R before we can calculate Si It is possible, but we need at least two rounds for the signature. If we are going to allow users to 'bring their own key' then the last person to join the club can take a look at all the other signer's public keys and pick one. This is not a signature round (because we are only going to do it once for a given aggregate key). But it does need to be considered. In practice, this particular attack that has caused endless papers to be written is pure piffle. Sure, mallet gets control of the master signature key and that is a real concern in contexts like BitCoin where there is no PKI. Lets think through how this attack works for a code signing scheme like authenticode, right? We form the aggregate public signature key A = A1 + A2 + … + An But Mallet is signer n! He creates a public key {m.B, m} he sends in m.B - (A1 + A2 + … + An-1) Horrors! When the administrator calculates A = (A1 + A2 + … + An-1) m.B - (A1 + A2 + … + An-1) A = m.B Yeah right, but the minute the administrator tries to apply for the code signing certificate for A, the signature group is unable to sign the CSR. So this key is never going to be the one that is used. This is exactly like an attack on the Student Union elections that happened when I was at Southampton. Someone stole the returning officer's stamp used to validate the ballots between the elections. But it was the only stamp he had so they had to make a new one which was entirely different. Wading through the papers on why these schemes don't work is incredibly tedious as the cryptographers don't seem to appreciate how crypto protocols actually work in practice.
- [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Jeff Burdges
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Bill Cox
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Scott Fluhrer (sfluhrer)
- Re: [Cfrg] Threshold signatures Bill Cox
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Tony Arcieri
- Re: [Cfrg] Threshold signatures Dan Wing
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Michael StJohns
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker
- Re: [Cfrg] Threshold signatures Phillip Hallam-Baker