Re: [Cfrg] Recommendations Regarding Deterministic Signatures

Tony Arcieri <> Fri, 20 December 2019 18:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B490412087E for <>; Fri, 20 Dec 2019 10:21:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zApltC6ME_Tm for <>; Fri, 20 Dec 2019 10:21:24 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F136412084D for <>; Fri, 20 Dec 2019 10:21:23 -0800 (PST)
Received: by with SMTP id 18so4396620oin.9 for <>; Fri, 20 Dec 2019 10:21:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iTXFdF8Dwfw03ev9enjwsrFqb81yy4d9IGoEuwH7kWk=; b=cUNyquHuTsmcVjkmpo5Wd4e5UAGzl9MiJfOKESYHXOTh0RmRyrSFiiVf8SQvJGQf7r 4n7cLPNNtjW9KFArMM7N+TtZpu/LERU661VgTEVfI+zDb1joEDXU+A4RjzfeWSW+PYiM qVMMilGwrXaQGMx8xTpx+2XxPxn9ZAfWwKG8dNKPb/jFrEoFDxV91zlPWUZTt25A/IK+ SUG/9q8ughEC8WIX81tst3wE+bZF75XNe/0BxUgPXUDythWJUxwAXGC/J/ybwA5jTdRX +QswGEk9sVyv6F/s3btxWCOXl/L1h7dVFNL4krXTZxY0uiDAK2bae9+EoB81HtsDVOjO QhFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iTXFdF8Dwfw03ev9enjwsrFqb81yy4d9IGoEuwH7kWk=; b=obdeLIKy5I6gW/ND3Sd0z4c+A+awg+TNeH1qAawXsU4RoVi/KamdyS647De+82L785 VejSoNKDVm/9MExfUsl8w2CiGzfHRFWS3lqfF2zZ6JKFoZMpvo8RxFZAoMq50eTsA5+r N4mQLPMgyYG0bfiEJVtvcRd8HGHjRtMfKH2LEZt7Jknrtfvy9mag7fYNHsRjsaOXx+7a FPfRSR9yI9Ckqceht4itjHmmP5Jo/5STpLbNijXw1ZMXItGq+mI/QpP1ZDnkIscw+qki 5HlmdhWPGzW3V7SMZP4lfxjfWImUul2dz67LDZfvXWu/ys28etMPpS8O2MrGhtZWY9P7 oGug==
X-Gm-Message-State: APjAAAWFFKOxay+zAUkBkwLKn2mo3NTvx2UdadmOG/uBLPD33M1/DBgR WLCAvAnZ3ZDlEiDJ3lFU/Y7aTj8qfuRFi1BOb4A=
X-Google-Smtp-Source: APXvYqyrQviT/Af+WbgqN5FOYs6ibXRBzNwymuMQL6pQmeH4KNzrUk8pBTjg/4Z/8QMQAlJrAkX6yiovqoUeH5ZJWoQ=
X-Received: by 2002:aca:1302:: with SMTP id e2mr4682390oii.26.1576866083131; Fri, 20 Dec 2019 10:21:23 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Tony Arcieri <>
Date: Fri, 20 Dec 2019 10:21:12 -0800
Message-ID: <>
To: Phillip Hallam-Baker <>
Cc: John Mattsson <>, "" <>, "" <>
Content-Type: multipart/alternative; boundary="000000000000be55f9059a26bee7"
Archived-At: <>
Subject: Re: [Cfrg] Recommendations Regarding Deterministic Signatures
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 20 Dec 2019 18:21:27 -0000

On Fri, Dec 20, 2019 at 10:09 AM Phillip Hallam-Baker <>

> In particular, I believe that we need a threshold signature scheme that is
> non-interactive. This is because I need to be able to explain the scheme to
> a layperson who does not understand the signature scheme. For example: The
> Alice+Bob aggregate signature is secure because it is constructed a
> signature contribution from Alice and a signature contribution from Bob,
> both of which are secure signatures in their own right and both of which
> have the same exact construction with respect to Alice and Bob's public key
> as the aggregate signature does to the aggregate key.

There's already draft-irtf-cfrg-bls-signature work which supports
offline/non-interactive aggregation. BLS trivially supports threshold
signatures (although I don't see much mention of that in that draft).

Aside from a pairings-based scheme like BLS, I don't believe it's possible
to support offline/non-interactive aggregation using (EC)DLP security
alone, but I could be mistaken.

Tony Arcieri