MIME-Version: 1.0
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com>
 <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org>
 <CAOLP8p5Q=xswL7vkXVpSbVHUZ1dV+1wT3YdViq+1re1=fiSpRA@mail.gmail.com>
 <CAMm+LwiC5tBCd=fUo9e1tuQFVJ8C6hMXSxRZk2xff1238_9HRA@mail.gmail.com>
 <CAHOTMVKr_nqDXzAuX29ZN+6MW_vEvbadpEqELdO_RSnhNzr1Fw@mail.gmail.com>
 <0D2BAF97-6A23-4F74-9E20-F56E34ECDF10@gmail.com>
 <CAMm+LwgeE29OsrcbTzQqcM-aL2avT73k3k8krq9pcd5cmuukqA@mail.gmail.com>
 <5aaadff7-3752-e49c-a386-194da312e3cd@nthpermutation.com>
 <CAMm+LwjtR1Xu+AKDwJ=C_Hd2pDW51AjTPrijUupwdtE2z+s-rA@mail.gmail.com>
In-Reply-To: <CAMm+LwjtR1Xu+AKDwJ=C_Hd2pDW51AjTPrijUupwdtE2z+s-rA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 3 Jan 2020 18:01:11 -0500
Message-ID: <CAMm+Lwg+=Zv-iXL4MZ4O-xviWwVDLsM5JD4iC2WsajRDotr-0A@mail.gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000ba8eb3059b44498e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nQsuLKsf-jvlhTdvXx25KnaPaZs>
Subject: Re: [Cfrg] Threshold signatures
Precedence: list

--000000000000ba8eb3059b44498e
Content-Type: text/plain; charset="UTF-8"

OK so current state of play:

Multi-signatures are simple to create. But think about what it really takes
to verify them. We are going to have to specify a signature validation
policy which is of course a subset of the security policy problem.

I and many others are more than willing to do security policy. But there
are folk who reach for a hammer and some oak stakes.


The difference between the use cases I am considering and those that result
from the Bitcoin use cases is that they are operating under a particular
set of constraints and I am not.

Specifically, their concern is that they would like Alice Bob and Carol
with public keys A, B, C to be able to create ad-hoc compound signatures
that can be validated in a single operation under a public key f(A, B, C)
where f is a function that can be calculated by any observer.

My concern is that Alice Bob and Carol each have the ability to control the
creation of a signature under an aggregate signature key Z but do not have
the ability to create a signature without the necessary quorum of signers.
I do not require that the key Z bear any correspondence to A, B or C at all.


Boneh and co are calling the  f(A, B, C) signature an aggregate signature
and consider it as being distinct from threshold signatures. I believe that
is the correct approach and that we should adopt that nomenclature.

https://crypto.stanford.edu/~dabo/pubs/papers/aggreg.pdf

I am not surprised aggregate signatures require pairing for security. Is it
really likely that f(A, B, C) = A + B + C is going to give us the type of
security guarantee we are looking for?

--000000000000ba8eb3059b44498e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"font-size:small">OK =
so current state of play:</div><div class=3D"gmail_default" style=3D"font-s=
ize:small"><br></div><div class=3D"gmail_default" style=3D"font-size:small"=
>Multi-signatures are simple to create. But think about what it really take=
s to verify them. We are going to have to specify a signature validation po=
licy which is of course a subset of the security policy problem.</div><div =
class=3D"gmail_default" style=3D"font-size:small"><br></div><div class=3D"g=
mail_default" style=3D"font-size:small">I and many others are more than wil=
ling to do security policy. But there are folk who reach for a hammer and s=
ome oak stakes.</div><div class=3D"gmail_default" style=3D"font-size:small"=
><br></div><div class=3D"gmail_default" style=3D"font-size:small"><br></div=
><div class=3D"gmail_default" style=3D"font-size:small">The difference betw=
een the use cases I am considering and those that result from the Bitcoin u=
se cases is that they are operating under a particular set of constraints a=
nd I am not.=C2=A0</div><div class=3D"gmail_default" style=3D"font-size:sma=
ll"><br></div><div class=3D"gmail_default" style=3D"font-size:small">Specif=
ically, their concern is that they would like Alice Bob and Carol with publ=
ic keys A, B, C to be able to create ad-hoc compound signatures that can be=
 validated in a single operation under a public key f(A, B, C) where f is a=
 function that can be calculated by any observer.</div><div class=3D"gmail_=
default" style=3D"font-size:small"><br></div><div class=3D"gmail_default" s=
tyle=3D"font-size:small">My concern is that Alice Bob and Carol each have t=
he ability to control the creation of a signature under an aggregate signat=
ure key Z but do not have the ability to create a signature without the nec=
essary quorum of signers. I do not require that the key Z bear any correspo=
ndence to A, B or C at all.</div><div class=3D"gmail_default" style=3D"font=
-size:small"><br></div><div class=3D"gmail_default" style=3D"font-size:smal=
l"><br></div><div class=3D"gmail_default" style=3D"font-size:small">Boneh a=
nd co are calling the=C2=A0

f(A, B, C) signature an aggregate signature and consider it as being distin=
ct from threshold signatures. I believe that is the correct approach and th=
at we should adopt that nomenclature.</div><div class=3D"gmail_default" sty=
le=3D"font-size:small"><br></div><div class=3D"gmail_default" style=3D"font=
-size:small"><a href=3D"https://crypto.stanford.edu/~dabo/pubs/papers/aggre=
g.pdf">https://crypto.stanford.edu/~dabo/pubs/papers/aggreg.pdf</a>=C2=A0=
=C2=A0<br></div><div class=3D"gmail_default" style=3D"font-size:small"><br>=
</div><div class=3D"gmail_default" style=3D"font-size:small">I am not surpr=
ised aggregate signatures require pairing for security. Is it really likely=
 that f(A, B, C) =3D A=C2=A0+ B=C2=A0+ C is going to give us the type of se=
curity guarantee we are looking for?=C2=A0</div></div>

--000000000000ba8eb3059b44498e--