IETF Logo Mail Archive

Re: [Cfrg] Threshold signatures

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 03 January 2020 17:08 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53AF512008F for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 09:08:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.397
X-Spam-Level:
X-Spam-Status: No, score=-1.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mL8sDze-SY2A for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 09:08:49 -0800 (PST)
Received: from mail-ot1-f47.google.com (mail-ot1-f47.google.com [209.85.210.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35E071200DE for <cfrg@irtf.org>; Fri, 3 Jan 2020 09:08:49 -0800 (PST)
Received: by mail-ot1-f47.google.com with SMTP id p8so25468332oth.10 for <cfrg@irtf.org>; Fri, 03 Jan 2020 09:08:49 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=to+dPIPf/f95JpnXTX75AOXRiBASE6umhGfuAjEaeBw=; b=GnP9iB3wFFUrtY18oiXCzmlC7qmxhWXZssDmUCS9uXLPRV27uK68hTrE501AJ3mulV 5ehS2PdEOjIj4HkzP9IXoQmKPV0i8IBbuHtqKXrMn5hZ2ZZZFc6KfLo+F4kyuznkwzxm dhOuqkexaWma2X+gib230iO8qHpclhKxJMO/gvzQ5vySq3St4tIC0sZwUKhOmSilEG7A qJMSuGWpiw7Q5z25dpq3q5XsNK1F4EW3g3WuI9gPG7sDFY/KxdOPC5NrHG11yW5jh+IE 9BDMlxiIIu3MjswpeLQnWDQFWcQUW/YUidML4e3CzgAP1F5FntNX9s/HuWk8xzStt8iK 4aDw==
X-Gm-Message-State: APjAAAWMa+hAZmzv0k1xELlgFZerYKR4llTWgq6lk20oiYVblhJagRQU cHJcIRtqaG6zd9l3KrJY7/XtZrg+sowx07vODUU=
X-Google-Smtp-Source: APXvYqwvLN1uad19N09WnexOZrqt92qaV7giDHTUxuBSyRh0eNkSMS2pkXnlxUBG26VqE45uLn/X7QR4fZPufk27BX8=
X-Received: by 2002:a05:6830:1481:: with SMTP id s1mr82697328otq.66.1578071328448; Fri, 03 Jan 2020 09:08:48 -0800 (PST)
MIME-Version: 1.0
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com> <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org> <CAOLP8p5Q=xswL7vkXVpSbVHUZ1dV+1wT3YdViq+1re1=fiSpRA@mail.gmail.com> <CAMm+LwiC5tBCd=fUo9e1tuQFVJ8C6hMXSxRZk2xff1238_9HRA@mail.gmail.com> <CAHOTMVKr_nqDXzAuX29ZN+6MW_vEvbadpEqELdO_RSnhNzr1Fw@mail.gmail.com>
In-Reply-To: <CAHOTMVKr_nqDXzAuX29ZN+6MW_vEvbadpEqELdO_RSnhNzr1Fw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 03 Jan 2020 12:08:39 -0500
Message-ID: <CAMm+Lwi2McsbferSyRC4K4gQAc-p4_hB4kcd5gyertc7JPWNcg@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Cc: Bill Cox <waywardgeek@gmail.com>, IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000f66693059b3f5c94"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nqASMQ5cbdOtOz75ovJo1sIWzeY>
Subject: Re: [Cfrg] Threshold signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2020 17:08:50 -0000

On Fri, Jan 3, 2020 at 11:42 AM Tony Arcieri <bascule@gmail.com> wrote:

> On Fri, Jan 3, 2020 at 10:04 AM Phillip Hallam-Baker <
> phill@hallambaker.com> wrote:
>
>> At this point, I think we need to focus on making X25519/448 and
>> Ed25519/448 the basis for the next gen of security products. It took about
>> five years from AES being announced as a winner for it to become the new
>> normal.
>>
>
> Given your stated goals of a multisignature which can work for both
> developers and things like HSMs and cloud KMS services, and code signing
> systems only supporting a single signature as opposed to threshold
> signature sets, I think it's worth questioning whether Ed25519 signatures
> are the right tool for the job.
>
> I think draft-boneh-bls-signature might be a better fit as it supports
> offline aggregation. This means HSMs/KMS systems do not need to participate
> in an interactive protocol to produce a signature. It also facilitates
> offline/"airgapped" codesigning (using e.g. hardware tokens).
>

They may well be more convenient if the number of signers is greater than
two. For the case where n=2 and the coordinator is one of the parties,
Ed25519 is fine.

BLS requires protocol designers like myself to get comfortable with an
entirely new mathematical construct. That is a much bigger ask than you
seem to think.

Rather than seeing threshold variants of Ed25519 as competing with BLS, you
should consider the possibility that acceptance and use of Threshold
Ed25519 is likely to be a necessary pre-condition to considering BLS type
signatures at all.



> An interactive signing protocol where all of the participants must be able
> to reach a central online "broker" in order to produce a multisignature
> (and also all be online at the same time) is an onerous requirement, as
> opposed to one where each system can produce a signature and they can be
> retroactively aggregated.
>

If a device isn't online, it is not communicating. If it is not
communicating it is hardly going to need a threshold signature scheme
capable of supporting a huge value of n.

People are always positing central control as a potential source of
unreliability which is rather odd as in my experience, peer-peer systems
are vastly more fragile in practice.

v2.23.0 | Report a Bug | By Email