Re: [Cfrg] Threshold cryptography on CFRG curves

Phillip Hallam-Baker <phill@hallambaker.com> Sat, 28 December 2019 02:11 UTC

References: <CAMm+Lwjagk4eObv283hTH0WCaYYfCAv6bWdFDPYCtNZwZqLT-Q@mail.gmail.com> <CAOLP8p4MES_c4qiJxJ8TXhCFZ+pUv=fsO3k2C86C-njM5Strjw@mail.gmail.com>
In-Reply-To: <CAOLP8p4MES_c4qiJxJ8TXhCFZ+pUv=fsO3k2C86C-njM5Strjw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 27 Dec 2019 21:11:17 -0500
Message-ID: <CAMm+LwgUj6+V3Dj4TZTmOEEHCA0+p__GHhDipNF4a6eMW4Z82w@mail.gmail.com>
To: Bill Cox <waywardgeek@gmail.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/prLdOdXOFaC9Ug_Z9EcMH8APhds>
Subject: Re: [Cfrg] Threshold cryptography on CFRG curves

On Fri, Dec 27, 2019 at 2:37 PM Bill Cox <waywardgeek@gmail.com> wrote:

> On Tue, Dec 17, 2019 at 8:55 AM Phillip Hallam-Baker <
> phill@hallambaker.com> wrote:
>
>>
>> I can split the signature between Alice and Bob so that both of them have
>> to co-operate to sign. But whoever assembles the contributions can extract
>> the private key (!). Which isn't going to work if we want Alice and Bob to
>> split up the signature duties.
>>
>
> I think this is a limitation of Ed25519 and similar signature schemes.
> There are CCA-secure threshold signature schemes over the same curves that
> do not require reconstruction of the shared secret.  Does it have to be
> Ed25519/x25519?
>

I think we are OK. It is not possible to comply with the Ed25519 MUSTs, but
it is possible to securely construct a threshold signature that is
indistinguishable from an Ed25519 sig.

This would be very useful in code signing applications.

I have a draft that describes basic threshold operations almost ready for
submission. Just needs some checking and working on the encoding format. I
will write a companion draft on signatures.

Unfortunately, the approach I was hoping might work for threshold key
agreement is a bust :-( I have a different proposal though.
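As an added example for the 2-of-2 case the thread discusses (code written for this page, not from Phillip's draft, RFC 8032 or any CFRG document): Alice and Bob hold additive shares of an Ed25519 secret scalar, each publishes a random nonce commitment R_i and returns a partial s_i, and the combined (R, s) satisfies the ordinary Ed25519 verification equation although neither party nor the combiner ever holds the whole scalar. The random per-party nonce in round1 is the step that cannot meet RFC 8032's deterministic-nonce MUST; the helper names (split_key, round1, round2, threshold_sign, verify) are mine, and the affine point arithmetic is a toy rather than a constant-time implementation.

```python
import hashlib
import secrets

# Ed25519 parameters from RFC 8032 section 5.1 (toy affine arithmetic, not constant-time)
p, L = 2**255 - 19, 2**252 + 27742317777372353535851937790883648493
d = (-121665 * pow(121666, p - 2, p)) % p
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)

def add(P, Q):  # complete twisted-Edwards addition (a = -1), affine coordinates
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    inv = pow((1 + t) * (1 - t), p - 2, p)  # one inversion serves both denominators
    return ((x1 * y2 + x2 * y1) * (1 - t) * inv % p, (y1 * y2 + x1 * x2) * (1 + t) * inv % p)

def mul(k, P):  # double-and-add; (0, 1) is the neutral element
    R = (0, 1)
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def encode(P):  # RFC 8032 compression: little-endian y, parity of x in the top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
def challenge(R, A, msg):  # k = SHA-512(R || A || M) mod L, as any Ed25519 verifier computes it
    return int.from_bytes(hashlib.sha512(encode(R) + encode(A) + msg).digest(), "little") % L

def split_key(a):  # 2-of-2 additive sharing: a = a1 + a2 (mod L); nobody keeps a itself
    a1 = secrets.randbelow(L)
    return a1, (a - a1) % L
def round1():
    # Fresh random nonce share; only the commitment R_i is published. This is the step that
    # cannot satisfy RFC 8032: its nonce SHA-512(prefix || M) needs the whole seed, which no party holds.
    r = secrets.randbelow(L)
    return r, mul(r, B)

def round2(a_i, r_i, R, A, msg):
    # Partial s_i = r_i + k*a_i; r_i stays with the party, so the combiner learns nothing about a_i.
    return (r_i + challenge(R, A, msg) * a_i) % L

def threshold_sign(a1, a2, A, msg):
    r1, R1 = round1()
    r2, R2 = round1()
    R = add(R1, R2)  # combiner sums the commitments, then the partials
    s = (round2(a1, r1, R, A, msg) + round2(a2, r2, R, A, msg)) % L
    return R, s, encode(R) + s.to_bytes(32, "little")  # 64-byte wire form, standard layout

def verify(A, msg, R, s):  # ordinary Ed25519 equation s*B == R + k*A (R passed as a point here)
    return 0 <= s < L and mul(s, B) == add(R, mul(challenge(R, A, msg), A))
```

A real verifier decodes R from the first 32 bytes of the wire form; the point form is passed here only to keep the decompression routine out of the example.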