IETF Logo Mail Archive

Re: [Cfrg] Recommendations Regarding Deterministic Signatures

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 20 December 2019 21:19 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD23E1208C5 for <cfrg@ietfa.amsl.com>; Fri, 20 Dec 2019 13:19:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.396
X-Spam-Level:
X-Spam-Status: No, score=-1.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H6M8FmK2raMK for <cfrg@ietfa.amsl.com>; Fri, 20 Dec 2019 13:19:19 -0800 (PST)
Received: from mail-ot1-f44.google.com (mail-ot1-f44.google.com [209.85.210.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D93E1208A4 for <cfrg@irtf.org>; Fri, 20 Dec 2019 13:19:19 -0800 (PST)
Received: by mail-ot1-f44.google.com with SMTP id r27so13469025otc.8 for <cfrg@irtf.org>; Fri, 20 Dec 2019 13:19:19 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BBW2sdtjS/rSRhc+9stu9kHDYBttydtTsrw7QuRksJo=; b=HJFt47PzJfj9H3NQZOaYSk9L4XJoqmxpknZd13HEKNBR2WO36h6OaPk6cshUtECbA6 zsGAiW0+4FbzfyoDreogHCb84wmgRM1FAHYpxOJVifEcUnT4vp/4RpnZ9AgWnhArC3Ua ouDxME2TxbhSG9iwOceCEC6dZ+ULW3n63q8ouFZqShuO/Taa1ZNPoMkz6bg1NyANkED5 Vqm2xBXSF92rZR7bACBso4Qu48bweZsPYznQYhyYb+TeDcW6Bv/639TanfquTEhD1KKg +s04lBaC205csGBEhO2/U4PJDvFKmoqsrmiP40dW0KH8qR/BtewTPYhfMsg7k7Sv7v52 CJ5w==
X-Gm-Message-State: APjAAAUIBacXR4wKlXomtFxcH6IsQdMO5co9pjj4uMJNGYy6lHY3OZDG IubSO64zUB3/BP1PKlmv+RiN7Fg5SONs1G8t0MI=
X-Google-Smtp-Source: APXvYqw7+F5Md62b1edIBYzZTXFJMjcSgZNe8hWQCZJ8iy94lxdfwgMUwX2eS2vrZ5zSgW02Ka+hxNugnkwOZVGd3tg=
X-Received: by 2002:a05:6830:50:: with SMTP id d16mr18192936otp.155.1576876758912; Fri, 20 Dec 2019 13:19:18 -0800 (PST)
MIME-Version: 1.0
References: <08737FB3-C63E-453D-BF4E-45BD2A3ABB55@ericsson.com> <CAMm+LwhzejJSWqHUpisLuyuoqhQbum5qN-P09xeWdSN3A_-o_A@mail.gmail.com> <BN8PR11MB3666FB9FAC26C7C13DFE098BC12D0@BN8PR11MB3666.namprd11.prod.outlook.com>
In-Reply-To: <BN8PR11MB3666FB9FAC26C7C13DFE098BC12D0@BN8PR11MB3666.namprd11.prod.outlook.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 20 Dec 2019 16:19:07 -0500
Message-ID: <CAMm+Lwjx+CGNE4MdxwpqAM_rKE=Ydjj4bZuTVKBGNjQWOEr81A@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Cc: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000011d28d059a293b2c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/spJVMZu8BzA7-kfVkE-Z9UAAnj4>
Subject: Re: [Cfrg] Recommendations Regarding Deterministic Signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Dec 2019 21:19:21 -0000

On Fri, Dec 20, 2019 at 3:02 PM Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
wrote:

> As far as an RFC8032-compatible threshold signature scheme, it would
> appear to be fairly easy to do, as long as:
>
>
>
>    - You don’t mind not following the precise algorithm in RFC8032, but
>    want something that generates signatres that is computationally
>    indisguishable from RFC8032 signatures.
>    - You don’t mind it if the algorithm is nondetermanistic (that is,
>    signing the same message twice, with different subsets of signers, yields
>    different signatures).
>
>
>
> The public keys and the verification process are completely RFC8032.
>
>
>
> To be frank, this is simple enough that I would be rather surprised if it
> wasn’t already published.  However, if people are interested, I will write
> it up…
>

I certainly think it would be of interest. I am not at all bothered about
strict conformance with RFC8032. If the aggregate signature will verify
correctly with legacy code, that is good enough. We would probably want to
introduce new algorithm identifiers. But we might well want to have a
nondeterministic variant of RFC8032 in any case.

The big concern that I would have is the risk that the aggregate sig
contributions might end up disclosing one of the private keys or providing
sufficient information to allow a forgery of an RFC8032 or other sig.

And then the second order concern is how to convince folk who are not deep
in crypto that the scheme is not going to break something.

v2.23.0 | Report a Bug | By Email