Re: [Cfrg] Adoption of threshold drafts by RG
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 30 September 2020 16:50 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1DF73A0BC2 for <cfrg@ietfa.amsl.com>; Wed, 30 Sep 2020 09:50:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.645
X-Spam-Level:
X-Spam-Status: No, score=-1.645 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Px6YqAhoXtp for <cfrg@ietfa.amsl.com>; Wed, 30 Sep 2020 09:50:34 -0700 (PDT)
Received: from mail-ot1-f52.google.com (mail-ot1-f52.google.com [209.85.210.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBF283A0B95 for <cfrg@irtf.org>; Wed, 30 Sep 2020 09:50:34 -0700 (PDT)
Received: by mail-ot1-f52.google.com with SMTP id m13so2469698otl.9 for <cfrg@irtf.org>; Wed, 30 Sep 2020 09:50:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=b+Fckt+LCpNhZP/RcZu/nyu06aMRfpybD4TQNwviCmQ=; b=Q2DzjMkAKqdurnXvLSC6sUyeo2EI9nhvH/lBop9wF+MXtZcfJzEUoC5BKIuHfEQhwd 9p5KLjBSbPsJdmAoaVXySJxzVv7GPHPqflucfALosYwb7vadLiLvmKWzGM7P5eDLMwYV IU1oaLlOKX10U//6gUiOquzMP3q7dI/TkSpKkovHqQIXs81FNeGL9na/Hz6UzVcaf3CU KRbog5nqGwZ3t20IdjfGCf5BjiITQBdOC/zTzToF+LOB80eQ5lWkF5FqMG4hHsa8Dom4 aod4yyRNqFTldSWfJ3IecX8n3YQJAfkYzH5neoup2JvYsfNJnSnYP4kqHDugTT7jAySV V6Kg==
X-Gm-Message-State: AOAM532hhdJTmGQU2RC7R6tMcpvefoEbtxOhD8dQ7y7RjBay/BopWpPl SMVFQuiJjg+zgbbo/HJlKyqpkkaRAJdRU29bhBU=
X-Google-Smtp-Source: ABdhPJyUea84DPGVL0tUfo12z/HmO9SngE7FO0QMEFP0Y2eYfJMZ+wIp03ljBh7lkglfdIQgmfEe2iNmDajlpJTl/vQ=
X-Received: by 2002:a05:6830:168f:: with SMTP id k15mr2038180otr.64.1601484633897; Wed, 30 Sep 2020 09:50:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+Lwj8z0i56G7iTh-z7fZM5z5=B7-x63rVJjuWT7mC1x6x3w@mail.gmail.com> <CACsn0c=9SwWsJ=D_gAStP+gnbfmZkTEokESa0wunpBxaJPvn3g@mail.gmail.com> <CAMm+LwgZ_o28FaUHJ2JdivarT7a3vUdBTRDKa4YLajF93Gn3ag@mail.gmail.com> <76cfa2f5d3c04193aa28d153ce7d4958@uwaterloo.ca>
In-Reply-To: <76cfa2f5d3c04193aa28d153ce7d4958@uwaterloo.ca>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 30 Sep 2020 12:50:22 -0400
Message-ID: <CAMm+LwgvvocnXX5yg9=KubYT7HG-07uG7BU+rskjP51BLBLWgw@mail.gmail.com>
To: Chelsea Komlo <ckomlo@uwaterloo.ca>
Cc: IRTF CFRG <cfrg@irtf.org>, Ian Goldberg <iang@uwaterloo.ca>, Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000b77f7805b08ab257"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vFeiP7pf87WuSbhzxInPcAA8m80>
Subject: Re: [Cfrg] Adoption of threshold drafts by RG
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2020 16:50:37 -0000
I think this is starting to get into discussion of the drafts rather than the decision for the WG to move forward on the work. Which I would also like to see happen. I am indifferent as to whose draft is used as the basis for the signature part. My goal is to get a scheme I can use. As far as the use cases go, I am starting to see the basis for the Drijvers attack. Your use of the term 'concurrency' is a little confusing to me. I am a protocol guy, not a cryptographer. What is the information that you are assuming is shared between a set of 'concurrent' signatures? However I am not convinced that an HSM can perform the attack from the information made available to it. When implemented as a CPU co-processor, the HSM will only ever see the R contribution value from the other party and the message. The HSM never sees the final signature or the other contributions, nor does it get to choose the message. This is not the case for a threshold signature service however. That will see the final signature. For the CPU co-processor case, offering less than FIPS-140 level security might well be acceptable. The key concern is preventing leakage of the co-processor key. The possibility that a malicious co-processor could perform an active attack on the application key is less of a concern. It is hard to see how that sort of thing can be easily hidden in the microcode. >From my point of view, the critical thing for a threshold signature service is to enable a single request/response pattern to service a single API call to 'sign'. But I can offload a pre-commitment phase as is being done in FROST. To be more specific about my particular use case. Alice (@alice) creates a Mesh profile which she will initially use with the service example.com and later with example.net (but only one at a time). Connecting a device to her Mesh requires the creation of a Mesh Activation record and connection record for the device. These must be signed under an administrator key declared in the User profile. Alice may connect multiple administrator devices to her Mesh. She is also likely to lose one of them at some point. So the ability to split the threshold signature across the administrator device and a threshold service is really desirable but neither essential nor is it currently implemented. The quorum criteria here is going to be that Alice must use an administrator device and one of the services. The services must not be able to collude and create a signature on their own. This is achieved by first splitting the private key into two parts, giving one of them to the device and performing a Shamir secret share n=3, t=2 on the other. If use of threshold signatures is limited to the specific task of device connection, the service can compute a pre-commitment every time it receives a device connection request. But it would be nice if this could be made more general. On Tue, Sep 29, 2020 at 4:21 PM Chelsea Komlo <ckomlo@uwaterloo.ca> wrote: > Hi Phillip, > > > Here is a summary of how the Drivers attack [1] can be performed, and the > implications for schemes that are insecure. > > > Let the threshold be t=2, and assume one signer is malicious. Let the > number of victim's commitments that the attacker can learn *before* > selecting their own commitment be k >= 2 (such as by opening many > simultaneous signing connections). > > > After performing O(k*b*2^{1/lg(k)}) local computations (where b is the > bitlength of the order of the group), the adversary can compute a valid > forged signature. They do so by first completing the k signing executions, > sending the victim k messages to sign of the adversary's choosing, along > with their own commitments. From the victim's responses, the adversary can > derive a partial forged signature for the victim over a message that the > victim has never seen. The adversary then simply provides their own partial > signature to complete what is a valid forged joint signature. > > > For a scheme defined over a group order of bitlength 256, an adversary > that is allowed to make up to 3 concurrent signing operations reduces the > security of the scheme to ~95 bits of security. Allowing up to 7 concurrent > signing operations reduces the security to 75 bits, etc. > > > With that said, even if you did integrate a FROST-like approach into your > scheme, after a quick look, there are parts of your design that remain > insecure. For example, the stateless computation of the final share [2] > would remain insecure against the Drijvers attack as the final signer is > not required to commit to their nonce before seeing all other signers' > commitments. > > > We would however like schemes that are designed for specific use cases to > build upon FROST as needed. Because of the interest here and as expressed > previously on this list, I would like to ask the chairs to consider moving > our draft for FROST [3] forward. > > > Chelsea > > > [1] https://eprint.iacr.org/2018/417.pdf > [2] > https://tools.ietf.org/id/draft-hallambaker-threshold-sigs-04.html#section-3.3 > [3] https://www.ietf.org/id/draft-komlo-frost-00.txt > >
- [Cfrg] Adoption of threshold drafts by RG Phillip Hallam-Baker
- Re: [Cfrg] Adoption of threshold drafts by RG Watson Ladd
- Re: [Cfrg] Adoption of threshold drafts by RG Phillip Hallam-Baker
- Re: [Cfrg] Adoption of threshold drafts by RG Phillip Hallam-Baker
- Re: [Cfrg] Adoption of threshold drafts by RG Chelsea Komlo
- Re: [Cfrg] Adoption of threshold drafts by RG Phillip Hallam-Baker
- Re: [Cfrg] Adoption of threshold drafts by RG Ian Goldberg
- Re: [Cfrg] Adoption of threshold drafts by RG Chelsea Komlo
- Re: [Cfrg] Adoption of threshold drafts by RG Jeff Burdges
- Re: [Cfrg] Adoption of threshold drafts by RG Phillip Hallam-Baker
- Re: [Cfrg] Adoption of threshold drafts by RG Jeff Burdges
- Re: [Cfrg] Adoption of threshold drafts by RG Phillip Hallam-Baker
- Re: [Cfrg] Adoption of threshold drafts by RG Ian Goldberg