IETF Logo Mail Archive

Re: [Cfrg] Threshold signatures

Dan Wing <danwing@gmail.com> Fri, 03 January 2020 17:08 UTC

Return-Path: <danwing@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65D2A12008F for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 09:08:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x7cTea2BiUAC for <cfrg@ietfa.amsl.com>; Fri, 3 Jan 2020 09:08:24 -0800 (PST)
Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2E6E120088 for <cfrg@irtf.org>; Fri, 3 Jan 2020 09:08:24 -0800 (PST)
Received: by mail-pg1-x52b.google.com with SMTP id l24so23696542pgk.2 for <cfrg@irtf.org>; Fri, 03 Jan 2020 09:08:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=8CbHOlFTZQI+erC2BZg+zEOehXB0XdnjiH/scTiT7rE=; b=ZsHKForWGQ2FJIBCpkCyUjHVCH68hZ1sPwtsWLh4bIYZTzRzdqsXitFjijSrPCBzm2 BetCtk2VJvOPLnoLwg9Iui6Q19AyS25qG5/t5/Fc7oK74odLF/jv9NTipTFKsYmK/1Th gEv1HOSzbqeGWWKWFM3SwnUDROdsy5YTaFkuHipRNTza6KOiywAEIz1CoFKI4H3IHvaO +yg0L1eV/P8XDM/8uoqVyUAeYeGqWQvGWk8dUNCwW0sz16B9IPJE7DB1Mr90qBQwqg0N Y2uGdpTC54OFegDMnZ2y4BkPQva9RYnu0M7G1saWo5J1RIWWMxw/z11tXZGCzYqpP2WY wSaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=8CbHOlFTZQI+erC2BZg+zEOehXB0XdnjiH/scTiT7rE=; b=n1ymzkh6T+w2wL5yR8oyt3bma2tR+E5+HT2ObjzrXZQYvkqA8KA4vjOdYefyHIxNNF k46EqB4p4QY4FOzUbXyMbd/AwszOA1AFxDlckAbYQquCVVdxPwcgC+1MvdEer7EURgAR V+FdFeeyCd6W+9s3NcMBjhR5NsTFqdpRV+STwvl3eZWF9esQgT5iZzBXKN51G9nVgdHb mqT8KBRtB1W/hspbnQPdE+c0lC45elUwhLI+tG/7ZkiZRVnaGUies8qTiP4ehKx86wmj 5+n3/5jYD25CyCdfvn5l5fFx8R63ttB3S97Ny+aKcmzF8ob300xKbxe1/LgjRBmpVu9B J+Ig==
X-Gm-Message-State: APjAAAVBgqu5JqFJlW8+AK1p9zwf94GLlr4Rn4l5VGLqtYm4IGn6JZA0 BBzfl9teTRW3fRalrlWml0w=
X-Google-Smtp-Source: APXvYqwHK+zeU5EJFYLFWy53oGY9XeVRZGmxCa26Jxe3VuSThYoXN/zjQoj8tiUZrZJY+Ga65hI98w==
X-Received: by 2002:a63:5f45:: with SMTP id t66mr94329918pgb.198.1578071304184; Fri, 03 Jan 2020 09:08:24 -0800 (PST)
Received: from [192.168.1.53] (47-208-190-34.trckcmtc01.res.dyn.suddenlink.net. [47.208.190.34]) by smtp.gmail.com with ESMTPSA id x197sm70989197pfc.1.2020.01.03.09.08.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 03 Jan 2020 09:08:23 -0800 (PST)
From: Dan Wing <danwing@gmail.com>
Message-Id: <0D2BAF97-6A23-4F74-9E20-F56E34ECDF10@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6B1D5DE9-3ECE-4A03-96AD-D93024C1FBF1"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
Date: Fri, 03 Jan 2020 09:08:22 -0800
In-Reply-To: <CAHOTMVKr_nqDXzAuX29ZN+6MW_vEvbadpEqELdO_RSnhNzr1Fw@mail.gmail.com>
Cc: IRTF CFRG <cfrg@irtf.org>, Tony Arcieri <bascule@gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
References: <CAMm+LwiXTA7UoFwSWE_c-cy_EdtYE5qFAm594UfFkdAVLNhimg@mail.gmail.com> <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org> <CAOLP8p5Q=xswL7vkXVpSbVHUZ1dV+1wT3YdViq+1re1=fiSpRA@mail.gmail.com> <CAMm+LwiC5tBCd=fUo9e1tuQFVJ8C6hMXSxRZk2xff1238_9HRA@mail.gmail.com> <CAHOTMVKr_nqDXzAuX29ZN+6MW_vEvbadpEqELdO_RSnhNzr1Fw@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/wLxb5hk4Qvni2Jmx5njm9Tk2cWc>
Subject: Re: [Cfrg] Threshold signatures
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2020 17:08:26 -0000

Also, if just need signatures, why not do 3 normal signatures where each signature says "to be valid, there need to be 2 other valid signatures".  Or are you trying to enforce correctness via crypto (so that if only one signature, it can't be valid)?  If so, that is admirable, but unless something critical is encrypted, not achievable.

-d


> On Jan 3, 2020, at 8:42 AM, Tony Arcieri <bascule@gmail.com> wrote:
> 
> On Fri, Jan 3, 2020 at 10:04 AM Phillip Hallam-Baker <phill@hallambaker.com <mailto:phill@hallambaker.com>> wrote:
> At this point, I think we need to focus on making X25519/448 and Ed25519/448 the basis for the next gen of security products.. It took about five years from AES being announced as a winner for it to become the new normal. 
> 
> Given your stated goals of a multisignature which can work for both developers and things like HSMs and cloud KMS services, and code signing systems only supporting a single signature as opposed to threshold signature sets, I think it's worth questioning whether Ed25519 signatures are the right tool for the job.
> 
> I think draft-boneh-bls-signature might be a better fit as it supports offline aggregation. This means HSMs/KMS systems do not need to participate in an interactive protocol to produce a signature. It also facilitates offline/"airgapped" codesigning (using e.g. hardware tokens).
> 
> An interactive signing protocol where all of the participants must be able to reach a central online "broker" in order to produce a multisignature (and also all be online at the same time) is an onerous requirement, as opposed to one where each system can produce a signature and they can be retroactively aggregated.
> 
> -- 
> Tony Arcieri
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email