Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65D2A12008F for ; Fri, 3 Jan 2020 09:08:26 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.998 X-Spam-Level: X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x7cTea2BiUAC for ; Fri, 3 Jan 2020 09:08:24 -0800 (PST) Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2E6E120088 for ; Fri, 3 Jan 2020 09:08:24 -0800 (PST) Received: by mail-pg1-x52b.google.com with SMTP id l24so23696542pgk.2 for ; Fri, 03 Jan 2020 09:08:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=8CbHOlFTZQI+erC2BZg+zEOehXB0XdnjiH/scTiT7rE=; b=ZsHKForWGQ2FJIBCpkCyUjHVCH68hZ1sPwtsWLh4bIYZTzRzdqsXitFjijSrPCBzm2 BetCtk2VJvOPLnoLwg9Iui6Q19AyS25qG5/t5/Fc7oK74odLF/jv9NTipTFKsYmK/1Th gEv1HOSzbqeGWWKWFM3SwnUDROdsy5YTaFkuHipRNTza6KOiywAEIz1CoFKI4H3IHvaO +yg0L1eV/P8XDM/8uoqVyUAeYeGqWQvGWk8dUNCwW0sz16B9IPJE7DB1Mr90qBQwqg0N Y2uGdpTC54OFegDMnZ2y4BkPQva9RYnu0M7G1saWo5J1RIWWMxw/z11tXZGCzYqpP2WY wSaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=8CbHOlFTZQI+erC2BZg+zEOehXB0XdnjiH/scTiT7rE=; b=n1ymzkh6T+w2wL5yR8oyt3bma2tR+E5+HT2ObjzrXZQYvkqA8KA4vjOdYefyHIxNNF k46EqB4p4QY4FOzUbXyMbd/AwszOA1AFxDlckAbYQquCVVdxPwcgC+1MvdEer7EURgAR V+FdFeeyCd6W+9s3NcMBjhR5NsTFqdpRV+STwvl3eZWF9esQgT5iZzBXKN51G9nVgdHb mqT8KBRtB1W/hspbnQPdE+c0lC45elUwhLI+tG/7ZkiZRVnaGUies8qTiP4ehKx86wmj 5+n3/5jYD25CyCdfvn5l5fFx8R63ttB3S97Ny+aKcmzF8ob300xKbxe1/LgjRBmpVu9B J+Ig== X-Gm-Message-State: APjAAAVBgqu5JqFJlW8+AK1p9zwf94GLlr4Rn4l5VGLqtYm4IGn6JZA0 BBzfl9teTRW3fRalrlWml0w= X-Google-Smtp-Source: APXvYqwHK+zeU5EJFYLFWy53oGY9XeVRZGmxCa26Jxe3VuSThYoXN/zjQoj8tiUZrZJY+Ga65hI98w== X-Received: by 2002:a63:5f45:: with SMTP id t66mr94329918pgb.198.1578071304184; Fri, 03 Jan 2020 09:08:24 -0800 (PST) Received: from [192.168.1.53] (47-208-190-34.trckcmtc01.res.dyn.suddenlink.net. [47.208.190.34]) by smtp.gmail.com with ESMTPSA id x197sm70989197pfc.1.2020.01.03.09.08.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 03 Jan 2020 09:08:23 -0800 (PST) From: Dan Wing Message-Id: <0D2BAF97-6A23-4F74-9E20-F56E34ECDF10@gmail.com> Content-Type: multipart/alternative; boundary="Apple-Mail=_6B1D5DE9-3ECE-4A03-96AD-D93024C1FBF1" Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\)) Date: Fri, 3 Jan 2020 09:08:22 -0800 In-Reply-To: Cc: IRTF CFRG , Tony Arcieri To: Phillip Hallam-Baker References: <902BF3DD-4515-4A23-B7B7-0C9D8726E56F@gnunet.org> X-Mailer: Apple Mail (2.3608.40.2.2.4) Archived-At: Subject: Re: [Cfrg] Threshold signatures X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Jan 2020 17:08:26 -0000 --Apple-Mail=_6B1D5DE9-3ECE-4A03-96AD-D93024C1FBF1 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Also, if just need signatures, why not do 3 normal signatures where each = signature says "to be valid, there need to be 2 other valid signatures". = Or are you trying to enforce correctness via crypto (so that if only = one signature, it can't be valid)? If so, that is admirable, but unless = something critical is encrypted, not achievable. -d > On Jan 3, 2020, at 8:42 AM, Tony Arcieri wrote: >=20 > On Fri, Jan 3, 2020 at 10:04 AM Phillip Hallam-Baker = > wrote: > At this point, I think we need to focus on making X25519/448 and = Ed25519/448 the basis for the next gen of security products.. It took = about five years from AES being announced as a winner for it to become = the new normal.=20 >=20 > Given your stated goals of a multisignature which can work for both = developers and things like HSMs and cloud KMS services, and code signing = systems only supporting a single signature as opposed to threshold = signature sets, I think it's worth questioning whether Ed25519 = signatures are the right tool for the job. >=20 > I think draft-boneh-bls-signature might be a better fit as it supports = offline aggregation. This means HSMs/KMS systems do not need to = participate in an interactive protocol to produce a signature. It also = facilitates offline/"airgapped" codesigning (using e.g. hardware = tokens). >=20 > An interactive signing protocol where all of the participants must be = able to reach a central online "broker" in order to produce a = multisignature (and also all be online at the same time) is an onerous = requirement, as opposed to one where each system can produce a signature = and they can be retroactively aggregated. >=20 > --=20 > Tony Arcieri > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg --Apple-Mail=_6B1D5DE9-3ECE-4A03-96AD-D93024C1FBF1 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii Also,= if just need signatures, why not do 3 normal signatures where each = signature says "to be valid, there need to be 2 other valid signatures". =  Or are you trying to enforce correctness via crypto (so that if = only one signature, it can't be valid)?  If so, that is admirable, = but unless something critical is encrypted, not achievable.

-d


On Jan 3, 2020, at 8:42 AM, Tony Arcieri = <bascule@gmail.com> wrote:

On Fri, Jan 3, 2020 at 10:04 AM = Phillip Hallam-Baker <phill@hallambaker.com> wrote:
At this = point, I think we need to focus on making X25519/448 and = Ed25519/448 the basis for the next gen of security products.. It took = about five years from AES being announced as a winner for it to become = the new normal. 

Given your stated goals of a = multisignature which can work for both developers and things like HSMs = and cloud KMS services, and code signing systems only supporting a = single signature as opposed to threshold signature sets, I think it's = worth questioning whether Ed25519 signatures are the right tool for the = job.

I think draft-boneh-bls-signature might = be a better fit as it supports offline aggregation. This means HSMs/KMS = systems do not need to participate in an interactive protocol to produce = a signature. It also facilitates offline/"airgapped" codesigning (using = e.g. hardware tokens).

An interactive signing protocol where all of the participants = must be able to reach a central online "broker" in order to produce a = multisignature (and also all be online at the same time) is an onerous = requirement, as opposed to one where each system can produce a signature = and they can be retroactively aggregated.

--
Tony Arcieri
_______________________________________________
Cfrg = mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg

= --Apple-Mail=_6B1D5DE9-3ECE-4A03-96AD-D93024C1FBF1--