[Cfrg] Threshold Noise/Wireguard

Denis Kolegov <d.n.kolegov@gmail.com> Fri, 29 May 2020 03:26 UTC

From: Denis Kolegov <d.n.kolegov@gmail.com>
Date: Fri, 29 May 2020 10:26:34 +0700
Message-ID: <CACoviyPDjnWSWan9Co5Ju64kW4RXZsqcL5CXbTOPuJsKgWQf4g@mail.gmail.com>
To: IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/wMGJTeyK1B3-HgIqVjDFsAuGCec>
Subject: [Cfrg] Threshold Noise/Wireguard

Hello Everyone.

The Noise Protocol Framework and the WireGuard protocol, which implements one
of Noise's patterns, have become more popular in recent years.

I think it would be interesting and useful in many cases to apply WireGuard
in a threshold setting. WireGuard is based on Curve25519.

There is a draft "Threshold Modes in Elliptic Curves" (
https://tools.ietf.org/html/draft-hallambaker-threshold-02) that considers
threshold Diffie-Hellman. The basic idea that can also be used in WireGuard
is described in sections 3/3.1 of the draft.

There are N parties and the basic threshold scheme is (N, N).
Let x1, ..., xN be the secret keys (shares) of the parties p1, ..., pN working
on Bob's side.
Let Y be the public key of Alice.

The initial idea was pretty straightforward: xY = (x1 + ... + xN)Y = x1Y +
... + xNY.

The main problem is the distributed key generation without a dealer. Other
problems like point addition and encoding were considered in the draft.

WireGuard uses Curve25519. It is known that Curve25519's private key (the
first and the last bytes) must be masked:
     private[0] &= 248;
     private[31] &= 127;
     private[31] |= 64;

So a Curve25519 private key must belong to S = {0, 8, 16, 24, ..., 248} × {0,
1, ..., 255}^30 × {64, 65, 66, ..., 127}.

This means that shares x1, ..., xN and the final private key must be from S.

I am very interested in the group working on this.

Is anyone interested in working on this scheme?
-- 
Sincerely,
Denis Kolegov
@dnkolegov
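
The identity xY = x1Y + ... + xNY from the message above, checked for N = 2 on Curve25519 with full affine points (X25519 itself works on u-coordinates only and cannot add two results), together with a membership test for the set S. This is an added example, not code from the post or the draft; the share bytes, Alice's key and all function names are constructed for illustration.

```python
P = 2**255 - 19          # field prime of Curve25519
A = 486662               # Montgomery coefficient: v^2 = u^3 + A*u^2 + u

def clamp(k: bytes) -> int:
    """Apply the masking quoted in the post; return the scalar as an integer."""
    b = bytearray(k)
    b[0] &= 248; b[31] &= 127; b[31] |= 64
    return int.from_bytes(b, "little")

def in_S(x: int) -> bool:
    """True if x fits in 32 bytes and its little-endian encoding lies in S."""
    return 0 <= x < 2**256 and x % 8 == 0 and (x >> 254) == 1

def lift(u: int):
    """Recover an affine point (u, v) from u (square root for P = 5 mod 8)."""
    a = (u**3 + A*u*u + u) % P
    v = pow(a, (P + 3) // 8, P)
    if v*v % P != a:
        v = v * pow(2, (P - 1) // 4, P) % P
    if v*v % P != a: raise ValueError("u is not on the curve")
    return (u, v)

def add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2:
        lam = (3*x1*x1 + 2*A*x1 + 1) * pow(2*y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam*lam - A - x1 - x2) % P
    return (x3, (lam*(x1 - x3) - y1) % P)

def mul(k: int, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def demo():
    Y = mul(clamp(bytes(range(32))), lift(9))   # Alice's public key (constructed)
    x1, x2 = clamp(b"\x11" * 32), clamp(b"\x22" * 32)  # Bob-side shares (constructed)
    combined = add(mul(x1, Y), mul(x2, Y))      # each party computes xi*Y locally
    return combined == mul(x1 + x2, Y), in_S(x1), in_S(x2), in_S(x1 + x2)
```

`demo()` returns whether the combined point equals (x1 + x2)Y, followed by the S-membership of x1, x2 and their integer sum.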