Re: [CFRG] RGLC on draft-irtf-cfrg-frost-11

Christopher Patton <cpatton@cloudflare.com> Tue, 15 November 2022 16:18 UTC

From: Christopher Patton <cpatton@cloudflare.com>
Date: Tue, 15 Nov 2022 08:17:45 -0800
Message-ID: <CAG2Zi21M8HtfinWTs6AXcGobJ4cUvJn=dWYWukELFQA0sKA_mw@mail.gmail.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Cc: CFRG <cfrg@irtf.org>, cfrg-chairs@ietf.org, draft-irtf-cfrg-frost@ietf.org

Hi chairs and FROST authors,

I am new to FROST and threshold signatures in general. I read the draft to
assess whether I understand the construction and its security goals and
whether sufficient detail is given to make it implementable. The current
draft checks all of these boxes and I think it's ready for publication.
Detailed comments follow.

Thank you for the hard work, this looks to me to be a great product of the
CFRG!
Chris P.


Section 1: "For select ciphersuites, the signatures produced by this draft
are compatible with [RFC8032]." Compatible in what sense? Can a signature
be validated by a plain EdDSA verifier? Or do you mean the signatures look
the same on the wire? I'd clarify this in the introduction.

Section 3.2: nit: "FROST requires the use of a cryptographically secure
hash function, generically written as H, which functions effectively as a
random oracle." I would reword this as "... secure hash function, ...,
which is modeled as a random oracle in current security proofs."

Section 5:

   - "Two-Round FROST Signing Protocol": Throughout the draft you refer to
   the protocol as a variant of FROST. As an implementer, I think I would find
   it helpful if the protocol had a distinguished name. Something like
   "FROST2"? Alternatively, you could call your protocol "FROST" and say that
   it is a variant of the protocol proposed in [FROST20].
   - editorial: "FROST assumes that the Coordinator and the set of signer
   participants, are chosen externally to the protocol." Omit the comma.
   - commit() in Section 5.1: I might have called the output "nonce" the
   "ephemeral_secret" or something, to emphasize that it is secret (nonces
   generally aren't) and that it is used only once.
   - Section 5.2: "... and MUST use the nonce to generate at most one
   signature share": I think a MUST NOT would better emphasize the
   requirement: "... MUST NOT use the nonce more than once".

Section 6:

   - Context strings encode the draft version, e.g.,
   "FROST-ED25519-SHA512-v11". Do you intend to revise these for RFC?

Section 7:

   - You call out that the coordinator needs to be honest-but-curious.
   Something that's not made clear here --- this might be obvious to those who
   are deeper into threshold signatures than I am --- is whether the
   non-coordinator signers are allowed to act maliciously towards forging a
   signature.
   - Section 7.4: Just, :thumbs_up:. I'm very glad FROST doesn't pre-hash,
   but it's helpful to provide some guidance for those who want to do this.
   One minor nit here: "One possible example is to construct this pre-hash
   over message m as H(contextString || "pre-hash" || m)": Instead of
   "pre-hash", I think we ought to recommend adding context here that
   identifies the higher-level application, e.g., "my protocol" instead of
   "pre-hash".

Editorial: Many of the algorithm specs seem to be too long to fit into the
column limit. Consider wrapping lines so that the reader doesn't have to
scroll.

On Mon, Nov 14, 2022 at 12:22 AM Stanislav V. Smyshlyaev <smyshsv@gmail.com>
wrote:

> Dear CFRG participants,
>
> This message is starting 3 weeks RGLC on
> draft-irtf-cfrg-frost-11 ("Two-Round Threshold Schnorr Signatures with
> FROST") that will end on December 6th 2022. If you've read the document and
> think that it is ready (or not ready) for publication as an RFC, please
> send a message in reply to this email or directly to CFRG chairs (
> cfrg-chairs@ietf.org). If you have detailed comments, these would also be
> very helpful at this point.
>
> Thomas Pornin provided a review of the document on behalf of Crypto Review
> Panel,
> https://mailarchive.ietf.org/arch/msg/crypto-panel/bPyYzwtHlCj00g8YF1tjj-iYP2c/
>
> Thank you,
> Stanislav, for CFRG chairs
>
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
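The review above touches three implementation-relevant points of the two-round FROST construction: the round-1 `commit()` output is a one-shot ephemeral secret, a nonce MUST NOT sign more than once, and the question of what a misbehaving non-coordinator signer can do. The following is an added toy sketch of the two-round protocol in Python (written for this archive page; it is not the draft's reference code, nor code from the FROST authors). Everything in it is an assumption for illustration: a tiny Schnorr group (p = 2039, q = 1019, g = 4, far too small to be secure), a trusted-dealer Shamir setup instead of DKG, a placeholder context string `TOY-FROST-v0`, the hash tags `rho` and `chal`, and the fixed-width encoding `enc()`. The `Signer` deletes its nonce after a single use and refuses a second signing request for the same commitment; the coordinator-side `verify_share()` shows how an incorrect share from one signer is detected before aggregation.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only (far too small to be secure):
# p = 2q + 1 with q prime, and g = 4 is a square mod p, so it generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

# Placeholder context string (assumed; the draft uses names such as "FROST-ED25519-SHA512-v11").
CONTEXT = b"TOY-FROST-v0"


def enc(x: int) -> bytes:
    """Fixed-width encoding of a small scalar or group element (assumed encoding)."""
    return x.to_bytes(2, "big")


def h_scalar(tag: bytes, *parts: bytes) -> int:
    """Domain-separated hash to a scalar mod Q; `tag` separates the protocol's hash uses."""
    h = hashlib.sha512(CONTEXT + tag)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


def shamir_split(secret: int, t: int, n: int) -> dict:
    """Trusted-dealer key sharing: evaluate a degree t-1 polynomial with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}


def lagrange_coeff(i: int, ids: list) -> int:
    """Lagrange coefficient lambda_i for recovering f(0) from the shares held by `ids`."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def binding_factor(i: int, msg: bytes, commitments: dict) -> int:
    """rho_i binds signer i's nonce to the message and to the full commitment list."""
    commit_list = b"".join(enc(j) + enc(D) + enc(E) for j, (D, E) in sorted(commitments.items()))
    return h_scalar(b"rho", enc(i), msg, commit_list)


def group_commitment(msg: bytes, commitments: dict) -> int:
    """R = prod_i D_i * E_i^rho_i, computed identically by every signer and the coordinator."""
    R = 1
    for j, (D, E) in commitments.items():
        R = R * D * pow(E, binding_factor(j, msg, commitments), P) % P
    return R


class Signer:
    def __init__(self, ident: int, share: int, group_pubkey: int):
        self.id, self.share, self.pubkey = ident, share, group_pubkey
        self.nonces = {}  # round-1 ephemeral secrets, consumed exactly once in round 2

    def commit(self) -> tuple:
        """Round 1: sample hiding/binding nonces (d, e) and publish (D, E) = (g^d, g^e)."""
        d, e = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
        D, E = pow(G, d, P), pow(G, e, P)
        self.nonces[(D, E)] = (d, e)
        return D, E

    def sign(self, msg: bytes, commitments: dict) -> int:
        """Round 2: z_i = d_i + e_i*rho_i + lambda_i*s_i*c, then destroy the nonce."""
        key = commitments[self.id]
        if key not in self.nonces:
            raise RuntimeError("nonce already used; a nonce MUST NOT sign more than once")
        d, e = self.nonces.pop(key)
        rho = binding_factor(self.id, msg, commitments)
        c = h_scalar(b"chal", enc(group_commitment(msg, commitments)), enc(self.pubkey), msg)
        lam = lagrange_coeff(self.id, sorted(commitments))
        return (d + e * rho + lam * self.share * c) % Q


def verify_share(i, z_i, msg, commitments, share_pubkeys, group_pubkey) -> bool:
    """Coordinator check g^z_i == D_i * E_i^rho_i * Y_i^(c*lambda_i); flags a bad signer."""
    D, E = commitments[i]
    rho = binding_factor(i, msg, commitments)
    c = h_scalar(b"chal", enc(group_commitment(msg, commitments)), enc(group_pubkey), msg)
    lam = lagrange_coeff(i, sorted(commitments))
    expected = D * pow(E, rho, P) % P * pow(share_pubkeys[i], c * lam % Q, P) % P
    return pow(G, z_i, P) == expected


def verify(msg: bytes, R: int, z: int, group_pubkey: int) -> bool:
    """Plain single-party Schnorr verification of the aggregated signature (R, z)."""
    c = h_scalar(b"chal", enc(R), enc(group_pubkey), msg)
    return pow(G, z, P) == R * pow(group_pubkey, c, P) % P


def run_protocol(t=2, n=3, msg=b"constructed test message") -> dict:
    """Dealer setup, then one t-of-n signing session with the first t signers."""
    secret = secrets.randbelow(Q - 1) + 1
    shares = shamir_split(secret, t, n)
    group_pubkey = pow(G, secret, P)
    share_pubkeys = {i: pow(G, s, P) for i, s in shares.items()}
    signers = {i: Signer(i, shares[i], group_pubkey) for i in range(1, t + 1)}
    commitments = {i: s.commit() for i, s in signers.items()}          # round 1
    shares_z = {i: s.sign(msg, commitments) for i, s in signers.items()}  # round 2
    for i, z in shares_z.items():
        if not verify_share(i, z, msg, commitments, share_pubkeys, group_pubkey):
            raise ValueError(f"signer {i} produced an invalid share")
    R, z = group_commitment(msg, commitments), sum(shares_z.values()) % Q
    return {"valid": verify(msg, R, z, group_pubkey), "signers": signers, "commitments": commitments,
            "msg": msg, "shares_z": shares_z, "share_pubkeys": share_pubkeys, "group_pubkey": group_pubkey}
```

The aggregated (R, z) verifies with the ordinary Schnorr equation g^z == R * Y^c, which is the sense in which a threshold signature can be checked by a single-party verifier. Calling `sign()` a second time on the same signer with the same commitments raises, since the ephemeral secret was removed from memory after its single use; in a real implementation the nonce material should additionally be generated with a CSPRNG and stored with the same care as the long-term share.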