Re: [saag] [Cfrg] Recommendations Regarding Deterministic Signatures

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 20 December 2019 18:09 UTC

References: <08737FB3-C63E-453D-BF4E-45BD2A3ABB55@ericsson.com>
In-Reply-To: <08737FB3-C63E-453D-BF4E-45BD2A3ABB55@ericsson.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 20 Dec 2019 13:09:04 -0500
Message-ID: <CAMm+LwhzejJSWqHUpisLuyuoqhQbum5qN-P09xeWdSN3A_-o_A@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "saag@ietf.org" <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/BKvn6EwjTG3oV93-8zbrOIa9nVQ>
Subject: Re: [saag] [Cfrg] Recommendations Regarding Deterministic Signatures
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>

The objections to the deterministic signature approach raised in that NIST
paper could be avoided by applying the Kocher blinding approach, whose
patent has recently expired, as I point out in another message.

However, there is also NIST interest in threshold cryptography, and while
{Ed/X}{25519/448} support threshold key generation, threshold decryption
and threshold key agreement, RFC 8032 does not appear to be viable as a good
threshold signature scheme. (It is possible to do multi-signatures, of
course, and I have a defective threshold scheme that might make sense in a
TPM environment.)

I will be submitting an Internet-Draft describing threshold key generation
and threshold decryption by the end of the year (the code runs), and I
should have a threshold key agreement draft shortly after. It would be
really nice if we had a threshold signature scheme to complete the set (get
that 20% matched-set armor rating).

In particular, I believe that we need a threshold signature scheme that is
non-interactive. This is because I need to be able to explain the scheme to
a layperson who does not understand the signature scheme. For example: the
Alice+Bob aggregate signature is secure because it is constructed from a
signature contribution from Alice and a signature contribution from Bob,
both of which are secure signatures in their own right, and both of which
have exactly the same construction with respect to Alice's and Bob's public
keys as the aggregate signature does to the aggregate key.
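The Alice+Bob aggregate described in the message above, worked through as an added example that is not part of the original thread or of any draft mentioned in it. It uses a toy Schnorr scheme in a prime-order subgroup of Z_p^* (a 64-bit safe prime generated at import, SHA-256 as hash-to-scalar, seeded key and nonce derivation); all of these are illustrative choices, not RFC 8032's, but the algebra is the same one Ed25519 uses on its curve. Three things are shown: with one shared challenge e = H(R, A, m) the two contributions sum to a valid signature under the aggregate key, but each signer needs the other's R before it can sign, which is the round of interaction; if instead each party produces an ordinary signature under its own key (the "secure in their own right" property), the parts verify individually but their sum does not verify under the aggregate key; and if Alice derives her nonce deterministically from key and message, as RFC 8032 does, Bob can rerun the shared-challenge protocol on the same message with a fresh nonce of his own and recover Alice's private key from two of her shares.

```python
"""Toy Schnorr signatures in a prime-order subgroup of Z_p^* (illustration added
to this thread, not code from it). Shows (a) that Schnorr/EdDSA-style parts add
into a signature under the aggregate key only if all signers use one challenge,
which costs a round of nonce exchange, and (b) that RFC 8032-style deterministic
nonces then let a rogue co-signer recover a partner's key. All parameters are toy."""
import hashlib
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; these fixed bases are deterministic for n < 3.3e24."""
    if any(n % p == 0 for p in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(start):
    """Smallest safe prime P = 2Q + 1 with Q >= start (toy parameter setup)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(1 << 63)  # ~64-bit toy group: far too small for real use
G = 4  # a quadratic residue mod a safe prime, hence of prime order Q

def H(*parts):
    """Hash-to-scalar: SHA-256 over labelled parts, reduced mod Q."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen(seed):
    """Private scalar a and public key A = G^a (seeded so runs repeat)."""
    a = H("key", seed) or 1
    return a, pow(G, a, P)

def det_nonce(a, msg):
    """RFC 8032-style deterministic nonce: a function of key and message only."""
    return H("nonce", a, msg) or 1

def verify(pk, msg, sig):
    """Plain Schnorr check: G^s == R * pk^e with e = H(R, pk, msg)."""
    R, s = sig
    return pow(G, s, P) == R * pow(pk, H(R, pk, msg), P) % P

def cosign_shared_challenge(keys, msg):
    """Two-round aggregation: exchange R_i, then all sign under e = H(R, A, msg)."""
    A, R, nonces = 1, 1, [det_nonce(a, msg) for a, _ in keys]
    for (_, A_i), r in zip(keys, nonces):
        A, R = A * A_i % P, R * pow(G, r, P) % P
    e = H(R, A, msg)  # needs every R_i first: this is the round of interaction
    s = sum(r + e * a for (a, _), r in zip(keys, nonces)) % Q
    return A, (R, s)

def cosign_independent(keys, msg):
    """Non-interactive attempt: ordinary Schnorr signatures per key, parts summed.
    Returns aggregate key, summed signature and the parts as (pk, sig) pairs."""
    A, R, s, parts = 1, 1, 0, []
    for a, A_i in keys:
        r = det_nonce(a, msg)
        R_i = pow(G, r, P)
        s_i = (r + H(R_i, A_i, msg) * a) % Q  # challenge bound to this key only
        parts.append((A_i, (R_i, s_i)))
        A, R, s = A * A_i % P, R * R_i % P, (s + s_i) % Q
    return A, (R, s), parts

def rogue_cosigner_recovers_key(a_alice, A_alice, b, msg):
    """Bob reruns the shared-challenge protocol on the same msg with fresh nonces;
    Alice's deterministic r is reused under e1 != e2, so (s1-s2)/(e1-e2) = a."""
    r_alice = det_nonce(a_alice, msg)
    R_alice = pow(G, r_alice, P)
    A = A_alice * pow(G, b, P) % P
    seen, k = {}, 0
    while len(seen) < 2:  # Alice's honest share under two distinct challenges
        e = H(R_alice * pow(G, H("bob-session", k), P) % P, A, msg)
        seen[e] = (r_alice + e * a_alice) % Q
        k += 1
    (e1, s1), (e2, s2) = seen.items()
    return (s1 - s2) * pow(e1 - e2, -1, Q) % Q

def demo(msg="pay 10 to carol"):
    """(aggregate verifies, independent parts verify, their sum verifies, key leaked)."""
    alice, bob = keygen("alice"), keygen("bob")
    A, sig = cosign_shared_challenge([alice, bob], msg)
    A2, sig2, parts = cosign_independent([alice, bob], msg)
    return (verify(A, msg, sig), all(verify(pk, msg, s) for pk, s in parts),
            verify(A2, msg, sig2),
            rogue_cosigner_recovers_key(*alice, bob[0], msg) == alice[0])
```

Calling demo() returns (True, True, False, True): the shared-challenge aggregate verifies, the independently produced parts verify under their own keys but not as a sum under the aggregate key, and the deterministic nonce leaks Alice's key to a co-signer who simply declines to be deterministic himself. With a single signer, cosign_shared_challenge reduces to an ordinary Schnorr signature, which is the "same construction with respect to the key" property the message asks for; the difficulty is getting it without the nonce round and without the nonce-reuse exposure.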