IETF Logo Mail Archive

Re: [Trans] Long-term: scalable collective signing (of certs, log-heads, and/or SCTs)

Bryan Ford <brynosaurus@gmail.com> Thu, 22 October 2015 10:08 UTC

Return-Path: <brynosaurus@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 057D81B363A for <trans@ietfa.amsl.com>; Thu, 22 Oct 2015 03:08:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j8HRqINPaP-F for <trans@ietfa.amsl.com>; Thu, 22 Oct 2015 03:08:21 -0700 (PDT)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A9371B3604 for <trans@ietf.org>; Thu, 22 Oct 2015 03:08:21 -0700 (PDT)
Received: by wijp11 with SMTP id p11so24072111wij.0 for <trans@ietf.org>; Thu, 22 Oct 2015 03:08:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=6o7VC7rCngSP7iEZmdMowYe4eS+p1A+DheOpRAi7vZ4=; b=LbSzoBssMlF+aN0sbI5XlPSwMPhNApPAxP3IShbtlaVKzetgDYe6blBXtoRcmdI7iZ fOzt0YML1qjMHridSuY/llIbzu3dT+jmeGWHtQEDbgrJyYF7sx4JjYg0CDWMi3z23Gk+ 5SvWfPK+M53/mhVeCRjYVEOR6iehK0SDgngz2N9RluBWCr6Kv3FkgQ76bWQR1rtIJrwm KG1VyNRjgSErANeOz0QtI6JwiuKqUAO3dkoEBa+wcc3WeCxrzPrVaC41N6erAJgaWQlo Yb14PKH4U7elX8CEm71ctLsJsbfk+6JEnsLihSm1lCwsDfE2VwYhhnmxO2kzgpiBK6wm 0lxQ==
X-Received: by 10.194.191.161 with SMTP id gz1mr18165585wjc.0.1445508499909; Thu, 22 Oct 2015 03:08:19 -0700 (PDT)
Received: from icsil1noteb193.epfl.ch (icsil1noteb193.epfl.ch. [128.178.151.41]) by smtp.gmail.com with ESMTPSA id z4sm15869205wjz.29.2015.10.22.03.08.18 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 22 Oct 2015 03:08:18 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_5F158604-B03F-48D9-BDE2-917196DCD2B8"
Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3094\))
From: Bryan Ford <brynosaurus@gmail.com>
In-Reply-To: <mailman.4.1443639602.18191.trans@ietf.org>
Date: Thu, 22 Oct 2015 12:08:18 +0200
Message-Id: <F367F507-06BD-4BB6-968F-C2791921C53B@gmail.com>
References: <mailman.4.1443639602.18191.trans@ietf.org>
To: Katriel Cohn-Gordon <me@katriel.co.uk>
X-Mailer: Apple Mail (2.3094)
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/5kuvNHii1u5wqfK6WfEhUnM0nfo>
Cc: trans@ietf.org
Subject: Re: [Trans] Long-term: scalable collective signing (of certs, log-heads, and/or SCTs)
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 10:08:24 -0000

On 30 Sep 2015, at 21:00,Katriel Cohn-Gordon <me@katriel.co.uk> wrote:
> 
> ​Note that ARPKI <http://dl.acm.org/citation.cfm?id=2660298> (among other academic CT variants) similarly has no need for gossip; roughly, monitors sign that they have seen a cert and then clients just verify the signatures. Multisignatures sound like an elegant way to achieve that; are they more efficient than n individual signatures for smallish cothorities e.g. size <10?

Yes, a bit more efficient but the difference isn’t necessarily a big deal in practice for n ~ 10.  

We now (in just the past few weeks) have some better comparative experimental results on this; see pages 35 and 36 of the following slide deck:

	http://dedis.cs.yale.edu/dissent/pres/151009-stanford-cothorities.pdf

The green line and area is the signing latency of our collective signing protocol, now consistently under 2 seconds while scaling all the way out to 8192 hosts.  

The red line is the performance of the basic approach of simply collecting a lot of individual signatures.  As you can see it works fine for small n (and in this case signing latency is lower until the crossover point of about 128 participants.  But computation costs - most of which is signature checking, which signature-verifying clients would have to do as well - increases much more rapidly even for small numbers of hosts (slide 36).

Finally, the blue line shows the even worse scalability of classic multisignatures based on Joint Verifiable (Shamir) Secret Sharing (JVSS or JVSSS, depending on how much you like S’s).  The key problem there is that to avoid depending on a “trusted dealer”, every signing round requires every participant to deal a polynomial with shares for every other, then everyone must verify and combine these O(N) polynomials each of size O(N) into one master polynomial, etc., producing O(N^2) for everyone on each round.

At the talk above I recently gave at Stanford, Dan Boneh made the helpful observation that this O(N^2) per-signature cost of dealing fresh secrets in every round could probably be avoided through the use of a suitable pairing-based signature scheme such as BLS (https://en.wikipedia.org/wiki/Boneh–Lynn–Shacham).  Thus, after paying the O(N^2) as a one-time cost only on group setup, more traditional threshold crypto methods might become a more viable alternative in terms of per-signature costs.

Using traditional threshold crypto would have somewhat different properties that may be desirable in some situations and undesirable in others.  On the upside, the signatures produced would always be exactly the same size and always verifiable using exactly the same process no matter how many co-signers were actually online and participating in any given round.  On the downside, the signatures produced would not contain information “publicly documenting” which signers actually did or did not participate in each round, a property that seems undesirable in transparency-oriented situations like this.  Also, the threshold would have to be fixed and decided in advance, and a “signing threshold of zero” (ensuring that the primary signer can make progress no matter how many co-signers are missing) would not be an option.

Cheers
Bryan

v2.23.0 | Report a Bug | By Email