Skip to content

Blind Schnorr Signatures#98

Open
nickfarrow wants to merge 2 commits into
LLFourn:masterfrom
nickfarrow:blind-sig-pr
Open

Blind Schnorr Signatures#98
nickfarrow wants to merge 2 commits into
LLFourn:masterfrom
nickfarrow:blind-sig-pr

Conversation

@nickfarrow
Copy link
Copy Markdown
Collaborator

@nickfarrow nickfarrow commented Jun 23, 2022
edited
Loading

Blind schnorr signatures

Todo:

  • proptest
  • docs & synopsis
  • fn BlindingTweaks::from_values(alpha, beta)
  • Improved method for needs_negations?
  • Move frost and musig nonce.rs stuff to binonce and introduce a singular nonce that generates with even-Y (don't have to manually negate in tests & everywhere) Just derive_nonce!() for now
  • wrapper. Instead follow: Blind Schnorr Signatures and Signed ElGamal Encryption
    in the Algebraic Group Model     .
  • A better wrapper that stores some basic ID / context for maximum N sessions, returning None when sessions are maxed out. Do not give out any signatures until all N sessions are connected.
  • Do not also tweak public key (t)
  • Check whether nonce belongs to current signing session at start of sign()
  • Decide whether max_sessions can be 1 and whether to immediately sign (never concurrent)
  • Decide whether already_signed is appropriate.
  • BlindSigner::drain_sign or something to sign remaining

maybe insecure -- do not use

@nickfarrow
Copy link
Copy Markdown
Collaborator Author

nickfarrow commented Jul 4, 2022
edited
Loading

227b6f2 is an attempt to make this secure (still almost certainly insecure -- do not use).

To safely sign, the signing server should use safe_blind_sign_multiple for N SignRequests where 1 of N requests are dropped. From my reading this makes parallel signing attacks too difficult as you are unable to rely on all sessions (is 1 of N always sufficient?).

I doubt this API is ideal (particularly if async), but it's somewhere to start

LLFourn
LLFourn reviewed Jul 4, 2022
View reviewed changes
Comment thread schnorr_fun/Cargo.toml Outdated
LLFourn
LLFourn requested changes Jul 4, 2022
View reviewed changes
Copy link
Copy Markdown
Owner

@LLFourn LLFourn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work. Left some comments. The big picture comment I have is whether we can via the API prevent a user from opening more parallel sessions than they should be allowed to given the difficultly of the modified ROS problem. e.g. if you try and open one when you already have too many open you get an None back.

Comment thread schnorr_fun/src/blind.rs
Comment thread schnorr_fun/src/blind.rs Outdated
Comment thread schnorr_fun/src/blind.rs Outdated
Comment thread schnorr_fun/src/blind.rs Outdated
Comment thread schnorr_fun/src/blind.rs Outdated
Comment thread schnorr_fun/src/blind.rs Outdated
Comment thread schnorr_fun/src/blind.rs Outdated
@nickfarrow nickfarrow force-pushed the blind-sig-pr branch 2 times, most recently from 1bb2f18 to 48a0e28 Compare July 6, 2022 07:19
@nickfarrow nickfarrow force-pushed the blind-sig-pr branch 2 times, most recently from 6151810 to f5c6f45 Compare July 29, 2022 06:38
@nickfarrow
Copy link
Copy Markdown
Collaborator Author

nickfarrow commented Aug 11, 2022

I'd like to clean up the multiple uses of "blinded" and "tweaked". The struct Blinder is a bit confusing as to what is disguised and what is not.

@nickfarrow nickfarrow mentioned this pull request Oct 10, 2022
Merged
@nickfarrow nickfarrow force-pushed the blind-sig-pr branch 3 times, most recently from 4ead9f4 to a06a8d1 Compare February 1, 2023 07:42
@nickfarrow
Copy link
Copy Markdown
Collaborator Author

nickfarrow commented Feb 1, 2023

These changes have introduced a BlindSigner to manage the state of a signing server in order to be secure against an adversary trying to forge a signature by solving the ROS problem.

The BlindSigner uses its internal schnorr nonce_gen() and a sid to generate nonces.

Users' requests are processed with sequential calls to sign on SignatureRequests, returning nothing until the BlindSigner receives max_sessions requests. Then it will sign all-but-one of the signature requests (in order to avoid concurrent singing attacks) and forget all the nonces

I have made it so that you can set max_sessions to 1, resulting in instant signing and never "disconnecting". I have also exposed BlindSigner::sign_single which should never be called in parallel (documented).

@nickfarrow nickfarrow marked this pull request as ready for review February 1, 2023 07:51
@nickfarrow nickfarrow force-pushed the blind-sig-pr branch 4 times, most recently from 4274181 to e2e47e5 Compare February 2, 2023 02:09
@nickfarrow
Copy link
Copy Markdown
Collaborator Author

nickfarrow commented Feb 2, 2023

Latest commits make steps to more safely handle state and a clearer distinction between parallel and single-call execution. There is now a sign_all_but_one to drain all signature requests that were loaded into sign, can be called whenever instead of waiting for max_sessions number of signatures.

@nickfarrow nickfarrow force-pushed the blind-sig-pr branch 4 times, most recently from ff9edc9 to 1aec1c0 Compare February 16, 2023 12:37
@nickfarrow
Parallel Blind Signing Sessions
28e4458 
* Disconnect on 1 of N sessions, unless N=1
* Use up nonces when signing.
* Expire sessions when we have given out too many nonces
* Store already signed signatures for polling
* Store already_signed as None for closed sessions
* serde_json Serialize, Deserialize
* Separate sign_all_but_one function for immediate signing
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@LLFourn LLFourn LLFourn requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nickfarrow @LLFourn