[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Post-quantum secure hierachical deterministic key derivation
From: |
Jeff Burdges |
Subject: |
Re: Post-quantum secure hierachical deterministic key derivation |
Date: |
Tue, 22 Dec 2020 19:15:06 +0100 |
> On 21 Dec 2020, at 06:49, Martin Schanzenbach <mschanzenbach@posteo.de> wrote:
> this looks promising for PQ-secure GNS key blinding:
> https://eprint.iacr.org/2020/1149.pdf
It’s cool that lattice-based schemes can do so many nifty things like this, and
tor might want the same functionality, but a priori one expects such tricks
weaken lattice-based schemes.
There is a claim in the second paragraph in section 5.1 page 24 that this
weakening does not occur here, assuming the randomization is honest. I have
not explored this claim under their honest randomness assumption, but it'd
clearly requires proof even there. In fact, I doubt this randomization can be
considered honest in the blockchain or GNS threat models, so I think the
authors do not really understand for what their protocol expects to be used.
In tor’s case, one might consider directory authorities honest. There exist
few directory authorities though regardless, so if tor made directory
authorities propose randomness using a VRF implemented with a hash-based
signature, then you could bound the adversaries influence over the randomness
by the number of signing directory authorities since an honest directory
authority signed. This is almost surely useful.
Assuming section 5.1 fails then one might still use the protocol, but.. There
is strictly more room for debate over the parameter choices here than for a
lattice-based signature without this functionality. Indeed, I seriously doubt
you'd deploy this using exactly the same parameters a lattice-based signature
without this functionality, given the similar threats, lifetime, etc. And
folks do not yet agree about even the regular parameter!
I also think the protocol requires further exploration of linkability between
keys, which maybe matters under some blockchain usages of HDKD like zcash,
definitely matters for Tor, and maybe matters for GNS. It appears the paper
does not explore this.
It’s kinda a problem with our brave new lattice based post-quantium future that
niche crypto becomes more of a second class citizen than with elliptic curves,
but if security levels become established then at least parameterizing the
niche stuff becomes more realistic.
Jeff
signature.asc
Description: Message signed with OpenPGP
- Post-quantum secure hierachical deterministic key derivation, Martin Schanzenbach, 2020/12/21
- Re: Post-quantum secure hierachical deterministic key derivation,
Jeff Burdges <=
- Re: Post-quantum secure hierachical deterministic key derivation, Martin Schanzenbach, 2020/12/22
- Re: Post-quantum secure hierachical deterministic key derivation, Jeff Burdges, 2020/12/23
- Re: Post-quantum secure hierachical deterministic key derivation, Martin Schanzenbach, 2020/12/23
- Re: Post-quantum secure hierachical deterministic key derivation, Jeff Burdges, 2020/12/23
- Re: Post-quantum secure hierachical deterministic key derivation, Martin Schanzenbach, 2020/12/23
- Re: Post-quantum secure hierachical deterministic key derivation, Jeff Burdges, 2020/12/23