Comments (6)
We noticed a nicer trick: Initially set X_0 to be random and compute Z_0 = a X_0 + b X_0 for some random a,b with a+b=s. In signing, set X_{i+1} = H(m) - X_i and compute Z_{i+1} = aX_{i+1} + bX_{i+1} so our signature is z_{i+1} + Z_i. And resplit
remains the same. Amortized, this costs zero additional scalar multiplications, just the tow in setup.
You can make this work with distinct X and Y too, but now replit requires an extra scalar multiplication. In Polkadot's GRANDPA, we always signing several messages simultaneously, so our key spiting could maybe exploit this too somehow.
from bls.
I've implemented this last idea in c8db373 because it's basically free. I'll leave this open since we might still consider more radical approaches..
from bls.
Thomas Pornin cautions against viewing key splitting as an alternative to constant-time implementations. We expect librustzcash to eventually become constant-time, so I'm not eger to duplicate their efforts, but maybe worth considering.
Thomas Pornin suggests viewing key splitting more as a defense against attackers in physical proximity, like power analysis and fault attacks. I'd wanted to pull out the key splitting whenever librustzcash becomes constant-time, but maybe we cannot do so due to the broader lack of experience with pairing based protocols. Oh well..
from bls.
I also do not think that key-splitting makes the arithmetic constant time. I'm not too familiar with "physical proximity, like power analysis and fault attacks" but it would be cool if this idea was backed with some empirical evidence of some sense (maybe there is? at least I'm not aware of that).
from bls.
There are many papers on roughly this topic for RSA, including some theoretical models, since people like the CRT optimization which causes big problems. It's hard to have satisfactory answers though because side channel attackers are so diverse, including some from which no crypto sounds safe.
Yes, it definitely does not make arithmetic constant-time per se, but the question is how much the threats overlap. If overlap is large, then key splitting helps avoids duplicating effort with zcash, who rarely take pull requests even for trivial things. If the overlap is small, then we should prioritize constant-time signing, maybe by using specialization to call amcl for signing only, or maybe abstracting EngineBLS
further from pairing::Engine
and implementing it for some constant-time implementation, which mostly means reimplementing methods those lack.
from bls.
There is recent work on making the zcash libraries constant time in https://github.com/zkcrypto/bls12_381 so I'm inclined to wait for now.
In any case, we're likely stuck with key splitting now due to worries about validators being run on cloud service providers, so..
I picked an additive split here for speed, but a multiplicative split ab=s with sigma = a(b*H(m)) would not be much slower. Do we gain anything from a multiplicative split? I suspect yes maybe.
from bls.
Related Issues (20)
- Improve serialization of Publickey and Signature HOT 2
- Improve serialization of Publickey and Signature HOT 1
- clean up the depenedancy so they are compatible with substrate HOT 2
- Implement Canonical De/Serialize for SecretKey HOT 1
- Alter the BEEFY structure to have only one aggergated BLS signature HOT 1
- Implement bls signature related functions for (substrate) host API
- Enable BEEFY Keystore to produce BLS signature HOT 2
- Reverse beefy messages to only support unaggregated BLS signatures in Beefy HOT 2
- Implement missing bls function for LocalKeystore HOT 1
- modify `client/beefy/src/worker.rs` to use either ECDSA or BLSnECDSA keystores
- How is `context` meant to be used when creating a new `Message`?
- Make ValidatorSet generic over public key type HOT 3
- Update BLS library to Pairing and Serialization changes HOT 3
- make thread_rng optional on std feature HOT 1
- Write test for BeefyECDSAandBLSKeystore HOT 1
- Implement Chaum Pederson Signature for Keypair HOT 2
- Make `keystore_vs_validator_set` test generic over the keystore HOT 4
- Clean up hash to curve branch and merge it with master HOT 1
- Expose Double Public Key scheme HOT 2
- Implement Serialization for `Double` Schemes HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from bls.