Peter Gutmann wrote:

That's a good start, but it gets a bit more complicated than that in practice
because you've got multiple components, and a basic red light/green light
system doesn't really provide enough feedback on what's going on.  What you'd
need in practice is (at least) some sort of counter to indicate how many
shares are still outstanding to recreate the secret ("We still need two more
shares, I guess we'll have to call Bob in from Bratislava after all").  Also
the UI for recreating shares if one gets lost gets tricky, depending on how
much metadata you can assume if a share is lost (e.g. "We've lost share 5 of
7" vs. "We've lost one of the seven shares"), and suddenly you get a bit
beyond what the UI of an HSM is capable of dealing with.


There is more than the UI at stake here, i.e. the basic functionality of the scheme. Say you distribute shares in a 4 out of 7 scheme (ABCDEF) and share A is published on the web. How do you recover from the remaining 3 out of 6 scheme into a 4 out of 6 scheme without having a key ceremony? In an ad-hoc multi-party scheme, you request 4 of the remaining compliant parties to destroy key material allowing them to participate in a group with the traitor A, but no other key material. No system UI, but admittedly a coordination nightmare!


--
- Thierry Moreau


With a two-share XOR it's much simpler, two red LEDs that turn green when the
share is added, and you're done.  One share is denoted 'A' and the other is
denoted 'B', that should be enough for the shareholder to remember.

If you really wanted to be rigorous about this you could apply the same sort
of analysis that was used for weak/strong links and unique signal generators to
see where your possible failure points lie.  I'm not sure if anyone's ever
done this [0], or whether it's just "build in enough redundancy that we should
be OK".

Peter.

[0] OK, I can imagine scenarios where it's quite probably been done, but
    anyone involved in the work is unlikely to be allowed to talk about it.
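The points raised above (Peter's "how many shares are still outstanding" counter, Thierry's question of how to get from a 4-of-7 scheme with one published share back to a usable 4-of-6 without a key ceremony, and the two-share XOR case) are easier to see in running code. The following is an added example written for this thread, not code from either poster. It uses a textbook Shamir scheme over the prime field mod 2**127 - 1 and recovers from a leaked share with a proactive refresh (each remaining holder hands out evaluations of a random polynomial with zero constant term, and everyone adds what they receive); the prime, the function names and the 4-of-7 demo are this example's own assumptions, and the refresh traffic between holders is simulated in one process rather than sent over a channel.

```python
"""Shamir k-of-n secret sharing with the 'shares still needed' counter Peter
asks for, plus a proactive share refresh that revokes a leaked share without
reconstructing the secret.  Added example for this thread, not either poster's
code.  PRIME, the function names and the 4-of-7 demo are this example's own
assumptions."""
import secrets

# Field prime for the polynomial arithmetic: 2**127 - 1 (a Mersenne prime).
# Assumption: the secret is an integer below PRIME, e.g. a 16-byte key.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x mod PRIME."""
    acc = 0
    for c in reversed(coeffs):          # Horner's rule, highest degree first
        acc = (acc * x + c) % PRIME
    return acc


def split(secret, k, n):
    """Produce n shares (x, y) of secret; any k of them reconstruct it."""
    if not (1 <= k <= n < PRIME and 0 <= secret < PRIME):
        raise ValueError("bad threshold parameters or secret out of range")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover(shares, k):
    """Lagrange-interpolate f(0) from the first k shares (distinct x required)."""
    pts = list(shares)[:k]
    if len(pts) < k or len({x for x, _ in pts}) != k:
        raise ValueError("need %d shares with distinct x" % k)
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def shares_outstanding(k, have):
    """The counter an HSM UI would show: 'we still need N more shares'."""
    return max(0, k - len({x for x, _ in have}))


def refresh(shares, k, num_contributors):
    """Proactive refresh (Herzberg et al. style): each contributing holder
    picks a random degree-(k-1) polynomial with ZERO constant term and gives
    every remaining holder its evaluation at that holder's x; holders add what
    they receive to their y.  The secret is unchanged, nobody reconstructs it
    (no key ceremony), and shares on the old polynomial, the leaked one
    included, no longer combine with the new ones.  The holder of the leaked
    share must simply be left out.  One honest contributor is enough; this
    simulates all of them in one place instead of sending values over a
    confidential channel."""
    shares = list(shares)
    for _ in range(num_contributors):
        g = [0] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
        shares = [(x, (y + _eval_poly(g, x)) % PRIME) for x, y in shares]
    return shares


def xor_split(secret_bytes):
    """Peter's two-share XOR: a random pad and secret XOR pad.  Strictly 2-of-2:
    lose either share and the secret is gone, the price of the simpler UI."""
    pad = secrets.token_bytes(len(secret_bytes))
    return pad, bytes(a ^ b for a, b in zip(pad, secret_bytes))


def xor_combine(share_a, share_b):
    """Recombine the two XOR shares (both must be present)."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def leaked_share_scenario(k=4, n=7):
    """Thierry's case: 4-of-7, share A (x=1) is published.  Returns True when
    the remaining holders' refresh has turned the problem back into 4-of-6
    with A useless, without anyone reconstructing the secret."""
    secret = secrets.randbelow(PRIME)           # constructed: the master key
    shares = split(secret, k, n)
    leaked, honest = shares[0], shares[1:]      # A is out; B..G keep theirs
    # Before the refresh an attacker holding A needs only k-1 honest shares.
    before = recover([leaked] + honest[:k - 1], k) == secret
    new = refresh(honest, k, num_contributors=len(honest))
    return (before
            and recover(new[:k], k) == secret          # any k of the new 6 work
            and recover(new[-k:], k) == secret
            and recover([leaked] + new[:k - 1], k) != secret)  # A is revoked
```

Note what the refresh does not solve: the threshold stays at k and the holders still have to coordinate the exchange of sub-shares, so Thierry's "coordination nightmare" remains, but the secret itself never leaves the shares. Replacing a share that is merely lost rather than published is the easier case; the same refresh re-randomises the survivors, and a missing holder's share can be re-derived for them by any k others evaluating the new polynomial at their x.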

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]

