I mentioned to David off-list that we considered but didn't pursue another multi-device option for signatures. It would be to use a protocol such as 2-Schnorr [1]. Every user has:
- one Schnorr keypair: call it (x, g^x)
- one "home server", be it a home machine or an openID-style "identity service"
- n devices

For each of the n devices, the device gets a random r_i, and the server gets (x - r_i). When a signature is needed, the server and device follow a three-round protocol to cooperatively compute it. If an adversary compromises the server or the client (but not both), he can't make new signatures. So when a user loses a device, she can "resplit" the secret key without changing her public key. For better or worse (I think better), the server retains an auditable log of all signatures computed.

Of course a lot of details remain to be worked out, and given that it's ~2015 and not 2003, you'd probably want to use an EC rather than the DLP over Z_p. But it might be another approach to investigate.

[1] http://cs1.cs.nyu.edu/~nicolosi/papers/ndss03.ps

PS: We (at Keybase) are currently pursuing something akin to the "separate keypairs" option described above. Work is in progress, so nothing to share with the world yet.
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
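The additive key split sketched in the post, as an added illustration. This is not the 2-Schnorr protocol from the cited paper and not Keybase code; it is a simplified two-party Schnorr co-signing over a toy Z_p group that is generated at import time (far too small for real use). The assumptions are mine: the device holds r, the server holds x - r, the three rounds are device commits to its nonce point, server sends its nonce point, device opens the commitment with its partial signature, and the server combines, logs and returns the signature. The `refresh` function shows the "resplit without changing the public key" idea as a proactive share refresh; how a lost device's share is replaced in practice is left to the real protocol and not shown here.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; fine for generating toy parameters."""
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Safe prime p = 2q + 1; g = 4 is a square, so it generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


P, Q, G = make_group()  # constructed toy parameters, regenerated on every import


def enc(n):
    return n.to_bytes(16, "big")


def challenge(r_point, msg):
    """Schnorr challenge e = H(R || m) mod q."""
    return int.from_bytes(hashlib.sha256(enc(r_point) + msg).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)  # secret x, public y = g^x


def split(x):
    """Device share r, server share x - r (mod q)."""
    r = secrets.randbelow(Q)
    return r, (x - r) % Q


def refresh(dev_share, srv_share):
    """Proactive resplit: both shares change, their sum and the public key do not."""
    d = secrets.randbelow(Q)
    return (dev_share + d) % Q, (srv_share - d) % Q


class Device:
    def __init__(self, share):
        self.share = share

    def round1(self):
        """Commit to the nonce point before seeing the server's, so neither side can bias R."""
        self.k = secrets.randbelow(Q - 1) + 1
        self.R = pow(G, self.k, P)
        return hashlib.sha256(enc(self.R)).digest()

    def round3(self, R_s, msg):
        """Open the commitment and send the partial signature z_d = k_d + e*r."""
        e = challenge(self.R * R_s % P, msg)
        return self.R, (self.k + e * self.share) % Q


class Server:
    def __init__(self, share):
        self.share = share
        self.log = []  # auditable record of every signature the server helped make

    def round2(self, commit):
        self.commit, self.k = commit, secrets.randbelow(Q - 1) + 1
        self.R = pow(G, self.k, P)
        return self.R

    def finish(self, R_d, z_d, msg):
        if hashlib.sha256(enc(R_d)).digest() != self.commit:
            raise ValueError("device opened a nonce it did not commit to")
        e = challenge(R_d * self.R % P, msg)
        z = (z_d + self.k + e * self.share) % Q  # z = k_d + k_s + e*(r + (x - r))
        self.log.append((msg, e, z))
        return e, z


def cosign(dev, srv, msg):
    """Three message rounds: device -> server -> device -> server."""
    commit = dev.round1()
    R_s = srv.round2(commit)
    R_d, z_d = dev.round3(R_s, msg)
    return srv.finish(R_d, z_d, msg)


def verify(y, msg, sig):
    """Standard Schnorr check: R' = g^z * y^-e must hash to the same e."""
    e, z = sig
    r_prime = pow(G, z, P) * pow(y, (-e) % Q, P) % P
    return challenge(r_prime, msg) == e


if __name__ == "__main__":
    x, y = keygen()
    r, s = split(x)
    print("co-signature verifies:", verify(y, b"login:alice", cosign(Device(r), Server(s), b"login:alice")))
    r2, s2 = refresh(r, s)
    print("public key unchanged after resplit:", pow(G, (r2 + s2) % Q, P) == y)
```

The verifier sees an ordinary Schnorr signature under the unchanged public key g^x, which is the point of the scheme: neither share alone yields a valid signature (try `Server(0)` and verification fails), the server's `log` records everything it co-signed, and `refresh` rotates both shares while leaving r + (x - r) = x. The nonce commitment in round 1 is what makes the three rounds necessary; without it, whichever side moves second can choose its nonce point after seeing the other's.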
