Thanks Greg for the feedback. We're aware of the proposals for delinearization mechanisms to increase robustness to related-key attacks such as key cancellation, and we're completely open to refinements like these in an eventual standard for collective signatures. I seem to recall that refinements like this were discussed on the CFRG list back in the work leading up to RFC 8032, but weren't adopted in that context for reasons I can't remember well - perhaps simply because the focus then was on individual rather than collective signatures. So perhaps then wasn't the right time to discuss such enhancements, but maybe now is the right time. Can anyone else remember exactly when that discussion occurred or find the relevant messages in the CFRG list archive?
At any rate, our Internet-Draft is intended to be just a first draft, not by any means a final specification. Our immediate goal is to get a critical mass of support within CFRG to adopt collective signing as a working group item. Once we get to that point, then we can begin the process of (collectively) figuring out exactly what that signing scheme should look like, including which particular hardening refinements (such as delinearization mechanisms) it should include.
So if you and/or others on this list are interested in seeing collective signing in some form move toward standardization, what would be ideal at the moment is if you could post to the CFRG mailing list an E-mail stating (a) that you support the CFRG adopting collective signing as a working group item, and (b) a list of issues or changes such as the above that you'd like to see considered in the context of that work, of which delinearization should certainly be a high-priority topic.
Thanks
Bryan
Post by Gregory Maxwell
The lack of delinearization makes this rather fragile: if someone
fails to check a key signature their key can be canceled. Having to
carry around those signatures also makes this approach unsuitable for
some applications e.g. where keys are used once and the group is
formed by the verifier instead of the signers, in that case the
additional signatures plus the collective signature require more
bandwidth and computation than normal single party signatures.
Post by Nicolas Gailly
Hi all,
We recently published an Internet-Draft about "Collective Edwards-Curve Digital Signature Algorithms" based on Ed25519 and Ed448: https://datatracker.ietf.org/doc/draft-ford-cfrg-cosi/
We already submitted it to the CFRG mailing list (follow-up discussions in [0]), and since we thought that this community might also be interested, we wanted to reach out to this mailing list, too.
FWIW, we plan to give a short presentation on that topic at the next CFRG meeting in Prague (18th of July).
Any feedback is more than welcome. Thanks!
All the best,
Nicolas
[0] https://www.ietf.org/mail-archive/web/cfrg/current/msg09205.html
_______________________________________________
Curves mailing list
https://moderncrypto.org/mailman/listinfo/curves
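The key-cancellation point Greg raises, and the two defences the thread mentions (the draft's per-key signatures, and a delinearization mechanism), worked through as an added example. This is not code from the draft or from the cosi project; it uses a toy Schnorr signature over a prime-order subgroup of Z_p* (a safe prime found at import time) instead of Ed25519, since the linear structure of the public keys is what matters and it is the same in both. The delinearization shown is the common hash-coefficient form (each key K_i is weighted by a_i = H(L, K_i) over the sorted key list L); all function names (`naive_aggregate`, `cancelling_key`, `key_signature`, `coefficient`, `demo`) and the sample secrets are constructed here and are not from the draft.

```python
import hashlib

# Toy Schnorr group: Z_p* with a safe prime p = 2q + 1 found at import time and a
# generator G of its prime-order subgroup. It stands in for the Ed25519 group in
# the draft; the linear algebra behind key cancellation is identical.
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
def is_prime(n):  # deterministic Miller-Rabin with these bases, valid for n < 3.3e24
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start):  # smallest odd q >= start with q and 2q + 1 both prime
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_from(2**63)
G = 4  # a square mod P, hence of prime order Q

def h(*parts):  # hash integers to a scalar mod Q (stand-in for Ed25519's SHA-512 use)
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def sign(x, pub, msg):  # Schnorr (R, s) with a deterministic nonce, as Ed25519 does
    r = h(x, pub, msg) or 1
    R = pow(G, r, P)
    return R, (r + h(R, pub, msg) * x) % Q

def verify(pub, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(pub, h(R, pub, msg), P) % P

def naive_aggregate(pubs):  # K = prod K_i, signed with the joint secret sum x_i
    k = 1
    for pub in pubs:
        k = k * pub % P
    return k

def coefficient(pubs, pub):  # delinearization coefficient a_i = H(L, K_i)
    return h(*sorted(pubs), pub)

def delinearized_aggregate(pubs):  # K = prod K_i^{a_i}, joint secret sum a_i x_i
    k = 1
    for pub in pubs:
        k = k * pow(pub, coefficient(pubs, pub), P) % P
    return k

def delinearized_joint_secret(xs):
    pubs = [pow(G, x, P) for x in xs]
    return sum(coefficient(pubs, pub) * x for pub, x in zip(pubs, xs)) % Q

def key_signature(x, pub):  # the draft's check: the key signs its own public key
    return sign(x, pub, pub)

def cancelling_key(honest_pubs, x_att):
    # Key cancellation as described in the thread: K* = g^x_att * prod(K_i)^-1, so the
    # naive aggregate of (K_1..K_n, K*) is g^x_att although nobody knows log(K*).
    k = pow(G, x_att, P)
    for pub in honest_pubs:
        k = k * pow(pub, -1, P) % P
    return k

def demo(x_honest=0x1234, x_att=0x5678, msg=42):  # constructed toy secrets
    k_honest, k_att = pow(G, x_honest, P), pow(G, x_att, P)
    rogue = cancelling_key([k_honest], x_att)
    naive = naive_aggregate([k_honest, rogue])
    delin = delinearized_aggregate([k_honest, rogue])
    agg = delinearized_aggregate([k_honest, k_att])
    joint = delinearized_joint_secret([x_honest, x_att])
    return {
        # unchecked linear aggregation: the aggregate is the attacker's own key
        "naive_collapses": naive == k_att,
        "naive_single_signer_verifies": verify(naive, msg, sign(x_att, naive, msg)),
        # check 1: no valid key signature exists for K*, whose log nobody knows
        "rogue_key_signature_rejected": not verify(rogue, rogue, key_signature(x_att, rogue)),
        "honest_key_signature_accepted": verify(k_honest, k_honest, key_signature(x_honest, k_honest)),
        # check 2: coefficients depend on K* itself, so the aggregate is not k_att
        "delinearized_collapses": delin == k_att,
        "delinearized_single_signer_verifies": verify(delin, msg, sign(x_att, delin, msg)),
        "delinearized_joint_verifies": verify(agg, msg, sign(joint, agg, msg)),
    }
```

Calling `demo()` returns the seven checks as booleans: the first two show why a verifier must not accept an aggregate of unchecked keys, the next two show the draft's key-signature check rejecting a key whose discrete log nobody holds, and the last three show that with delinearization the same rogue key neither collapses the aggregate nor lets one party sign alone, while honest parties can still produce a valid joint signature. The bandwidth point in Greg's message is visible here too: the key-signature check costs one extra signature per key, whereas delinearization costs only a hash per key.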