BlockstreamResearch / bip-frost-dkg

49 stars 14 forks source link

RecPedPop: use ECDH between hostkeys to drop the enckeys round #15

Closed jonasnick closed 9 months ago

jonasnick commented 9 months ago

This would save a round in RecPedPop but uses the static host keys for ECDH instead of ephemeral "enckeys".

Will adjust the names of the rounds, etc. accordingly later.

real-or-random commented 9 months ago

We should perhaps add a paragraph or a footnote that explains why a static-static ECDH is okay here. People's first impression may be that static DH is scary and from the 90s. The usual suspects are replay attacks, lack of forward security, and key compromise impersonation. Hm... now that I've listed all of these, let's maybe wait another day and think about it.

real-or-random commented 9 months ago

Okay, so key compromise impersonation (KCI) deserves some thoughts.

What's a KCI attack? Say Alice and Barbara perform a key exchange. If the attacker has Alice's secret key a, it's not surprising that he can impersonate Alice to Barbara. But in the case of static DH, he can also impersonate every Barbara to Alice: since he knows a, he can derive the shared secret aB for any other public key B.

In our setting, this would be a rather devastating attack. Alice may have checked all other public keys out of band, but the attacker can impersonate every other participant in the DKG, pairing her only with malicious sock puppets.

Note that the (perhaps) surprising part here is only authenticity. The attacker can send messages that look like they came from Barbara. Confidentiality is not specially affected by KCI attacks. While it's true that the attacker can also eavesdrop on every connection between Alice and honest Barbaras, that seems impossible to avoid if the attacker has a (and if we want to avoid ephemeral keys to facilitate backups.)

One way to prevent this attack is to add signatures that bind the public key to some unique session ID. (That's why signed ephemeral DH is, in general, not vulnerable to KCI: the ephemeral keys act as a session ID) In the case of RecPedPop, this means that the attacker can impersonate everyone to Alice and complete the key exchanges. But at the end of the protocol, he simply won't be able to sign the transcript as any Barbara.

We don't have the signatures in pure EncPedPop. But even here, the equality check protocol should detect if the attacker tampered with the messages sent to Alice. (And confidentiality is anyway lost, as mentioned above.) This is what meant when we wrote earlier in the document that EncPedPop is authenticated via the equality check.

jonasnick commented 9 months ago

A KCI attack does seem like a problem indeed for DKG. Or the other way around, it is a really desirable property that if the adversary only compromises the seed (and not the machine the DKG is running on), they can not compromise future setups, i.e., any coins sent to an address that is output of a DKG is still protected by a t-of-n (although one signer is already compromised).

The applicability of the KCI attack seems to not be affected by this PR because an attacker compromising a seed would be able to derive the secret my_deckey allowing just the same impersonation attack on master.

However, I'm not quite sure if you suggest that KCI is a real problem on master or in this PR: the attacker can decrypt shares sent by the victim and inject valid shares, but they won't be able to produce a signature for the impersonated participants in certifying_eq which prevents the victims from accepting the outputs of the DKG.

real-or-random commented 9 months ago

The applicability of the KCI attack seems to not be affected by this PR because an attacker compromising a seed would be able to derive the secret my_deckey allowing just the same impersonation attack on master.

Indeed, the same occurred to me after I had written my previous comment.

However, I'm not quite sure if you suggest that KCI is a real problem on master or in this PR: the attacker can decrypt shares sent by the victim and inject valid shares, but they won't be able to produce a signature for the impersonated participants in certifying_eq which prevents the victims from accepting the outputs of the DKG.

What I was trying to say is that the signature in certifying_eq definitively exclude KCI attacks against RecPedPop. (As any "end-to-end" Eq should exclude them for EncPedPop.)