Is this the first ever practically-deployed use of a threshold scheme?
Thierry Moreau
thierry.moreau at connotech.com
Tue Aug 3 11:45:16 EDT 2010
Peter Gutmann wrote:
>
> That's a good start, but it gets a bit more complicated than that in practice
> because you've got multiple components, and a basic red light/green light
> system doesn't really provide enough feedback on what's going on. What you'd
> need in practice is (at least) some sort of counter to indicate how many
> shares are still outstanding to recreate the secret ("We still need two more
> shares, I guess we'll have to call Bob in from Bratislava after all"). Also
> the UI for recreating shares if one gets lost gets tricky, depending on how
> much metadata you can assume if a share is lost (e.g. "We've lost share 5 of
> 7" vs. "We've lost one of the seven shares"), and suddenly you get a bit
> beyond what the UI of an HSM is capable of dealing with.
>
There is more than the UI at stake here, i.e. the basic functionality of
the scheme. Say you distribute shares in a 4 out of 7 scheme (ABCDEF)
and share A is published on the web. How do you recover from the
remaining 3 out of 6 scheme into a 4 out of 6 scheme without having a
key ceremony? In an ad-hoc multi-party scheme, you request 4 of the
remaining compliant parties to destroy key material allowing them to
participate in a group with the traitor A, but no other key material. No
system UI, but admittedly a coordination nightmare!
--
- Thierry Moreau
> With a two-share XOR it's much simpler, two red LEDs that turn green when the
> share is added, and you're done. One share is denoted 'A' and the other is
> denoted 'B', that should be enough for the shareholder to remember.
>
> If you really wanted to be rigorous about this you could apply the same sort
> of analysis that was used for weak/stronglinks and unique signal generators to
> see where your possible failure points lie. I'm not sure if anyone's ever
> done this [0], or whether it's just "build in enough redundancy that we should
> be OK".
>
> Peter.
>
> [0] OK, I can imagine scenarios where it's quite probably been done, but
> anyone involved in the work is unlikely to be allowed to talk about it.
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list