diff --git a/wsts.tex b/wsts.tex index e905ac44..d6d9a9ad 100644 --- a/wsts.tex +++ b/wsts.tex @@ -232,7 +232,6 @@ \subsubsection{ z_i = d_i + \rho_i \cdot e_i + s_i \cdot c \cdot \lambda_i \end{align} - \subsubsection{ Aggregating the Group Signature } @@ -430,7 +429,6 @@ \section{ \end{tabular} \end{center} - \section{ Robustness } @@ -457,7 +455,6 @@ \subsection{ When running a FIRE round with WSTS vs FROST, the only difference is that we must count the number of keys controlled by each party who responds with a nonce in every session. Only when the sum of keys controlled by the given nonces equals or exceeds $T$ do we form $S_j$ and begin the signing portion of the session. - \subsection{ ROAST } 
@@ -533,13 +530,165 @@ \section{ Security } -\subsection{ - Correctness -} +In this section we prove the security of WSTS. We demonstrate +security of WSTS against the standard notion of existential unforgeability against chosen message attacks (EUF-CMA) by reducing the security of WSTS to the security of FROST, which in turn reduces to the the difficulty of computing the discrete logarithm problem. + +\subsection{Adversary Powers} + +We take the forger $\mathcal{F}$ to be a routine that with non-negligible probability $\epsilon$ and within a polynomial amount of time $\tau$, can do the following: +\begin{itemize} + \item \textbf{Oracle Access}: \( \mathcal{F} \) can query a signing oracle with messages of their choice and receive valid signatures. + \item \textbf{Protocol Participation}: \( \mathcal{F} \) follows WSTS by being a participant to obtain information useful for forgery. + \item \textbf{Output}: \( \mathcal{F} \) outputs a pair \((m, \sigma)\), where \(m\) is a message not previously signed by the oracle during \( \mathcal{F} \)'s attack, and \(\sigma\) is a valid signature for \(m\). +\end{itemize} + +When performing its forgery attack, we grant $\mathcal{F}$ the role of the signature aggregator. Without loss of generality, we assume $\mathcal{F}$ controls $C$ compromised participants with combined key share equal to $t-1$, and has full power over how these participants behave, what secret and public values they generate, etc. Moreover, we assume the $t$-th participant controls only one share. + +\subsection{From WSTS to FROST} + +As mentioned above, our security proof relies on a reduction of WSTS to FROST. To do so, we map configurations of WSTS to configurations of FROST, where a \textbf{configuration} is the total number of participants, the threshold, the number of key IDs, the number of secret keys, and private nonces among the participants. -In Sections 4.4.1 and 2.7.5, we show how WSTS and FROST reduce to a Schnorr proof. 
This is sufficient to show correctness. +Before start we introduce a useful definition. Let a \textbf{dummy participant} be a participant where their secret polynomial coefficients and private nonces are all zero. These participants abide by the FROST protocol in every other way. +\begin{lem}[Mapping between WSTS and FROST]\label{lemma:wsts-frost-equivalence} + Suppose we are given a valid configuration for $n$ participants in WSTS and $\kappa$ key IDs. Then we can uniquely identify a configuration of FROST with $\kappa$ participants with the following properties: + \begin{enumerate} + \item the participants have the same secret shares as in the WSTS configuration, + \item the first $n$ participants have the same secret polynomial as in WSTS, + \item the remaining $\kappa - n$ participants are dummy participants, + \item the group private and public keys are the same, + \item the group can produce the same valid signature given the same message. + \end{enumerate} +\end{lem} +\begin{proof} +Let $t$ denote the threshold, $\kappa > n$ denote the number of key IDs, and $\{ f_i \}_{i\in [1,n]}$ denote the private polynomials of the WSTS participants (the WSTS protocol with $\kappa = n$ is the same as the FROST protocol so we skip it). To find the FROST configuration, we will have $\kappa$ participants. Make the first $n$ participants in the FROST configuration have the same private polynomials as those in the WSTS configuration. The remaining $\kappa - n$ participants are all dummy participants where +\begin{align}\label{equation:dummy-participant-polynomial} + f_i(x) \equiv 0, \qquad i \in [n+1, \kappa]. +\end{align} +%% +In the FROST configuration just described, we can compute the group private key as: +\begin{align} + f(0) = \sum_{i=1}^n f_i(0) + \sum_{i = n+1}^\kappa f_i(0) = \sum_{i=1}^n f_i(0), +\end{align} +%% +where we used \eqref{equation:dummy-participant-polynomial} in the final equality. 
This implies that the public and private key in this FROST configuration is the same as the public and private key in the WSTS configuration. + +These dummy participants still send and receive secret shares during DKG. Specifically, they send $(j, f_i(j)) = (j, 0)$ to participant $j$. This implies that the $i$-th participant has secret share +\begin{align} + s_i = \sum_{k=1}^\kappa f_k(i) = \sum_{k=1}^n f_k(i), +\end{align} +%% +which is the same as the secret key share definition for the $i$-th key in WSTS \eqref{equation:secret-share-definition}. + +When it comes time to sign message $m$, recall that the signature in WSTS would be +\begin{align}\label{equation:signature-wsts-appendix} + z & = \sum_{i \in S}^{} z_{i} + = \sum_{i \in S}^{} d_{i} + \rho_{i} \cdot e_{i} + c \cdot \sum_{k \in K_i}^{} \lambda_{k} \cdot s_{k} +\end{align} +%% +where $S$ is the signing set, $d_i$ and $e_i$ are private nonces, $K_i$ is the key ID set for participant $i$, $\rho_i$ is a hash of the message with identifier $i$ and the nonces \eqref{equation:message-participant-hash}, and $c$ is a hash of the message with the public key \eqref{equation:message-public-key-hash}. Luckily, equation \eqref{equation:signature-wsts-appendix} tells us who to include in the signature on the FROST side to generate the same signature. Specifically, we select the participants in $S$, along with the dummy participants identified by the key IDs in $\bigcup_{i \in S} K_i$. These dummy participants do not contribute to the $\sum_{i \in S}^{} d_{i} + \rho_{i} \cdot e_{i}$ portion of the signature in \eqref{equation:signature-wsts-appendix}, since their private nonces are zero. 
Thus the FROST signature is: +\begin{align}\label{equation:signature-frost-appendix} + % z & %= \sum_{i \in S_{}}^{} z_{i} + \underbrace{\sum_{i \in S}^{} d_{i} + \rho_{i} \cdot e_{i} + c \cdot \lambda_{i} \cdot s_{i}}_{\text{From normal participants}} + \underbrace{\sum_{k \in K_i - \{i\}}^{} c \cdot \lambda_{k} \cdot s_{k}}_{\text{From dummy participants}}, +\end{align} +%% +where we assumed WLOG that $K_i = \{ i \} \cup K_i^{\prime}$ with $K_i^\prime \subset [n + 1, \kappa]$. Since the signature \eqref{equation:signature-wsts-appendix} is identical to the one generated in WSTS, \eqref{equation:wsts-signature-definition}, the proof is complete. +\end{proof} + +%% +% \begin{figure}[!ht] +% \centering +% \begin{tikzpicture}[remember picture, node distance=3cm, +% inner/.style={circle,solid,draw=blue!50,thick,inner sep=1pt}, +% outer/.style={circle,dashed,thick,draw=black,inner sep=2pt} +% ] +% \node[inner,draw=blue] (E1) at (0.0, 2.0) {}; + +% \node[] (E2) at (1.4, 1.5) { +% \begin{tikzpicture}[node distance=0.5cm] +% \node [inner,draw=blue] (bi) {}; +% \node [inner,draw=blue,below left of=bi] (biii) {}; +% \node [inner,draw=blue,below of=biii] (bii) {}; +% % \draw[inner,red,thick] (bi) -- (bii) -- (biii) -- (bi); +% \end{tikzpicture} +% }; +% \node[outer,draw=black] (E3) at (-0.4, 0.4) { +% \begin{tikzpicture}[node distance=0.25cm] +% \node [inner,draw=blue] (ci) {}; +% \node [inner,draw=gray,below right of=ci] (cii) {}; +% \node [inner,draw=gray,below left of=cii] (ciii) {}; +% \node [inner,draw=gray,left of=ciii] (civ) {}; +% \node [inner,draw=gray,above of=civ] (cv) {}; +% \end{tikzpicture} +% }; +% \node[] (E4) at (-1.5, 1.6) { +% \begin{tikzpicture}[node distance=0.5cm] +% \node [inner,draw=blue] (di) {}; +% \node [inner,draw=blue,below of=di] (dii) {}; +% \node [inner,draw=blue,below left of=dii] (diii) {}; +% % \draw[inner,red,thick] (di) -- (dii) -- (diii) -- (di) -- (diii); +% \end{tikzpicture} +% }; +% % \draw[black,thick] (E1) -- (E2) -- (E3) -- (E4) -- 
(E1); +% % \draw[black,thick,->] (E2) -- (E4); +% % \draw[black,thick,->] (E1) -- (E3); +% \end{tikzpicture} +% \caption{FROST with Full participants in blue and dummy participants in grey}\label{after clustering} +% \end{figure} +%% + +% \begin{lem}[WSTS information exchange] +% Let $\mathfrak{W}$ be a valid configuration for $n$ participants in WSTS and key IDs $\{ K_i \}_{i \in [1,n]}$ and let $\mathfrak{F}$ be the analogous FROST configuration from Lemma~\ref{lemma:wsts-frost-equivalence}. +% \end{lem} + +% \begin{proof} + +% \end{proof} + +\begin{rem} + We can place further restrictions on our dummy participants. Suppose dummy participants: + \begin{enumerate} + \item Did not send polynomial commitments and secret shares during DKG (since they're all zero anyway). + \item Sent in secret signing shares whenever participants $i$ sent in secret signing shares, for some fixed $i \in [1, n]$. + \end{enumerate} + In this case we would see by Lemma~\ref{lemma:wsts-frost-equivalence} that WSTS with $n$ participants, threshold $t$, and key distribution $\{K_i\}_{i\in [1,n]}$ is really just FROST with $n$ regular participants and $\kappa - n$ dummy participants, where regular participant $i$ controls dummy participants with IDs in $K_i - \{ i\}$. The security of WSTS relies on the fact that FROST is $(\tau, \epsilon)$-unforgeable even if an adversary controlled $\kappa - 1$ participants, assuming the discrete logarithm problem is $(\tau, \epsilon)$-hard. + %A FROST adversary with control over $\kappa - 1$ keys could always simulate WSTS. +\end{rem} + +\subsection{EUF-CMA proof of WSTS} + +We say a problem is $(\tau, \epsilon)$-hard if, with probability $\epsilon$, it takes $\tau$ amount of time to compute. We now give a security proof of WSTS. When we say WSTS or FROST is $(\tau, \epsilon)$-secure, we are saying that with probability $\epsilon$ it takes $\tau$ amount of time to compute a forgery of a signature of a chosen message. 
+ +\begin{thm}[EUF-CMA of WSTS] + Assume the discrete logarithm problem is $(\tau, \epsilon)$-hard. Then WSTS is $(\tau, \epsilon)$-secure if and only if FROST is $(\tau, \epsilon)$-secure. +\end{thm} + +\begin{proof} +Suppose WSTS is $(\tau, \epsilon)$-secure. Then WSTS where the key sets are $K_i = \{i\}$ would be $(\tau, \epsilon)$-secure. Since this protocol is FROST, we see that FROST is $(\tau, \epsilon)$-secure. + +The proof that FROST being $(\tau, \epsilon)$-secure implies WSTS being $(\tau, \epsilon)$-secure is a proof by contradiction. Suppose there exists a forger $\mathcal{F}$ for WSTS where there are $n$ participants and some distribution of key IDs $\{ K_i\}_{i\in [1, n]}$, and threshold $\kappa$, where the forger controlled the participants identified by the set $C$ with a total of $\sum_{i \in C}|K_i| \leq \kappa - 1$ keys. That is, assume $\mathcal{F}$ could construct a forgery $\sigma$ for a public key $Y$ with a chosen message $m$ with probability $\epsilon$ and time $\tau$ but does not control the threshold of secret shares. Furthermore, assume the stipulations in the adversary powers section for the forger. + +\begin{setup}{Step 1} + Setup the FROST topology for $\mathcal{F}^\prime$. +\end{setup} + +Construct $\kappa$ participants in a FROST protocol with threshold $\kappa$ and give an adversary control of $\kappa - 1$ participants. We now define how a forger $\mathcal{F}^\prime$ for a FROST configuration that could generate a forgery with the same effort as the WSTS forger. + +\begin{setup}{Step 2} + Distributed Key Generation (DKG) under $\mathcal{F}^\prime$. +\end{setup} + +The FROST forger $\mathcal{F}^\prime$ is a routine that takes the same inputs as the WSTS forger $\mathcal{F}$, including the particular WSTS setup that $\mathcal{F}$ needs. $\mathcal{F}^\prime$ first supplies these inputs into $\mathcal{F}$ to do WSTS DKG. 
It then use Lemma~\ref{lemma:wsts-frost-equivalence} to construct a FROST configuration that is analogous to the WSTS forger's configuration. Afterwards, the FROST forger $\mathcal{F}^\prime$ has access to the same secret shares and the same public key as the WSTS forger. + +\begin{setup}{Step 3} + $\mathcal{F}^\prime$ forges a signature. +\end{setup} + +We must detail the routine that generates a forgery of a signature in our chosen FROST configuration. Luckily, we have routine that forges signatures, namely $\mathcal{F}$. It takes as input the private key shares it controls, private nonces, the public key, an oracle producing valid signatures, and can produce a valid signature for message $m$ of it's choice. It does this using the information under it's control and by interacting with the participant(s) not within its control. Since $\mathcal{F}^\prime$ has access to the same information (by Lemma~\ref{lemma:wsts-frost-equivalence}) and interacts with the participant(s) not within its control in the same way (since WSTS is a derivative of FROST), it can carry out the same procedure as $\mathcal{F}$ to forge a signature. + +Thus we have constructed a FROST forger that $(\tau, \epsilon)$-breaks the unforgeability property of FROST. This violates Theorem \cite[\S A.2]{frost:2020}, yielding the desired contradiction. +\end{proof} \end{document}
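Review bot: the hunks at -232, -430 and -457 each delete only a blank line before a `\subsubsection`, `\section` or `\subsection` command and have nothing to do with the security proof added at -533; split them into a separate whitespace-only commit so the substantive change can be reviewed (and later bisected) on its own.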
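Review bot: the hunk at -533 drops the `Correctness` subsection and with it the only correctness argument in the section ("In Sections 4.4.1 and 2.7.5, we show how WSTS and FROST reduce to a Schnorr proof. This is sufficient to show correctness.") without saying where correctness is now established. Either keep a one-sentence correctness remark that points at item 5 of Lemma~\ref{lemma:wsts-frost-equivalence} ("the group can produce the same valid signature given the same message"), or state in the new section intro that correctness follows from the lemma; if the old sentence survives anywhere, replace the hard-coded "4.4.1 and 2.7.5" with `\ref` so the numbers do not rot. Two typos in the same region: "reduces to the the difficulty of computing the discrete logarithm problem" doubles "the", and "Before start we introduce a useful definition" should read "Before we start, we introduce".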
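Review bot: the $(\tau, \epsilon)$ definitions opening the "EUF-CMA proof of WSTS" subsection are inverted. "A problem is $(\tau, \epsilon)$-hard if, with probability $\epsilon$, it takes $\tau$ amount of time to compute" makes $\epsilon$ the probability of a running time rather than a success bound; the usual form is that no algorithm running in time at most $\tau$ solves the problem with probability greater than $\epsilon$, and likewise $(\tau, \epsilon)$-secure means no forger running in time at most $\tau$ outputs a valid $(m, \sigma)$ for an unqueried $m$ with probability greater than $\epsilon$. As written the theorem's hypothesis and conclusion have no tightness content; also check whether the FROST result cited from \cite[\S A.2]{frost:2020} is tight, because the theorem puts the same $(\tau, \epsilon)$ pair on both sides and silently inherits whatever loss that reduction has. In the "Adversary Powers" subsection, $C$ is introduced as a count ("controls $C$ compromised participants") but used later as a set ("participants identified by the set $C$"); pick one. "We assume the $t$-th participant controls only one share" does not say which participant is meant; if it is the single honest participant holding the remaining share, say so, since the reduction in Step 3 relies on there being exactly one honest party. The bullet "Protocol Participation: $\mathcal{F}$ follows WSTS by being a participant" describes a passive adversary and contradicts "has full power over how these participants behave"; let the bullet say the corrupted participants may deviate arbitrarily.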
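Review bot: in the proof of Lemma~\ref{lemma:wsts-frost-equivalence} the FROST signature equation (label `equation:signature-frost-appendix`) leaves the index $i$ free: the dummy-participant term "\sum_{k \in K_i - \{i\}}^{} c \cdot \lambda_{k} \cdot s_{k}" sits outside the sum over $i \in S$, so the display is not well defined, and because "% z & ..." is commented out the `align` has no left-hand side. Write it as $z = \sum_{i \in S} \big( d_i + \rho_i e_i + c \lambda_i s_i + \sum_{k \in K_i \setminus \{i\}} c \lambda_k s_k \big)$ with the dummy contribution nested per signer. The closing sentence compares the wrong labels: "Since the signature \eqref{equation:signature-wsts-appendix} is identical to the one generated in WSTS, \eqref{equation:wsts-signature-definition}" should say that \eqref{equation:signature-frost-appendix} equals \eqref{equation:signature-wsts-appendix}. Substantively, item 5 needs an argument for the binding factors: the hunk defines $\rho_i$ as "a hash of the message with identifier $i$ and the nonces", and in the FROST configuration the nonce list fed to that hash also contains the dummy participants' zero nonces (identity-point commitments), so $\rho_i$ only coincides with the WSTS value if WSTS hashes the same key-ID-indexed list; spell that out, and note that an implementation which rejects identity-element commitments would reject the dummies, so the mapping is an argument about the abstract protocol, not about a conforming implementation. The relabeling "WLOG that $K_i = \{ i \} \cup K_i^{\prime}$ with $K_i^\prime \subset [n + 1, \kappa]$" is used in the proof but missing from the lemma statement; add it to the hypotheses, since item 2 ("the first $n$ participants have the same secret polynomial") only makes sense under it.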
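Review bot: the threshold is inconsistent between the lemma, the remark and the theorem proof, and the remark's claim is false as stated. The lemma fixes $t$ as the threshold and $\kappa$ as the number of key IDs, but the remark asserts "FROST is $(\tau, \epsilon)$-unforgeable even if an adversary controlled $\kappa - 1$ participants", the forger hypothesis bounds the adversary by "$\sum_{i \in C}|K_i| \leq \kappa - 1$", and Step 1 builds "a FROST protocol with threshold $\kappa$" with $\kappa - 1$ corrupted participants, while "Adversary Powers" bounds the adversary by $t - 1$ shares. With threshold $t < \kappa$, an adversary holding $\kappa - 1 \geq t$ shares signs honestly, so unforgeability cannot hold; the FROST game assumes at most $t - 1$ corruptions. Use threshold $t$ and $\sum_{i \in C}|K_i| \leq t - 1$ throughout, and have Step 1 hand $\mathcal{F}^\prime$ exactly the compromised participants' key IDs plus the $\kappa - n$ dummies. Step 3 also omits the core of the reduction: it must say how $\mathcal{F}^\prime$ answers $\mathcal{F}$'s WSTS signing-oracle queries, namely by forwarding each query to its FROST signing oracle with the signing set expanded by the dummy key IDs of the WSTS signers and relaying the honest participant's output back; "interacts with the participant(s) not within its control in the same way" is the entire argument and should be written out. Remark item 1 ("Did not send polynomial commitments and secret shares during DKG") breaks FROST DKG, where every participant verifies a share from every other participant; if the dummies are silent, state that missing shares are treated as zero. Minor fixes: "It then use Lemma" should be "It then uses"; "we have routine that forges" should be "we have a routine"; "of it's choice" and "under it's control" should be "its"; "a forger $\mathcal{F}^\prime$ for a FROST configuration that could generate a forgery" is ungrammatical; "This violates Theorem \cite[\S A.2]{frost:2020}" should name the result, e.g. "the unforgeability theorem of \cite[\S A.2]{frost:2020}". The `setup`, `lem`, `rem` and `thm` environments are not defined anywhere in this diff; confirm the preamble defines `setup` with one mandatory argument, otherwise `\begin{setup}{Step 1}` typesets "Step 1" as body text rather than as a heading.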