[messaging] Multiple devices and key synchronization: some thoughts
themax at gmail.com
Mon Dec 29 18:52:54 PST 2014
I mentioned to David off-list that we considered but didn't pursue another
multi-device option for signatures. It would be to use a protocol such as
2-Schnorr . Every user has:
- one Schnorr keypair: call it (x,g^x)
- one "home server", be it a home machine or an openID-style "identity
- n devices
For each of the n devices, the device gets a random r_i, and the server
gets (x - r_i). When a signature is needed, the server and device follow a
three-round protocol to cooperatively compute it. If an adversary
compromises the server or the client (but not both), he can't make new
signatures. So when a user loses a device, she can "resplit" the secret
key without changing her public key.
For better or worse (I think better), the server retains an auditable log
of all signatures computed.
Of course a lot of details remain to be worked out, and given that it's
~2015 and not 2003, you'd probably want to use an EC rather than the DLP
over Z_p. But it might be another approach to investigate.
PS: We (at Keybase) are currently pursuing something akin to the "separate
keypairs" option described above. Work is in progress, so nothing to share
with the world yet.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Messaging