[messaging] Multiple devices and key synchronization: some thoughts
Maxwell Krohn
themax at gmail.com
Mon Dec 29 18:52:54 PST 2014

I mentioned to David off-list that we considered but didn't pursue another
multi-device option for signatures. It would be to use a protocol such as
2-Schnorr [1]. Every user has:

- one Schnorr keypair: call it (x,g^x)
- one "home server", be it a home machine or an openID-style "identity
  service"
- n devices

For each of the n devices, the device gets a random r_i, and the server
gets (x - r_i). When a signature is needed, the server and device follow a
three-round protocol to cooperatively compute it. If an adversary
compromises the server or the client (but not both), he can't make new
signatures. So when a user loses a device, she can "resplit" the secret
key without changing her public key.

For better or worse (I think better), the server retains an auditable log
of all signatures computed.

Of course a lot of details remain to be worked out, and given that it's
~2015 and not 2003, you'd probably want to use an EC rather than the DLP
over Z_p. But it might be another approach to investigate.

[1] http://cs1.cs.nyu.edu/~nicolosi/papers/ndss03.ps

PS: We (at Keybase) are currently pursuing something akin to the "separate
keypairs" option described above. Work is in progress, so nothing to share
with the world yet.
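
The additive split described in the message above, as an added example that is not part of the original post and is not the exact 2-Schnorr protocol from [1]: a toy Z_p group (constructed, far too small for real use), a simplified three-message commit-then-reveal signing flow with both parties simulated in one function, and a share refresh standing in for the "resplit". All function names and parameters are assumptions made for illustration.

```python
import hashlib, secrets

# Toy Schnorr group (constructed for illustration, far too small for real use):
# P = 2Q + 1 with P, Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Hash to a nonzero challenge in [1, Q-1]."""
    d = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return 1 + int.from_bytes(d, "big") % (Q - 1)

def nonzero():
    return 1 + secrets.randbelow(Q - 1)

def split(x):
    """Device gets random r; server gets x - r (both kept nonzero mod Q)."""
    while True:
        r = nonzero()
        if (x - r) % Q:
            return r, (x - r) % Q

def refresh(dev, srv):
    """Re-randomize both shares; their sum, and so g^x, is unchanged."""
    while True:
        d = nonzero()
        if (dev + d) % Q and (srv - d) % Q:
            return (dev + d) % Q, (srv - d) % Q

def cosign(msg, dev, srv, log):
    """Simulate both parties; neither share is ever sent to the other side."""
    k_s, k_d = nonzero(), nonzero()      # each side's secret nonce half
    R_s = pow(G, k_s, P)
    commit = H("commit", R_s)            # message 1: server -> device
    R_d = pow(G, k_d, P)                 # message 2: device -> server
    R = R_d * R_s % P
    e = H(R, msg)
    log.append((msg, R))                 # server's audit log of what it co-signed
    s_s = (k_s + e * srv) % Q            # message 3: server -> device (R_s, s_s)
    assert commit == H("commit", R_s)    # device checks the opened commitment
    return R, (s_s + k_d + e * dev) % Q  # device adds its half: s = k + e*x

def verify(y, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(y, H(R, msg), P) % P

if __name__ == "__main__":
    x = nonzero(); y = pow(G, x, P); log = []
    dev, srv = split(x)
    print(verify(y, "hello", cosign("hello", dev, srv, log)), log)
```

After refresh(), a signature attempted with the stale device share no longer verifies, while the public key g^x stays the same.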