2

I am planning to use threshold cryptography in a Java application. So far, I have only found ThresSig and a ECDSA implementation used in TwoFactorBtcWallet. However, ThresSig is based on a 15-years old scheme, Shoup's Practical Threshold Signatures, and I can't figure out how to re-use the aforementioned ECDSA implementation for my own needs (I am not even sure if the code supports more than 2 parties).

Are Shoup's Practical Threshold Signatures considered secure nowadays? Are there any well-known pitfalls or recommendation on sizes, etc.? If not, is ECDSA an appropriate building block and how?

otus
  • 32,132
  • 5
  • 70
  • 165
João
  • 21
  • 1
  • please note: Old schemes are not neccessarily bad. They may be indeed really good like the OTP or shamir's secret sharing. – SEJPM Sep 07 '15 at 19:18
  • 1
    Choosing Java libraries is off-topic here. You could ask on [softwarerecs.se], but first you need to choose an algorithm. Deciding which algorithms are suitable is on-topic here, so I've edited your question to match. – Gilles 'SO- stop being evil' Sep 07 '15 at 20:37
  • I am not able to follow and to check all the details on the Shoup's paper, but it has two theorems which prove that the scheme is secure, under the assumtion that the standard RSA signature scheme is secure. So, assuming that the paper is correct and the proofs of these theorems have no flaws, your question "Are Shoup's Practical Threshold Signatures considered secure nowadays?" becomes "Is RSA considered secure nowadays?". It seems that RSA keys of length 2048-bit are considered to be secure for now and for many years in the future. (See: http://crypto.stackexchange.com/q/1978/12164 ) – dashohoxha Nov 11 '15 at 08:47
  • @João Any paper around describing that ECDSA implementation? Please note there's Paillier scheme and "zk proof" inside the sourse. – Vadym Fedyukovych Nov 13 '15 at 22:01

1 Answers1

2

Shoup proved security of his scheme in the random oracle model, which means that it should be "as secure" as RSA itself assuming you use a sufficiently strong hash function, which today should be SHA-2.

More important than the scheme itself, any implementation should be considered with some suspicion given the substantial history of buggy cryptosystems in the world; RSA is at least a tiny bit more forgiving than DSA/ECDSA in this regard.

In any case, I would suspect that threshold schemes, given their relative complexity, have some potential for side channel attacks, e.g., on timing.

Unless you require actual threshold signature capability, in which case one really needs to understand the schemes and implementations in depth, I would suggest using alternative methods that accomplish the same goal.

For example, one can simulate $t$-of-$n$ threshold signatures by issuing $n$ certificates and requiring that any $t$ of them sign a message before accepting that message. This unfortunately sacrifices some properties of threshold signatures (e.g., privacy) but can be more easily implemented using standard libraries.

Joe Bebel
  • 339
  • 1
  • 6