frosix

Multiparty signature service (experimental)

introduction.tex (8388B)


In today's digital landscape, signatures play a crucial role in nearly every
aspect of modern informatics. Through the use of signatures, we are able to
validate the authenticity, integrity and non-repudiation of any digital information.

The private signing key is the most crucial component for creating a signature
and must be kept secret at all costs.
But keeping a private key confidential is a challenging task, often underestimated in the past
\cite{heise:msi-hack} \cite{schneier:leaked-keys} \cite{github:stolen-keys} \cite{malwarebytes:nvidia-keys}.

A popular security solution is the use of a hardware security module (HSM) \cite{IR8320}.
Even though these modules are considered secure, they are quite expensive
and require trust in a single manufacturer.

Qualified signatures represent the digital signature in a legally valid form \cite{admin:qes}.
In Switzerland, there are currently three providers \cite{bit:qes} which provide qualified signatures
for the general public. Only one of these providers allows the use of an HSM for signing,
with the other two providers always creating the signatures under their sovereignty.

For signing cryptocurrency transactions, multi-signatures are the preferred way to protect a wallet \cite{bitcoin:multisig}.
With multi-signatures, there are several entities, each possessing its own private and public key.
In order to obtain a valid signature, a certain number of these entities
must each provide a signature of their own.
This is inefficient because the size of the resulting signature increases linearly with
the number of signers and the verification becomes more costly,
because the signature of each signer must be verified individually.

The field of multiparty threshold signature schemes aims to address these three main problems, namely:
\begin{itemize}
  \item keeping a private key confidential,
  \item avoiding the need to trust in a single provider or a single device, and
  \item being efficient in terms of size and verification cost.
\end{itemize}

The contribution of this work is the implementation of such a threshold signature scheme,
combined with strong authenticated signing.

Frosix is mainly based on FROST \cite{cryptoeprint:2020/852},
a promising threshold signature scheme.
Even though FROST proposes an advanced protocol for the distributed creation of signatures,
it lacks any authentication of the central signature aggregator against the signing parties.
Therefore, Frosix extends FROST with an authentication component, inspired by GNU Anastasis
\cite{anastasis}.\footnote{GNU Anastasis is a free software key recovery service and resulted from an earlier bachelor thesis.}

\section{Principles}
The following design objectives were important during the design and development of Frosix.
Those principles were freely adapted from the Anastasis bachelor thesis \cite{anastasis-thesis}.

\begin{itemize}
  \item Frosix must be Free Software \cite{fsf}. Everyone must
  have the right to run the program, study the source code, make modifications
  and share their modifications with others.
  \item Frosix must not rely on the trustworthiness of individual \Glspl{provider} or devices.
  It must be possible to use Frosix safely, even if a subset (\(k - 1\)) of \Glspl{provider}
  and devices, or the authentication methods they use, are malicious.
  \newline Furthermore, Frosix must minimize the amount of information exposed to
  \Glspl{provider} and the network.
  \item Frosix must put the user in control: They get to decide which
  \Glspl{provider} and which authentication methods to use.
  \item Frosix must be economically viable to operate. This implies usability
  and efficiency of the system.
  \item Signatures generated with Frosix must support a diverse range of use
  cases.
\end{itemize}

\section{Basics}
\textit{Frosix} is the combination of the word \textit{FROST} and the
abbreviation \textit{six} originating from the word \textit{signature}.

\subsubsection{Threshold Cryptosystem}
Frosix is based on a threshold cryptosystem with the following basic properties:

\begin{itemize}
  \item \textbf{Distribution of the secret}: In a threshold cryptosystem, the threshold value \(k\), or sometimes \(t\), states
  how many entities an adversary has to compromise in order to reconstruct a distributed secret.
  \item \textbf{Robustness in reconstruction of the secret}: This also implies that only \(k\) entities have to collaborate in order to reconstruct the secret.
\end{itemize}

A threshold signature scheme involves the following components, which differ from a single-signer signature or multi-signature scheme.

\textbf{Distributed Key Generation}
\newline For the generation of a private key, a distributed key generation protocol ensures
that no entity knows more than a fraction of the private key.
\custind Frosix ensures that even the device of the user who initiated the key generation
learns nothing about the private key, except for the public key that is eventually created.

\textbf{Distributed Signing}
\newline To ensure that the private key is never assembled on a single device,
each entity involved in the signing process generates a partial signature with its fraction of the private key.
\custind A central signature aggregator, the Frosix client, combines those parts to create the final signature.

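The threshold and distributed signing properties described above, as an added example (not part of the thesis or the Frosix code base): a simplified k-of-n threshold Schnorr signature in Python. It assumes a trusted dealer instead of distributed key generation, one plain nonce per signer rather than FROST's nonce commitments, and a constructed toy group far too small for real use; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, far too small for real use):
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def challenge(R, Y, msg):
    """Schnorr challenge c = H(R || Y || msg) mod q."""
    data = f"{R}|{Y}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def deal_shares(secret, k, n):
    """Shamir-share `secret` with a random polynomial of degree k-1 (trusted dealer)."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(k - 1)]
    return {i: sum(a * pow(i, j, Q) for j, a in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange(i, signers):
    """Lagrange coefficient of signer i at x = 0 for the participating set."""
    num = den = 1
    for j in signers:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q

def threshold_sign(shares, signers, Y, msg):
    """Signers produce partial signatures; the aggregator only multiplies and sums."""
    nonces = {i: secrets.randbelow(Q - 1) + 1 for i in signers}  # secret of signer i
    R = 1
    for i in signers:                    # aggregator combines the commitments g^d_i
        R = R * pow(G, nonces[i], P) % P
    c = challenge(R, Y, msg)
    partial = {i: (nonces[i] + lagrange(i, signers) * shares[i] * c) % Q
               for i in signers}         # each entry is computed locally by signer i
    return R, sum(partial.values()) % Q

def verify(Y, msg, sig):
    """Ordinary single-signer Schnorr verification: g^z == R * Y^c."""
    R, z = sig
    return pow(G, z, P) == R * pow(Y, challenge(R, Y, msg), P) % P

if __name__ == "__main__":
    secret, msg = 777, b"release-1.0.tar.gz"      # constructed sample values
    Y = pow(G, secret, P)                          # group public key
    shares = deal_shares(secret, k=3, n=5)
    sig = threshold_sign(shares, [1, 3, 5], Y, msg)
    print("valid:", verify(Y, msg, sig))
```

The aggregated signature is a single (R, z) pair whatever the number of signers, and it passes ordinary single-key Schnorr verification, in contrast to the multi-signature case where size and verification cost grow with each signer.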
\subsubsection{Authentication}
In current threshold signature schemes, the trustworthiness of the issuer of a request is not taken into account for the creation of a signature.
Frosix closes this gap by offering and enforcing different authentication methods for each involved \Gls{provider} and each signing request.
This results, depending on the combinations of chosen authentication methods,
in the highest possible security level threshold signing can have.

\subsubsection{Privacy by Design}
Frosix is designed to minimize the information exposed to the user, the network and \Glspl{provider}.
Thus, the data persisted at a \Gls{provider} is either encrypted or just a salted hash.
The encryption key and the salt value are only submitted during the key generation or a signing process.

\section{Use cases}
One of the main advantages of Frosix in comparison to current implementations is the
inclusion of authentication before issuing a signature share.

\subsubsection{Software Signing}
Modern operating systems rely on signed software as a root of trust to
protect users from malicious software.
However, many software development companies do not adequately secure
their software signing keys.
Frosix can significantly enhance security in this context,
and it can also establish trust in software updates and releases from independent
developers to reduce the risk of malicious code being committed to public
registries like GitHub.

\subsubsection{Document Signing}
Frosix is designed to sign anything that can be processed by a hash function.
This includes documents such as contracts, testaments,
and various media files like pictures, music, and videos.
For contracts and other legally binding documents, Frosix could take on the role of
a qualified signature, provided the legal conditions are met.

\subsubsection{Cryptocurrency Transactions}
Frosix is particularly well-suited for use in the signing of
cryptocurrency transactions, as the underlying FROST scheme was originally
designed for this purpose.
With the introduction of the Taproot upgrade in Bitcoin \cite{taproot},
which enables support for Schnorr signatures, Frosix could be customized
to issue valid Bitcoin transaction signatures.

\subsubsection{E-mail / Communication}
Frosix can also be used for signing written digital communication, such as emails.
However, the requirement for multiple authentications makes Frosix less suitable for everyday
and trivial communications.
Nonetheless, this feature becomes increasingly valuable when considering the
security properties of authenticity, integrity, and non-repudiation
associated with sensitive communications.

\subsubsection{Financial Industry}
Another field of application for Frosix lies in the financial industry.
Banks and other financial institutions manage immense assets,
and are therefore obliged to comply with the highest IT security standards.
Threshold signatures could serve as a supporting element to distribute
and thus reduce financial and regulatory risks.