Score:1

Signature delegation without secret keys


Scenario: there is an entity A that cannot hold any secret keys. A concrete example would be an application that needs to be open-sourced and cannot be modified. In order to send any signed messages, it uses a proxy signer P. P holds the secret key and signs on behalf of A.

The issue: how does the message recipient verify that A actually initiated the message via P, and that P did not generate/send the message without A's knowledge?

I came across some papers that discuss a proxy signer's deviation, but could not find anything concrete. Could ZK proofs be used in some way to address this problem?

Thanks.
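The flow described in the question, as an added example that is not part of the original post: P holds the only key, both the real A and an impostor A' (the same open-source code on another machine) ask P to sign a payload labelled as coming from A, and the recipient C verifies P's signature. The Lamport one-time signature scheme, the Envelope format and the names ProxySigner and Recipient are assumptions made for this illustration; the question does not specify any of them.

```python
import hashlib
import os
from dataclasses import dataclass, replace

# Constructed example. A Lamport one-time signature stands in for whatever
# real scheme P would use: it is a genuine signature scheme that needs only
# the standard library, with the caveat that each key pair signs one message.


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    # Secret key: 256 pairs of random 32-byte preimages; public key: their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    # Reveal, for each bit of H(msg), the preimage selected by that bit.
    digest = int.from_bytes(H(msg), "big")
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    digest = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][(digest >> (255 - i)) & 1] for i in range(256)
    )


@dataclass(frozen=True)
class Envelope:
    claimed_origin: str   # what the requester told P; P cannot check it
    payload: bytes
    key_index: int        # which of P's published one-time keys was used
    signature: tuple


def encode(origin: str, payload: bytes) -> bytes:
    # Length-prefix the origin so ("A", b"b...") and ("Ab", b"...") differ.
    o = origin.encode()
    return len(o).to_bytes(2, "big") + o + payload


class ProxySigner:
    """P: the only party holding secret keys. Signs whatever it is asked to."""

    def __init__(self, n_keys: int = 8):
        self._keys = [lamport_keygen() for _ in range(n_keys)]
        self.public_keys = [pk for _, pk in self._keys]
        self._next = 0  # one-time keys: never reuse an index

    def sign_for(self, claimed_origin: str, payload: bytes) -> Envelope:
        idx = self._next
        self._next += 1
        sk, _ = self._keys[idx]
        sig = lamport_sign(sk, encode(claimed_origin, payload))
        return Envelope(claimed_origin, payload, idx, tuple(sig))


class Recipient:
    """C: knows P's public keys and never talks to A directly."""

    def __init__(self, public_keys):
        self.public_keys = public_keys

    def verify(self, env: Envelope) -> bool:
        pk = self.public_keys[env.key_index]
        return lamport_verify(pk, encode(env.claimed_origin, env.payload), env.signature)


def demo() -> dict:
    p = ProxySigner()
    c = Recipient(p.public_keys)
    # A, which holds no secret, asks P to sign on its behalf.
    honest = p.sign_for("A", b"transfer 10")
    # A' runs the same open-source code on the adversary's machine and sends
    # an identical-looking request; P has nothing to distinguish it by.
    impostor = p.sign_for("A", b"transfer 1000")
    # An in-transit modification of a signed envelope does get caught.
    tampered = replace(honest, payload=b"transfer 99")
    return {
        "honest_ok": c.verify(honest),
        "impostor_ok": c.verify(impostor),
        "tampered_ok": c.verify(tampered),
    }


if __name__ == "__main__":
    print(demo())  # {'honest_ok': True, 'impostor_ok': True, 'tampered_ok': False}
```

Both the honest and the impostor envelope verify, and only the tampered one fails: the signature binds the payload and the claimed origin to P's key, and nothing in it is bound to A, because A had no secret to bind it with. The "claimed_origin" field is just data that P attests to on request, which is the gap the question asks about.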

JAAAY
In order for your question to be answered completely, I think you first have to define your communication and threat model. Some questions that will help you complete your question (let's consider $C$ the client, $A$ the application and $S$ the signer, which is $P$ in your case):
JAAAY
1. Does $S$ have a direct communication channel with $C$, or does it just reply to $A$ with the signed message and $A$ forwards it to $C$?
2. Is the party $S$ trusted?
3. Are there any pre-established (bidirectional?) secure communication channels? If yes, which of the following: $\{A,S\}$, $\{A, C\}$, $\{C, P\}$?
4. Does $S$ have white-box access to $A$? Will a corrupted $S$ have full control of both $A$ and $S$? If the last question is true, of course this problem cannot be solved.
rusty
1. S can be thought of as a mailbox between A and C. A <-> C don't talk to each other directly, but only via S.
2. S can be trusted, but from the point of view of C, we still want to make sure it is not creating/signing messages on its own. This can be thought of as a selling point for this scheme, where C can somehow verify that the message originated from A.
3. No pre-created channels.
4. S does not have any control over A and C.
poncho
How do you distinguish A from A' (the identical application running on the adversary's machine, or possibly a tweaked version of the application)? Unless you have a way to do that, I don't believe this is possible...
JAAAY
Totally agree with @poncho.
rusty
Given the constraint that A cannot hold any secrets, keeping anything like a TLS key/cert, etc., is not feasible. I can't think of a way to distinguish between A and A', to be honest.