Signature delegation without secret keys

rusty

9/27/23, 7:18 AM

Scenario: have an entity A that cannot hold any secret keys. A concrete example would be: an application that needs to be open sourced and cannot be modified. In order to send any signed messages, it uses a proxy signer P. P holds the secret key and signs on behalf of A.

The issue: how does the message recipient verify that A actually initiated the message via P, and P did not generate/send the message without A's knowledge?

I came across some papers that discuss proxy signer's deviation, but could not find anything concrete. Could zk proofs be used in some ways to address this problem?

Thanks.

0 + 0

public-key

signature

zero-knowledge-proofs

proxy-re-encryption

JAAAY

9/27/23, 11:45 AM

In order for your question to be answered completely I think you have to define first your communication and thread model. Some questions that will help you complete your question : Let's consider $C$ the client, $A$ the application and $S$ the signer (which is $P$ in your case).

JAAAY

9/27/23, 11:45 AM

1. Does $S$ have a direct communication channel with $C$ or it just replies to $A$ with the signed message and $A$ forwards it to $C$? 2. Is the party $S$ trusted? 3. Are there any preestablished (bidirectional?) secure communication channels, if yes which of the following $\{A,S\}$, $\{A, C\}$, $\{C, P\}$? 4. Does $S$ have whitebox access to $A$? Will a corrupted $S$ will have full control of both $A$ and $S$? If the last question is true, of course this problem cannot be solved.

rusty

9/27/23, 12:12 PM

1. S can be thought of as mail box between A and C. A <-> C don't talk to each other directly, but only via S 2. S can be trusted, but from point of view of C, we still want to make sure it is not creating/signing messages on its own. This can be thought of as a selling point for this scheme, where C can somehow verify the message originated from A 3. No pre-created channels 4. S does not have any control over A and C

poncho

9/27/23, 1:06 PM

How do you distinguish A from A' (the identical application running on the adversary's machine, or possibly a tweaked version of the application)? Unless you have a way to do that, I don't believe this is possible...

JAAAY

9/27/23, 1:46 PM

Totally agree with @poncho.

rusty

9/28/23, 2:41 PM

Given the constraint that A cannot hold any secrets, keeping anything like a TLS key/cert, etc is not feasible. I can't think of a way to distinguish between A and A' to be honest.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Signature delegation without secret keys

TH: การมอบหมายลายเซ็นโดยไม่มีรหัสลับ

RO: Delegarea semnăturii fără chei secrete

RU: Делегирование подписи без секретных ключей

VI: Ủy quyền chữ ký không có khóa bí mật

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.