Standardized sender signature #30
Conversation
cbeck88
requested review from
alanpaulin,
brucek,
davidyhall,
eranrund,
isis-mc,
jcape,
mfaulk and
a team
text/0030-standardized-sender-sig.md
Outdated
| @@ -31,7 +31,7 @@ to secrets involved in the construction of the TxOut. | |||
|
|
|||
| However, these numbers are useless for convincing a third-party who is not a party to the transaction, | |||
| because only the recipient is able to validate these numbers. There is currently no form of receipt that | |||
| can be validated just from the blockchain. | |||
| can be validated by anyone, just from the blockchain. | |||
There was a problem hiding this comment.
Is this an observation about the current state of things, or an indication that this MCIP solves this problem? My understanding is that this MCIP doesn't propose to have on-chain receipts that can be validated by anyone, but that the off-chain store could be, is that correct?
There was a problem hiding this comment.
its not that the receipt lives on chain, but it's that:
- I can prove to you that I sent a particular Tx
- You don't have to even be the recipient of that Tx, and you can validated my proof just from the chain.
The receipts we have only work if you are the recipient of the Tx
Co-authored-by: sugargoat <sara.drakeley@mobilecoin.com>
| Janus attack mitigation. | ||
|
|
||
| We find a secondary use-case to motivate this: it becomes possible for the signer to create | ||
| a Schnorr signature over any payload, which a verifier can validate against the keys appearing |
There was a problem hiding this comment.
To make sure I'm following this: the public key that a sender would sign against is in the encrypted fog hint, so only the recipient's fog server can obtain this key and use it to verify messages signed with it? That doesn't sound right.
There was a problem hiding this comment.
so, the way that mc-crypto-box works is:
- I get your public key (a Ristretto curve point)
- I choose a random scalar (private fog key,
r_fogin Koe's notation in Mechanics of Mobilecoin) - I do key exchange against your public key and
r_fog, and I putr_fog * Gas the first 32 bytes of the e_fog_hint. - I use the key resulting from key exchange to encrypt and mac my payload
- I append 2 versioning bytes.
The recipient is getting those first 32 bytes, making a public key, and doing key exchange using their private key to recover the shared secret, decrypt and check the mac.
So the private key that a sender would sign against is r_fog (which now equals tx_private_key), and the signature can be validated against the public key r_fog * G, which is the first 32 bytes of fog hint.
Koe proposed that instead of having two independent random keys r and r_fog, we should just set r_fog = r, and this enables a Janus mitigation test, without really impacting fog since the r number is a perfectly fine secret key, just as good as r_fog anyways.
So this breaks some encapsulation that's separating the e_fog_hint field from the rest of the Tx math. But, it serves several useful purposes, and it's not that big a deal from the point of cryptobox / fog.
| # Summary | ||
| [summary]: #summary | ||
|
|
||
| Enact MCIP #18 (Janus Mitigation), which sets the ephemeral key in the encrypted fog hint |
There was a problem hiding this comment.
We haven't merged MCIP 18, and it doesn't look like anyone has reviewed it yet. I think that needs to be reviewed and merged before we build on it. For example, I'm having a hard time finding the "fog hint ephemeral key" in the source, so it's hard for me to evaluate what's going on here.
There was a problem hiding this comment.
For sure, we should definitely review that MCIP and merge it separately if we want to accept this MCIP, IMO
|
I'm wondering if the simplest thing to do here is to add a 'sender_signing_key' field to TxOut, which is a unique public key that is unrelated to tx_out.target_key and tx_out.public_key, and is unrelated to the fog hint. I know that would increase the size of the TxOut, but does that size increase really matter? On the flipside, it becomes extremely simple to say "this is the key that a sender should sign related data with", and anyone with access to the ledger can validate such signatures. |
It matters in that, it is a ledger format change, and an enclave change, and so would require a long turn-around time to ship. It is certainly simpler conceptually to just add a new dedicated key field, but I'm not sure it's simpler taking into account the complexity of ledger format changes. |
|
This feels somewhat out of my depth, so this is probably a stupid question, but would the bytes signed include the memo field? I could see that being very useful. |
This signature is mainly about, taking bytes and binding them to "whoever sent that Txout" without revealing who it is. The memo field is already set by that person and it's bound to the TxOut by the blockchain hash, so if I'm understanding right I think signing those bytes would be redundant. But, part of the point of this is to allow signing "additional" memo-like bytes for use in other contexts that don't have to appear on the chain. |
A proposal for a standardized signature for the sender of a TxOut, who may otherwise be anonymous.
Rendered Proposal