The master key for the IC is 48 bytes. Isn't that insecure?

I’ve heard that the “master public key” which can be used to verify any IC transaction is 48 bytes, or 384 bits.

However, SSH keys (which are RSA) should have a minimum of 1096 bits, which is almost 3x as many. Am I missing something? Is it not easier to brute force the IC’s master key than a developer’s SSH key?


It depends on what encryption algorithm it’s used with. Do you have a link?

Asymmetric encryption (like SSH keys) generally needs much longer keys to get equivalent security. AES symmetric encryption is ok at 256 bits.

Last time I looked, there was barely any public documentation of Dfinity’s architecture…

1 Like

You can’t easily compare the security of different cryptographic schemes by just their key length.

According to Wikipedia (which cites a NIST publication) 3048-bit RSA keys provide security equivalent to 128-bit symmetric keys, which is equivalent to 48-byte BLS keys.


I’m not worried about people brute forcing a 384 bit key.

I am… curious where this key is held, who has access to it, and why any master key exists in a putative trustless decentralized system…?

The private key to this BLS public key does not exist physically, but replicas hold key shares to generate a threshold signature in a multi-party computation. When you read from the state tree of the IC you get a certificate (chain) with such a signature. The fact that a dynamic set of replicas can create threshold signatures that can be verified with a single public key is one of the core innovations behind the Internet Computer.

You can read more about it in the Whitepaper for Geeks, and more about certification in the Interface Specification.

As a note, BLS is only used to sign/authenticate the state by the IC. Users sign their messages to the IC using Ed25519 or ECDSA.


Interesting! So BLS is not a classically asymmetric key? i.e. there is not one single private key?

This is what the chain-key cryptography system is, correct?

Splitting a private key into shares is an example of threshold signatures.

Chain key cryptography is something built on top of that. It’s a set of cryptographic protocols that ensures that the Internet Computer has a single public key, even though new nodes are being added to new subnets, faulty nodes are replaced, faulty subnets are revived, and ICP protocol software is continually updated. Threshold signatures are a necessary but not sufficient condition for chain key cryptography, IIUC.


RSA keys are much longer than keys for crypto systems based on elliptic curves. RSA keys are typically at least 2048 bits (1024 bits would be considered insecure nowadays). Elliptic curve keys are typically 256 bits. That’s a big advantage of elliptic curve cryptography to have shorter key length compared to RSA.

On elliptic curves with pairings they are typically longer than that, at least 384 bits. That gives the same security as 256 bits on a curve without pairings.

BLS is a signature scheme based on elliptic curves with pairings, hence the key length of 384 bits.

The fact that the key is shared among many nodes and does not exist in a single place is not inherent to BLS. You can use BLS with a key in one place. It’s just how the IC does it to achieve decentralization.


This seems to give the illusion that different nodes have the same key (which I hasten to add, they DO NOT). I wish that there was a different way of describing this.

Something like: different nodes have a key-share of the key, with no two key-shares being the same?

1 Like

Yes, sorry, “shared among” was an ambiguous phrase to describe this. Nodes only have key-shares, not the full key. Moreover, the key shares are generated in a distributed way (distributed key generation). It is not that the key once existed in one place, was then split into shares and those shares distributed. The key never existed in one place.
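The picture in the replies above (replicas hold key shares, the full private key is never assembled, and a threshold of partial signatures combines into one signature checkable with a single public key) as an added, runnable example. This is not code from the thread or from DFINITY. Because no pairing library is assumed, it substitutes a constructed toy Schnorr group (p = 2039, q = 1019, g = 4) for the BLS12-381 curve the IC actually uses, so there is no pairing-based verification step; the demo instead interpolates the group key once, purely to show that the combined signature equals what that never-assembled key would have produced. The distributed key generation is a simplified Joint-Feldman DKG with the complaint phase omitted, and the group is far too small to be secure.

```python
"""Toy threshold signing where the full private key never exists in one place.

Added example for this thread, not code from the posts or from DFINITY.
Constructed toy group: p = 2039 (safe prime), q = 1019 = (p-1)/2, g = 4.
Only the algebra of DKG and Lagrange combination of partial signatures is
the same as in BLS threshold signing; nothing here is secure.
"""
import hashlib
import secrets

P = 2039          # constructed toy safe prime
Q = (P - 1) // 2  # prime order of the subgroup we work in (1019)
G = 4             # generator of the order-Q subgroup (a quadratic residue)


def hash_to_group(message: bytes) -> int:
    """Map a message to a nonzero element of the order-Q subgroup (a square mod P)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest % (P - 1) + 1, 2, P)


def shamir_shares(secret: int, threshold: int, n: int) -> dict:
    """Shamir split over Z_Q: shares f(1..n) of a random degree-(t-1) polynomial."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    return {x: sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q
            for x in range(1, n + 1)}


def distributed_keygen(threshold: int, n: int) -> tuple:
    """Simplified Joint-Feldman DKG (complaint phase omitted).

    Every party i picks its own random secret s_i and Shamir-shares it to all
    parties. Party j's key share is the sum of the shares it received; the
    group public key is the product of the published commitments g^s_i.
    The group private key is sum(s_i), and no party ever computes it.
    """
    public_key = 1
    key_shares = {j: 0 for j in range(1, n + 1)}
    for _ in range(n):                                   # each party deals once
        s_i = secrets.randbelow(Q)
        public_key = public_key * pow(G, s_i, P) % P       # published commitment
        for j, share in shamir_shares(s_i, threshold, n).items():
            key_shares[j] = (key_shares[j] + share) % Q    # sent privately to j
    return public_key, key_shares


def partial_sign(key_share: int, message: bytes) -> int:
    """One replica's contribution: H(m) raised to its own key share."""
    return pow(hash_to_group(message), key_share, P)


def lagrange_at_zero(j: int, participants) -> int:
    """Coefficient lambda_j with sum(lambda_j * f(j)) = f(0) over Z_Q."""
    num, den = 1, 1
    for m in participants:
        if m != j:
            num = num * m % Q
            den = den * (m - j) % Q
    return num * pow(den, -1, Q) % Q


def combine(partials: dict) -> int:
    """Combine threshold-many partial signatures into the group signature.

    prod sigma_j^lambda_j = H(m)^(sum lambda_j * sk_j) = H(m)^sk: the
    interpolation happens in the exponent, so the key itself is never formed.
    """
    ids = list(partials)
    sig = 1
    for j, sigma_j in partials.items():
        sig = sig * pow(sigma_j, lagrange_at_zero(j, ids), P) % P
    return sig


def reconstruct_secret(key_shares: dict) -> int:
    """Interpolate the group private key. Done ONLY in this demo as a check;
    the protocol never performs this step (BLS verifies with a pairing instead)."""
    ids = list(key_shares)
    return sum(lagrange_at_zero(j, ids) * s for j, s in key_shares.items()) % Q


def demo(threshold: int = 3, n: int = 5, message: bytes = b"state root") -> dict:
    """Run DKG, sign with two different 3-of-5 subsets, and report the checks."""
    pk, shares = distributed_keygen(threshold, n)
    subset_a = {j: partial_sign(shares[j], message) for j in (1, 2, 3)}
    subset_b = {j: partial_sign(shares[j], message) for j in (2, 4, 5)}
    sig_a, sig_b = combine(subset_a), combine(subset_b)
    sk = reconstruct_secret({j: shares[j] for j in range(1, threshold + 1)})
    return {
        "pk_matches_g_to_sk": pk == pow(G, sk, P),
        "any_t_shares_agree": sig_a == sig_b,
        "matches_full_key_sig": sig_a == pow(hash_to_group(message), sk, P),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns three booleans: the DKG public key really is g to the (never-computed) group secret, two disjoint-looking 3-of-5 subsets of replicas produce the identical signature, and that signature equals what the full key would have produced. In real BLS the last check is replaced by the pairing equation e(sigma, g2) == e(H(m), pk), so a verifier needs only the 48-byte public key and never anything like `reconstruct_secret`; fewer than the threshold of shares interpolates a different polynomial and yields a signature that fails that check.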