I’ve heard that the “master public key” which can be used to verify any IC transaction is 48 bytes, or 384 bits.
However, SSH keys (which are RSA) should have a minimum of 1096 bits, which is almost 3x as many. Am I missing something? Is it not easier to brute force the IC’s master key than a developer’s SSH key?
The private key to this BLS public key does not exist physically, but replicas hold key shares to generate a threshold signature in a multi-party computation. When you read from the state tree of the IC you get a certificate (chain) with such a signature. The fact that a dynamic set of replicas can create threshold signatures that can be verified with a single public key is one of the core innovations behind the Internet Computer.
Splitting a private key into shares is an example of threshold signatures.
Chain key cryptography is something built on top of that. It’s a set of cryptographic protocols that ensures that the Internet Computer has a single public key, even though new nodes are being added to new subnets, faulty nodes are replaced, faulty subnets are revived, and ICP protocol software is continually updated. Threshold signatures are a necessary but not sufficient condition for chain key cryptography, IIUC.
RSA keys are much longer than keys for crypto systems based on elliptic curves. RSA keys are typically at least 2048 bits (1024 bits would be considered insecure nowadays). Elliptic curve keys are typically 256 bits. That’s a big advantage of elliptic curve cryptography: shorter key lengths compared to RSA.
On elliptic curves with pairings they are typically longer than that, at least 384 bits. That gives the same security as 256 bits on a curve without pairings.
BLS is a signature scheme based on elliptic curves with pairings, hence the key length of 384 bits.
The fact that the key is shared among many nodes and does not exist in a single place is not inherent to BLS. You can use BLS with a key in one place. It’s just how the IC does it to achieve decentralization.
This seems to give the illusion that different nodes have the same key (which I hasten to add, they DO NOT). I wish that there was a different way of describing this.
Something like: different nodes have a key-share of the key, with no two key-shares being the same?
Yes, sorry, “shared among” was an ambiguous phrase to describe this. Nodes only have key-shares, not the full key. Moreover, the key shares are generated in a distributed way (distributed key generation). It is not that the key once existed in one place, was then split into shares and those shares distributed. The key never existed in one place.
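Added example, not from this thread or from DFINITY's code, showing the arithmetic behind the replies above: distributed key generation in which the shares are never assembled into one key, BLS-style partial signatures H(m)^{s_j} from each share, and Lagrange combination of any t of them into a single signature that matches the one public key. It uses a constructed toy group modulo a small prime with no pairing, so the pairing-based verification of real BLS is not shown; the parameters, function names and message are all constructed.

```python
import hashlib
import secrets

# Constructed toy group: the order-Q subgroup of Z_P^* with P = 2Q + 1 (both prime).
# Real BLS lives in pairing-friendly curve groups; this toy has no pairing, so it
# demonstrates the share/partial-signature/combine arithmetic, not pairing verification.
P, Q, G = 10007, 5003, 4

def eval_poly(coeffs, x):
    """Evaluate [a0, a1, ...] at x modulo Q."""
    return sum(a * pow(x, k, Q) for k, a in enumerate(coeffs)) % Q

def dkg(n, t):
    """Distributed key generation: each of n parties deals a random degree-(t-1)
    polynomial f_i; party j's share is the sum of the n values f_i(j) dealt to it.
    The joint secret s = sum_i f_i(0) is never assembled by anyone."""
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    shares = {j: sum(eval_poly(f, j) for f in polys) % Q for j in range(1, n + 1)}
    pk = 1
    for f in polys:  # public key g^s = product of each dealer's commitment g^{f_i(0)}
        pk = pk * pow(G, f[0], P) % P
    return shares, pk

def hash_to_group(msg):
    """Toy hash-to-group: squaring lands the value in the order-Q subgroup."""
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % P, 2, P)

def partial_sign(share, msg):
    """A node's partial signature H(m)^{s_j}; the node never sees s."""
    return pow(hash_to_group(msg), share, P)

def lagrange_at_zero(i, subset):
    """Lagrange coefficient of index i for interpolating at x = 0, modulo Q."""
    lam = 1
    for j in subset:
        if j != i:
            lam = lam * j * pow(j - i, -1, Q) % Q
    return lam

def combine(partials):
    """Combine t partial signatures {j: H(m)^{s_j}} into H(m)^s: Lagrange weights in the exponent."""
    sig = 1
    for i, sigma_i in partials.items():
        sig = sig * pow(sigma_i, lagrange_at_zero(i, partials), P) % P
    return sig

def reconstruct_secret(shares):
    """Only to check the toy: assembling s from t shares is exactly what a real deployment never does."""
    return sum(s * lagrange_at_zero(i, shares) for i, s in shares.items()) % Q
```

Any threshold-sized subset of partial signatures combines to the same signature, which is why a verifier needs only the one public key and not the identity of the signing nodes.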