Re: [Cfrg] Deterministic signatures, revisit?

Ilari Liusvaara <> Tue, 10 October 2017 10:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CB118134472 for <>; Tue, 10 Oct 2017 03:46:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tlBVJZSb19Cs for <>; Tue, 10 Oct 2017 03:46:17 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7F9B9134456 for <>; Tue, 10 Oct 2017 03:46:16 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 243225372F; Tue, 10 Oct 2017 13:46:15 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([IPv6:::ffff:]) by localhost ( [::ffff:]) (amavisd-new, port 10024) with ESMTP id vOU7DAY09bGt; Tue, 10 Oct 2017 13:46:14 +0300 (EEST)
Received: from LK-Perkele-VII ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 359982313; Tue, 10 Oct 2017 13:46:12 +0300 (EEST)
Date: Tue, 10 Oct 2017 13:46:11 +0300
From: Ilari Liusvaara <>
To: Dan Brown <>
Cc: Cfrg <>
Message-ID: <20171010104611.b3lwlawku5zh5aun@LK-Perkele-VII>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <>
User-Agent: NeoMutt/20170609 (1.8.3)
Archived-At: <>
Subject: Re: [Cfrg] Deterministic signatures, revisit?
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 10 Oct 2017 10:46:20 -0000

On Tue, Oct 10, 2017 at 10:23:31AM +0000, Dan Brown wrote:
> ‎ gives a theoretical reason to prefer
> deterministic signatures: some proofs work better. So, my
> question goes to side channels (and subversion too, but less so)
> which is better at resisting them, deterministic or one of these
> tweaks in the 2 eprints below?

I think it depends...

There are environments that do not have to care about fault attacks
as long as the algorithm does not leak the key with random faults
(*cough* RSA-CRT *cough*), e.g. stuff running on general purpose
operating systems. However, such environments might very well care
about other side channels like cache attacks. The value of defenses
proposed by the paper for this are somewhat doubtful, altough those
defenses would prevent trying to repeatedly scan r with the same
message to sign (but proper constant-time algorithm would take care of
that as well).

Then there are environments that do care about fault attacks, like
smartcards. These environments usually care about side channels such as
timing and power analysis too. However, the sensitive parts are
elsewhere, needing additional randomization beyond what was proposed in
these papers.