IETF Logo Mail Archive

Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt

John Mattsson <john.mattsson@ericsson.com> Mon, 09 March 2020 21:34 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55F1B3A17F7 for <cfrg@ietfa.amsl.com>; Mon, 9 Mar 2020 14:34:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9uVxWUANCCNy for <cfrg@ietfa.amsl.com>; Mon, 9 Mar 2020 14:34:35 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2082.outbound.protection.outlook.com [40.107.22.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5F743A180B for <cfrg@irtf.org>; Mon, 9 Mar 2020 14:34:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Dbzk1Io72fOby9vajYUmPaTrF1+iYgljwv2upT8L55PJtTi6+BTDFT1zlBTGhEIeg4Vd9wvUuzbHRR2gtMdgKj6Q+w4tecrR2Lsi9Ht3kKXB7HgRqDBHSa7fx+OaGkzuEerGMLvrmICrGEKEnLVsiop+sCYr+CXpsFUO5qhslW56NrwPvtjzLHEmLt/1YcpWZzrqRH0KCVxI9ue6SNYeviDTZu02t7wCpveEqYJFOlkgY5zGstY3bUl/GWEXKatS/MqN6ncxAW6Is5vaVHiktw1ICbDWH/KYyKwY69FCSDmRURuwX4YIr1yZ1TX+34NveZBLK/w9bfrjuPfnKrMqTQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=FF7dqhS7aXQPtawcTTkXt/NJ/+f+kT/6rsfhmCpAtms=; b=b0c68VwJVQ/hiehUaBltdhS9BmMZFyGLlprQU6WIxubN20ZEVdujx6X9ktP1KnYsSq4h57KeVPMDVuNyqlerc+m5JQ5cAimkYveIljnxDzKK13ueEKXEMPCOAPXa4rLIotLLYFUQPbG7eDRMKrBB4SzXUrQsx9aMYUruMy+ATw3Yqym8PLYE3uqcl00O2MCsuOdt3T20+2xLSI1iH4L6xnOLQPa5DanBbJhKptFZyQvQNKzN5T/dN8kYe9Of5kdMfpRx8R85cUxyogL0SWYM8+KEXDnlciZBf7Ecqv1wloB9w0iDg6iUC4p6PTD5dBsLVrCH27pHzB6OfcfMFeId8A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=FF7dqhS7aXQPtawcTTkXt/NJ/+f+kT/6rsfhmCpAtms=; b=VLDTlde/pTa7YPhc+QXyfaeimGRI/OlVrntoJy9kUfix7zcgHxV2ja7IwBbgumI/5QA5lsWBsjEfk+GZXOQcbozivfzTHXrecqlm2Nedg0IF37GQaW8uVFrkUqvIuCN5pnfmOiggMFeGjZ/GTf1VnXKpZ+g2ftyWtdJroYkLJ/k=
Received: from AM6PR07MB4134.eurprd07.prod.outlook.com (52.134.114.155) by AM6PR07MB4775.eurprd07.prod.outlook.com (20.176.242.211) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2814.11; Mon, 9 Mar 2020 21:34:32 +0000
Received: from AM6PR07MB4134.eurprd07.prod.outlook.com ([fe80::501f:822f:f9b5:eb71]) by AM6PR07MB4134.eurprd07.prod.outlook.com ([fe80::501f:822f:f9b5:eb71%7]) with mapi id 15.20.2814.007; Mon, 9 Mar 2020 21:34:32 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "Dang, Quynh H. (Fed)" <quynh.dang=40nist.gov@dmarc.ietf.org>, Tony Arcieri <bascule@gmail.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt
Thread-Index: AQHVtO9lOZJrcNc7J0+AzBoiSFtzNKe+m+GA///5fgCAeRb1ZIAJr5qA
Date: Mon, 09 Mar 2020 21:34:32 +0000
Message-ID: <D401E76A-1613-4602-8BF4-4329901203D2@ericsson.com>
References: <157659682819.26470.8755515351900237330.idtracker@ietfa.amsl.com> <E6D46D5C-2BDA-466D-A2BF-46FC39605B8E@ericsson.com> <CAHOTMVJbpSUureq6V4pdZbHS2otF6CkchFYdTvCjB_CxxANijA@mail.gmail.com> <CH2PR09MB422045123171EBCAD949FDFEF3E40@CH2PR09MB4220.namprd09.prod.outlook.com>
In-Reply-To: <CH2PR09MB422045123171EBCAD949FDFEF3E40@CH2PR09MB4220.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.22.0.200209
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 184c184d-e7bb-494b-343e-08d7c471a7c2
x-ms-traffictypediagnostic: AM6PR07MB4775:
x-microsoft-antispam-prvs: <AM6PR07MB4775EBD88162166B37C2EF7789FE0@AM6PR07MB4775.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0337AFFE9A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(136003)(346002)(366004)(39860400002)(396003)(199004)(189003)(8936002)(8676002)(15650500001)(81166006)(316002)(6486002)(81156014)(33656002)(478600001)(2616005)(5660300002)(966005)(66476007)(76116006)(66446008)(66946007)(44832011)(186003)(66556008)(26005)(91956017)(2906002)(86362001)(64756008)(6512007)(6506007)(4326008)(53546011)(110136005)(36756003)(71200400001)(4001150100001)(66574012); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR07MB4775; H:AM6PR07MB4134.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: sXneeXQ3JCmb8Uwxy4jfJQi+nTORP4irQbqjLIy8BCqLtUtvJ0ZAuWXVm9PI9lgf0BVt1Hy4zYt73goVDmgxbKbrGisXAso+A+AeY6nKj4ZwtQTYqEkmZFb30f2tQiOQSHw+UYWdYMtx/MCzxa63LX5yfxVsN59MrlaU0GkATzyu/kvi7EBCmn4U54BWB196GRcmq2w72IpX7Zs+iry4cJ4si1Ck6iCoTI0ilD4LRahxMLxrRO3D3r1nYwf9hBMT9GW8u+wfZ5XEovWQtDXVsVcs8JVZnXqtX6KJW9DRplncIPDNzCNAg6SSoqVbUMonlZjG246uNWxrTcs/Zs4LRr0HhqP/NK4o34qRE4crKEhAmWCWI1IoiFB8PiuijFx00Nqmv3INaBMQB6mq7GfjTCUIC0UalKr0NYwYiVwPju84AOSPYl1IrvXm5DSOKBUqXjrImoxNKjYUwYuOwcj3SShIOIPGueI5X+IZ1b8ja7teswmf6OcCGGgRmnUH12vEGoQXzN53HLJKqNKEm71boA==
x-ms-exchange-antispam-messagedata: ZmAjRRjixA5ri9lBiaBzbHn75MoL3ZnnYWVbliWzj3fAmLV59g+51KNDwzD7cVQ6TxDnWFzo8Xmko6ib6ScVL38m8r7Ce0w6mVNdZt1eYQLtGpknZjBQdjbN4mJirIe5qfBm2SOwa2B6UXJkjsXwvQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_D401E76A161346028BF44329901203D2ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 184c184d-e7bb-494b-343e-08d7c471a7c2
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Mar 2020 21:34:32.0215 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: aAZCfrxWv4sf9QMtAqgUlLPpkRN9cxjDKUISzPj/9nciPkYuFziR6AvLhht+LhvIIc9dvuj62JHdlXQA2+dYfsJUSWrNILc/q2iNY/Qylxs=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB4775
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/8KfbOHTPBanrIe4PmUq5gnELZn8>
Subject: Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2020 21:34:45 -0000

Thanks for the review Quynh!

I agree that there are compelling reasons to do as you suggests. We never considered

( Z || prefix || PH(M) ).

We chose

( (prefix XOR Z) || PH(M) ) over the XEdDSA construction ( prefix || PH(M) || Z )

as https://eprint.iacr.org/2017/985.pdf states the the XEdDSA construction did not protect against all of their attacks due to insufficient mixing of the hashed private key with the additional randomness. Do you see any need to insert zeroes like

( Z || prefix || 000... || PH(M) )

as suggested by https://eprint.iacr.org/2017/985.pdf so that the first 1024-bit block of SHA-512 is composed only of the hashed private key and the random value, but not the message?

I agree with you that the cost of hashing operations are not really worth optimizing as their cost is negligible compared to the cost of the Elliptic curve point multiplications. We have not looked into how much additional security the zeroes gives in practice.

PS. We would also be very happy if NIST just went ahead and standardized some variant of  deterministic signatures with additional randomness in FIPS 186-5 :)

Cheers,
John

From: "Dang, Quynh H. (Fed)" <quynh.dang=40nist.gov@dmarc.ietf.org>
Date: Tuesday, 3 March 2020 at 20:36
To: Tony Arcieri <bascule@gmail.com>, John Mattsson <john.mattsson@ericsson.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt

Hi John,

I think there are people who would like some noisy deterministic ECDSA/EdDSA options.

I would prefer (Z ||int2octets(x) ) over (int2octets(x) XOR Z) , and   (Z || prefix) over (prefix XOR Z)  for the following reasons.

1) For randomized hashing, the random value should get hashed first before the message for a SHA2 hash function ( even thought it is not the same thing here since a secret value is a part of the message).

2) Z1 and Z2 both are Z bits long and have Z bits of entropy.  (Z1 Xor Z2) have only Z bits of entropy, but Z1||Z2 have 2Z bits of entropy (if Z1 and Z2 are generated from 2 different seeds/entropy sources).

An extra Z bits long would cost at most 1 compression function for SHA-512 and it would likely not cost anything for SHAKE256.  So, the cost is minimal.

Regards,
Quynh.
________________________________
From: Cfrg <cfrg-bounces@irtf.org> on behalf of Tony Arcieri <bascule@gmail.com>
Sent: Tuesday, December 17, 2019 12:30 PM
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: cfrg@irtf.org <cfrg@irtf.org>
Subject: Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt

This looks like a good document (so far you've managed to cover every nit I had to pick with it), however I think it might be a bad idea to describe your construction as "with Noise", in order to prevent confusion with the Noise Protocol, which among other things supports an Ed25519 signatures extension (which can, if one so desires, be used with XEdDSA):


https://noiseprotocol.org/<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnoiseprotocol.org%2F&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648727502&sdata=yrPQ7K0144eU1d9x0IG%2F66Xjnr4BkZs%2FNzbXDELfrSU%3D&reserved=0>


Perhaps "with Added/Additional Entropy" instead?

On Tue, Dec 17, 2019 at 8:53 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org<mailto:40ericsson.com@dmarc.ietf.org>> wrote:
Hi,

I read up a lot more on recent research on side-channel and fault injection attacks on deterministic ECC signatures. This has increased my understanding that deterministic ECC signatures should not be recommended in environments where side-channel and fault injection attacks are a concern. One such environment is IoT deployments where the adversary can be assumed to have access to devices to induce faults and measure side-channels.

As many such embedded devices also lacks a good RNG, none of the currently standardized fully-randomized or fully-deterministic ECC signature algorithms seems like a good choice. I therefore think there is a need to specify deterministic ECC signatures with noise.

My colleagues and I started to write a draft specifying how a random noise can be added to the otherwise deterministic calculation of the per-message secret number. We ended up not proposing the solution chosen in XEdDSA as at least one research paper claims that XEdDSA does prevent their attack due to insufficient mixing of the hashed private key with the random noise.

The current document aims to give a quite broad overview with many references, suggests one possible construction for deterministic ECDSA and EdDSA, and lists several issues and TODOs. It should be discussed what the best construction is for achieving protection against fault and side-channel attacks, simplicity and ease of implementation, as well as efficiency. Comments are very welcome!

Cheers,
John

-----Original Message-----
From: "internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>" <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>
Date: Tuesday, 17 December 2019 at 16:33
To: John Mattsson <john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com>>, John Mattsson <john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com>>, Sini Ruohomaa <sini.ruohomaa@ericsson.com<mailto:sini.ruohomaa@ericsson.com>>, Erik Thormarker <erik.thormarker@ericsson.com<mailto:erik.thormarker@ericsson.com>>
Subject: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt


    A new version of I-D, draft-mattsson-cfrg-det-sigs-with-noise-00.txt
    has been successfully submitted by John Preuß Mattsson and posted to the
    IETF repository.

    Name:               draft-mattsson-cfrg-det-sigs-with-noise
    Revision:   00
    Title:              Deterministic ECDSA and EdDSA Signatures with Noise
    Document date:      2019-12-17
    Group:              Individual Submission
    Pages:              14
    URL:            https://www.ietf.org/internet-drafts/draft-mattsson-cfrg-det-sigs-with-noise-00.txt<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Finternet-drafts%2Fdraft-mattsson-cfrg-det-sigs-with-noise-00..txt&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648737458&sdata=vk3J7iuIr1R0K0clMK4zE1j0Y72usGW21l3WWQ%2BpNEw%3D&reserved=0>
    Status:         https://datatracker.ietf.org/doc/draft-mattsson-cfrg-det-sigs-with-noise/<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-mattsson-cfrg-det-sigs-with-noise%2F&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648737458&sdata=Ztk7IuH0rNpiiJzz%2FzAscqior31KGMX0PNCOQD0vaa8%3D&reserved=0>
    Htmlized:       https://tools.ietf.org/html/draft-mattsson-cfrg-det-sigs-with-noise-00<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-mattsson-cfrg-det-sigs-with-noise-00&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648747401&sdata=GIW%2BfSFKyMR3cuxyJ9g5vWpN0gwBFXhkZlWLvfC%2Fqn8%3D&reserved=0>
    Htmlized:       https://datatracker.ietf.org/doc/html/draft-mattsson-cfrg-det-sigs-with-noise<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-mattsson-cfrg-det-sigs-with-noise&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648747401&sdata=RuBFhWEGgpGQlQLekhUd0%2FV9%2BGVMOg680fgERm1YWx8%3D&reserved=0>


    Abstract:
       Deterministic elliptic-curve signatures such as deterministic ECDSA
       and EdDSA have gained popularity over randomized ECDSA as their
       security do not depend on a source of high-quality randomness.
       Recent research has however found that implementations of these
       signature algorithms may be vulnerable to certain side-channel and
       fault injection attacks due to their determinism..  One countermeasure
       to such attacks is to add noise to the otherwise deterministic
       calculation of the per-message secret number.  This document updates
       RFC 6979 and RFC 8032 to recommend constructions with noise for
       deployments where side-channel attacks and fault injection attacks
       are a concern.




    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org<https://gcc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftools.ietf.org&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648757373&sdata=8wRNbI4K0fp%2FToU1LYrlDZJjYZUChULvw1sN1ynd4fA%3D&reserved=0>.

    The IETF Secretariat



_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg<https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648757373&sdata=g%2FnCiXGEXtfaRGvv9tRVaz9CAcsVq0gbqmy32xNZE1o%3D&reserved=0>


--
Tony Arcieri

v2.23.0 | Report a Bug | By Email