Re: [Cfrg] Deterministic signatures, revisit?

Dan Brown <danibrown@blackberry.com> Tue, 10 October 2017 13:52 UTC

From: Dan Brown <danibrown@blackberry.com>
To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>
CC: Cfrg <cfrg@irtf.org>
Thread-Topic: [Cfrg] Deterministic signatures, revisit?
Thread-Index: AQHTQbHSfrJSeH1XP06gGlOqYlV79KLdKaOA///uMwA=
Date: Tue, 10 Oct 2017 13:51:58 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501BD099B@XMB116CNC.rim.net>
References: <20171009165655.8609877.65333.18037@blackberry.com> <20171010102330.8609877.85759.18061@blackberry.com> <20171010104611.b3lwlawku5zh5aun@LK-Perkele-VII>
In-Reply-To: <20171010104611.b3lwlawku5zh5aun@LK-Perkele-VII>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/8OssL4f_1SHSgCbhtP1T_Z_oLDY>

< Hi, my responses (=questions) below (&sorry about the non-standard indicators) >

-----Original Message-----
From: ilariliusvaara@welho.com [mailto:ilariliusvaara@welho.com] 
Sent: Tuesday, October 10, 2017 6:46 AM

On Tue, Oct 10, 2017 at 10:23:31AM +0000, Dan Brown wrote:
> http://ia.cr/2017/890 gives a theoretical reason to prefer 
> deterministic signatures: some proofs work better. So, my question 
> goes to side channels (and subversion too, but less so) which is 
> better at resisting them, deterministic or one of these tweaks in the 
> 2 eprints below?

I think it depends...

< ... skip ... >

Then there are environments that do care about fault attacks, like smartcards. These environments usually care about side channels such as timing and power analysis too. However, the sensitive parts are elsewhere, needing additional randomization beyond what was proposed in these papers.

< Am I right to interpret your "sensitive ... needing ... beyond ... these papers" as meaning you can attack the proposals in the IACR eprints 2017/{975,985}? Or, is it just a case of we already got other, larger problems than this anyway? >
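
[Added illustration for this archive page; it is not part of the thread and not code from either eprint.] The Python below is a toy model of the fault scenario Ilari's reply refers to. It implements ECDSA over secp256k1 (public domain parameters; variable-time arithmetic, demo only), derives the nonce as k = H(d, msg, extra), and models one hypothetical fault: the message buffer is corrupted after k has been derived but before s is computed, and the device still emits the result. With extra = b"" (a deterministic nonce, the RFC 6979 / EdDSA idea in simplified form) the correct and the faulted signature share k, and the standard nonce-reuse algebra returns the private key. With extra = fresh random bytes (a hedged nonce; a simplified stand-in for the hedging discussed in the thread, not the exact formula of either paper) the two signatures use different k and there is nothing to solve. The key seed, the messages and the corrupted byte are constructed inputs.

```python
"""Toy ECDSA/secp256k1 showing one fault scenario: a deterministic nonce lets a
single message-corruption fault leak the key, a hedged nonce does not.
Nonce derivation and fault model are simplified assumptions for this demo."""
import hashlib
import os
from typing import Optional, Tuple

# secp256k1 domain parameters (public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (variable-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _z(msg: bytes) -> int:
    """Message digest as an integer mod N."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def derive_nonce(d: int, msg: bytes, extra: bytes = b"") -> int:
    """k = H(d, msg, extra) mod N. extra=b"" -> deterministic nonce;
    extra=os.urandom(32) -> hedged nonce. Assumed toy derivation, not a standard."""
    h = hashlib.sha256(b"nonce" + d.to_bytes(32, "big")
                       + len(msg).to_bytes(4, "big") + msg + extra).digest()
    return int.from_bytes(h, "big") % N or 1


def sign(d: int, msg: bytes, extra: bytes = b"",
         faulted_msg: Optional[bytes] = None) -> Tuple[int, int]:
    """ECDSA (r, s). If faulted_msg is given, k is derived from the intended msg
    but z is taken from faulted_msg: a hypothetical glitch on the message buffer
    after nonce derivation and before s is computed."""
    k = derive_nonce(d, msg, extra)
    r = _mul(k, G)[0] % N
    z = _z(msg if faulted_msg is None else faulted_msg)
    return r, pow(k, -1, N) * (z + r * d) % N


def verify(pub, msg: bytes, sig: Tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_z(msg) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_from_shared_nonce(m1, sig1, m2, sig2) -> Optional[int]:
    """Nonce-reuse recovery: equal r means equal k, so k = (z1-z2)/(s1-s2)
    and d = (s1*k - z1)/r. Returns None when the signatures do not share r."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None
    z1, z2 = _z(m1), _z(m2)
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r1, -1, N) % N


def run_fault_experiment() -> dict:
    """Sign a constructed message, then the same message with one faulted byte,
    once with deterministic nonces and once with hedged ones."""
    d = int.from_bytes(hashlib.sha256(b"constructed demo key seed").digest(), "big") % N or 1
    pub = _mul(d, G)
    msg = b"transfer 10 to alice"
    faulted = b"transfer 10 to alicf"   # constructed: one corrupted byte
    det_good = sign(d, msg)
    det_bad = sign(d, msg, faulted_msg=faulted)
    hedged_good = sign(d, msg, extra=os.urandom(32))
    hedged_bad = sign(d, msg, extra=os.urandom(32), faulted_msg=faulted)
    return {
        "private_key": d,
        "good_sig_valid": verify(pub, msg, det_good),
        "faulted_sig_valid_on_faulted_msg": verify(pub, faulted, det_bad),
        "faulted_sig_valid_on_original_msg": verify(pub, msg, det_bad),
        "deterministic_recovered": recover_from_shared_nonce(msg, det_good, faulted, det_bad),
        "hedged_recovered": recover_from_shared_nonce(msg, hedged_good, faulted, hedged_bad),
    }


if __name__ == "__main__":
    res = run_fault_experiment()
    print("deterministic nonce, key recovered:", res["deterministic_recovered"] == res["private_key"])
    print("hedged nonce, key recovered:", res["hedged_recovered"] is not None)
```

The script models a fault on the message only. It says nothing about faults injected into the scalar multiplication itself, or into the randomness feeding `extra` (an RNG forced to a constant collapses the hedged case back into the deterministic one), so it should not be read as showing that hedging alone settles the smartcard question raised in the reply.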