Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)

Yoav Nir <ynir.ietf@gmail.com> Sun, 03 May 2015 17:54 UTC

> On May 3, 2015, at 2:14 PM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
> 
> CFRG chairs are starting discussion of the next topic.
> 
> The consensus view of the mailing list was that NIST compliance of our selected
> signature scheme is not necessary, opening up the opportunity for us to
> consider a rich class of signature schemes beyond ECDSA.
> 
> Most if not all signature schemes defined over elliptic curves can be
> de-randomised by generating the "random" value used during signing in a
> pseudorandom manner from the message to be signed. This ameliorates some
> catastrophic failure modes for these schemes. The generation could involve
> using a PRF such as HMAC with a key designed solely for this purpose
> (resulting in an augmented private (signing) key). An alternative could be
> to hash a string consisting of a concatenation of the private (signing)
> key with the message to be signed. There are other possibilities too.
> Several methods are described in detail in RFC 6979
> (http://tools.ietf.org/html/rfc6979).
> 
> To determine the way forward, we are going to conduct a poll to determine
> how we should tackle the question of de-randomisation. Please pick one of the
> options specified below:
> 
> 1. CFRG should stick to randomised signature schemes only.
> 
> 2. CFRG should adopt a deterministic signature scheme only.
> 
> 3. De-randomisation should be an optional feature for implementers to
> decide upon (i.e. both choices 1 and 2 allowed).

#2.

Random number generation is one of the weak spots of a lot of cryptographic libraries. Either they get the PRNG/DRBG wrong, or even when they get it right, they rely on a problematic source for seeding.

Things might work fine on regular servers, then lose their entropy when running in a virtualized environment. Very often the entropy comes from a source that is outside the control of the cryptographic library and may or may not be reliable depending on the running environment.

Deterministic works for everybody. Randomized does not work for everybody. Better go with #2.

Of course de-randomizing doesn’t buy you much if you use the signature as part of a protocol such as TLS that requires random bytes, but removing one thing that relies on the RNG is better than not doing it.

Yoav