Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
Yoav Nir <ynir.ietf@gmail.com> Sun, 03 May 2015 17:54 UTC
> On May 3, 2015, at 2:14 PM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
>
> CFRG chairs are starting discussion of the next topic.
>
> The consensus view of the mailing list was that NIST compliance of our selected
> signature scheme is not necessary, opening up the opportunity for us to
> consider a rich class of signature schemes beyond ECDSA.
>
> Most if not all signature schemes defined over elliptic curves can be
> de-randomised by generating the "random" value used during signing in a
> pseudorandom manner from the message to be signed. This ameliorates some
> catastrophic failure modes for these schemes. The generation could involve
> using a PRF such as HMAC with a key designed solely for this purpose
> (resulting in an augmented private (signing) key). An alternative could be
> to hash a string consisting of a concatenation of the private (signing)
> key with the message to be signed. There are other possibilities too.
> Several methods are described in detail in RFC 6979
> (http://tools.ietf.org/html/rfc6979).
>
> To determine the way forward, we are going to conduct a poll to determine
> how we should tackle the question of de-randomisation. Please pick one of the
> options specified below:
>
> 1. CFRG should stick to randomised signature schemes only.
>
> 2. CFRG should adopt deterministic signature scheme only.
>
> 3. De-randomisation should be an optional feature for implementers to
> decide upon (i.e. both choices 1 and 2 allowed).

#2.

Random number generation is one of the weak spots of a lot of cryptographic libraries. Either they get the PRNG/DRBG wrong, or even when they get it right, they rely on a problematic source for seeding. Things might work fine on regular servers, then lose their entropy when running in a virtualized environment. Very often the entropy comes from a source that is outside the control of the cryptographic library and may or may not be reliable depending on the running environment.

Deterministic works for everybody. Randomized works not for everybody. Better go with #2.

Of course de-randomizing doesn’t buy you much if you use the signature as part of a protocol such as TLS that requires random bytes, but removing one thing that relies on the RNG is better than not doing it.

Yoav
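The nonce handling discussed in this thread, as an added example that is not part of the original message or of any CFRG document: textbook ECDSA over secp256k1 with the per-signature value k supplied by the caller, so that an RNG which repeats its output can be compared with k derived by HMAC from a dedicated key and the message. The derivation is a simplified stand-in, not the RFC 6979 procedure, and the curve choice, function names and sample key values are assumptions constructed for illustration.

```python
import hashlib, hmac

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, base point G of prime order N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None or B is None:
        return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return None
    num, den = (3 * A[0] * A[0], 2 * A[1]) if A == B else (B[1] - A[1], B[0] - A[0])
    lam = num * pow(den % P, -1, P)
    x = (lam * lam - A[0] - B[0]) % P
    return x, (lam * (A[0] - x) - A[1]) % P

def mul(k, A):  # double-and-add; not constant time, illustration only
    R = None
    while k:
        R = add(R, A) if k & 1 else R
        A, k = add(A, A), k >> 1
    return R

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def hmac_nonce(nonce_key, msg):  # k in [1, N-1] from a key used for nothing else
    return int.from_bytes(hmac.new(nonce_key, msg, hashlib.sha512).digest(), "big") % (N - 1) + 1

def sign(d, msg, k):
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (digest(msg) + r * d) % N

def verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = add(mul(digest(msg) * w % N, G), mul(r * w % N, Q))
    return X is not None and X[0] % N == r

def nonce_reused(sigs):  # two distinct signatures sharing r: one k covered two messages
    return len({r for r, _ in set(sigs)}) < len(set(sigs))

def demo(d=0xC0FFEE, key=b"constructed nonce key", msgs=(b"msg one", b"msg two")):
    stuck = [sign(d, m, 0x5EED) for m in msgs]  # RNG that returns the same k each time
    derived = [sign(d, m, hmac_nonce(key, m)) for m in msgs]
    return nonce_reused(stuck), nonce_reused(derived)
```

A repeated r across two different signatures from one key is the visible symptom of the RNG failure the message describes; with the HMAC-derived k, r repeats only when the message itself repeats.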