[Cfrg] Recommendations Regarding Deterministic Signatures

John Mattsson <john.mattsson@ericsson.com> Wed, 27 November 2019 11:14 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: Recommendations Regarding Deterministic Signatures
Thread-Index: AQHVpRPCzwhjXo0nk0GZjF6FACZgbw==
Date: Wed, 27 Nov 2019 11:13:55 +0000
Message-ID: <08737FB3-C63E-453D-BF4E-45BD2A3ABB55@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/9yqTJuwxeSU3OCjbyyJqAJ-xTy0>

IRTF/IETF has in recent years heavily promoted purely deterministic signatures:

  RFC 8152 (EdDSA):
    "EdDSA signatures are deterministic."

  RFC 8152 and RFC 8152bis (COSE):
    "Implementations SHOULD use a deterministic version of ECDSA"

    "Note: Use of a deterministic signature technique is a good idea
     even when good random number generation exists."

  RFC 8446 (TLS 1.3):
    "It is RECOMMENDED that implementations implement "deterministic ECDSA""

NIST has just released FIPS 186-5 (Draft), where they plan to include deterministic ECDSA but do not recommend it in general due to side-channel and fault injection attacks:

  "recent security research has found that implementations of
   these deterministic signature algorithms may be vulnerable
   to certain kinds of side-channel or fault injection attacks."

  "The use of deterministic ECDSA may be desirable for devices
   that do not have a good source of quality random numbers."

  https://www.federalregister.gov/documents/2019/10/31/2019-23742/request-for-comments-on-fips-186-5-and-sp-800-186

  https://csrc.nist.gov/publications/detail/fips/186/5/draft

Recent research papers on deterministic signatures:

  [1] https://eprint.iacr.org/2017/975
  [2] https://eprint.iacr.org/2017/1014
  [3] https://link.springer.com/chapter/10.1007/978-3-319-44524-3_11

The countermeasure discussed in both [1] and [2] is to add some "additional randomness" / "noise" to the deterministic calculation of 'k'.

My current view is that best practice seems to be to use deterministic algorithms (deterministic ECDSA or EdDSA) with "additional randomness" / "noise" like in XEdDSA. This also mitigates attacks on theoretical use cases where deterministically signing the same message twice leaks information.

https://signal.org/docs/specifications/xeddsa/

The additional randomness (and all other randomness) should be generated with a construction like draft-irtf-cfrg-randomness-improvements that feeds a pseudo random number generator with a random seed, a secret key, a context string, and a nonce.

For global companies like Ericsson that would like to be compliant with both RFCs and NIST publications, it would be good to have alignment between IRTF/IETF/NIST.

Cheers,
John
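An added illustration of the "deterministic plus additional randomness" nonce derivation the post recommends, written for this page and not taken from the post, from XEdDSA or from any library. It follows the XEdDSA definition r = hash_1(a || M || Z) mod q with hash_1 = SHA-512 over a 0xFE || 0xFF*31 prefix and q the Ed25519 group order; the key bytes and Z values in the test are constructed sample inputs.

```python
import hashlib
import secrets
from typing import Optional

# Group order of the Ed25519 / XEdDSA base point (q in the XEdDSA spec).
Q = 2**252 + 27742317777372353535851937790883648493


def deterministic_nonce(prefix: bytes, msg: bytes) -> int:
    """Pure deterministic nonce in the RFC 8032 style: r = SHA-512(prefix || M) mod q.

    The same (key, message) pair always yields the same r, which is what makes
    a single fault-injected run of the signer comparable against a correct one.
    """
    return int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % Q


def xeddsa_hash1(data: bytes) -> bytes:
    """XEdDSA hash_1: SHA-512 over (2^256 - 2) || data, encoded as the 32-byte
    prefix 0xFE followed by 31 bytes of 0xFF. The prefix domain-separates this
    hash from the plain SHA-512 calls elsewhere in the signature scheme."""
    return hashlib.sha512(b"\xfe" + b"\xff" * 31 + data).digest()


def hedged_nonce(a: bytes, msg: bytes, z: Optional[bytes] = None) -> int:
    """Hedged nonce as in XEdDSA: r = hash_1(a || M || Z) mod q, Z = 64 random bytes.

    Z is mixed in together with the secret scalar a and the message, so:
      * with a healthy RNG, signing the same message twice gives distinct r
        (no two runs to compare for a fault attack, no repeated-signature leak);
      * with a broken RNG (Z constant or predictable), r still depends on the
        secret a and on M, so the scheme degrades to deterministic signing
        rather than to nonce reuse across different messages.
    """
    if z is None:
        z = secrets.token_bytes(64)
    if len(z) != 64:
        raise ValueError("Z must be exactly 64 bytes")
    return int.from_bytes(xeddsa_hash1(a + msg + z), "little") % Q


if __name__ == "__main__":
    # Constructed sample key material; a real scalar comes from key generation.
    a = bytes(range(32))
    msg = b"same message signed twice"
    print("deterministic:", deterministic_nonce(a, msg) == deterministic_nonce(a, msg))
    print("hedged, fresh Z:", hedged_nonce(a, msg) != hedged_nonce(a, msg))
```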