Re: [Cfrg] Recommendations Regarding Deterministic Signatures

Akira Takahashi <takahashi@cs.au.dk> Fri, 13 December 2019 03:00 UTC

From: Akira Takahashi <takahashi@cs.au.dk>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>, "saag@ietf.org" <saag@ietf.org>, "Diego F. Aranha" <dfaranha@eng.au.dk>, Claudio Orlandi <orlandi@cs.au.dk>, Greg Zaverucha <gregz@microsoft.com>
Date: Fri, 13 Dec 2019 03:00:01 +0000
Message-ID: <DB6PR0102MB283861277B9ADF9D1A7551A395540@DB6PR0102MB2838.eurprd01.prod.exchangelabs.com>
References: <08737FB3-C63E-453D-BF4E-45BD2A3ABB55@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/AlyB0m3oC3hed7YBVQkK21E2VJ0>

On 11/27/19 12:13 PM, John Mattsson wrote:

My current view is that best practice seems to be to use deterministic algorithms (deterministic ECDSA or EdDSA) with "additional randomness" / "noise" like in XEdDSA. This also mitigates attacks on theoretical use cases where deterministically signing the same message twice leaks information.


We would like to draw your attention to our recent result related to such "hedged" constructions that derive the randomness by hashing the secret key, message, and a nonce:

    D. F. Aranha, C. Orlandi, A. Takahashi, G. Zaverucha. Security of Hedged Fiat–Shamir Signatures under Fault Attacks. 2019. https://eprint.iacr.org/2019/956.pdf

We analyzed the fault resilience of hedged Fiat-Shamir type signatures within the provable security methodology and formally confirmed that the countermeasure does thwart several recent attacks targeted at the deterministic ones.
Our result also directly applies to XEdDSA.

Best regards,
Diego, Claudio, Akira, and Greg
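The construction the message refers to, as an added example that is not part of the thread, the cited paper, or XEdDSA's own code: a simplified Schnorr-style signature on the Ed25519 group in which the nonce is derived as r = H(secret key || message || z) mod q. With z empty the derivation is purely deterministic (a repeated message yields a repeated nonce, which is the condition the fault attacks on deterministic schemes rely on); with fresh random z it is the hedged derivation the message describes, and the nonce no longer repeats. The curve parameters are the public Ed25519 ones; the domain-separation labels, point encoding, length-prefixed hash input and the `keygen`/`sign`/`verify`/`compare` functions are assumptions of this example and deliberately do not follow the RFC 8032 or XEdDSA wire formats.

```python
"""Toy Schnorr-style signature on the Ed25519 group contrasting deterministic
and hedged nonce derivation (illustrative; not RFC 8032 / XEdDSA itself)."""
import hashlib
import os

# Ed25519 curve parameters (public definition of the curve).
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
Q = 2**252 + 27742317777372353535851937790883648493  # prime order of base point
I = pow(2, (P - 1) // 4, P)                            # square root of -1 mod P
IDENTITY = (0, 1)


def _inv(x: int) -> int:
    return pow(x, P - 2, P)


def _xrecover(y: int) -> int:
    """Recover the even x satisfying -x^2 + y^2 = 1 + D x^2 y^2."""
    xx = (y * y - 1) * _inv(D * y * y + 1) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P != 0:
        x = x * I % P
    return x if x % 2 == 0 else P - x


def _add(p1, p2):
    """Affine twisted-Edwards addition (complete, so doubling is _add(p, p))."""
    x1, y1 = p1
    x2, y2 = p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * _inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * _inv(1 - t) % P)


def _mul(k: int, pt):
    acc, base = IDENTITY, pt
    while k:
        if k & 1:
            acc = _add(acc, base)
        base = _add(base, base)
        k >>= 1
    return acc


BY = 4 * _inv(5) % P
B = (_xrecover(BY), BY)
assert _mul(Q, B) == IDENTITY  # sanity check: B generates the order-Q subgroup


def _enc(pt) -> bytes:
    # Simplified x||y encoding (assumption of this example, not the standard one).
    return pt[0].to_bytes(32, "little") + pt[1].to_bytes(32, "little")


def _h(*parts: bytes) -> int:
    """SHA-512 over length-prefixed fields, reduced mod Q."""
    h = hashlib.sha512()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "little") % Q


def keygen(seed: bytes):
    a = _h(b"toy-key", seed) or 1
    return a, _mul(a, B)


def derive_nonce(a: int, msg: bytes, z: bytes) -> int:
    """r = H(secret key || message || z) mod Q.
    z == b"" is the purely deterministic derivation; random z is the hedged one."""
    return _h(b"toy-nonce", a.to_bytes(32, "little"), msg, z) or 1


def sign(a: int, A, msg: bytes, z=None):
    if z is None:
        z = os.urandom(32)  # hedged: fresh randomness folded into the nonce
    r = derive_nonce(a, msg, z)
    R = _mul(r, B)
    c = _h(b"toy-chal", _enc(R), _enc(A), msg)
    return R, (r + c * a) % Q


def verify(A, msg: bytes, sig) -> bool:
    R, s = sig
    x, y = R
    if not (0 <= x < P and 0 <= y < P and 0 <= s < Q):
        return False
    if (-x * x + y * y - 1 - D * x * x * y * y) % P != 0:  # R must lie on the curve
        return False
    c = _h(b"toy-chal", _enc(R), _enc(A), msg)
    return _mul(s, B) == _add(R, _mul(c, A))


def compare(msg: bytes = b"same message, signed several times"):
    """Constructed demonstration: deterministic signing repeats R on a repeated
    message, hedged signing does not, and every signature still verifies."""
    a, A = keygen(b"constructed demo seed")
    det1 = sign(a, A, msg, z=b"")
    det2 = sign(a, A, msg, z=b"")
    hed1 = sign(a, A, msg)
    hed2 = sign(a, A, msg)
    return {
        "all_verify": all(verify(A, msg, s) for s in (det1, det2, hed1, hed2)),
        "deterministic_repeats_nonce": det1[0] == det2[0],
        "hedged_nonces_differ": hed1[0] != hed2[0],
        "tampered_rejected": not verify(A, msg + b"!", hed1),
    }


if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name}: {ok}")
```

The point of `derive_nonce` is that the same function covers both regimes: passing `z=b""` reproduces deterministic behaviour, so a signer whose randomness source fails degrades to the deterministic scheme rather than to a fixed or predictable nonce, while any entropy that is present breaks the nonce repetition that a fault on one of two signatures over the same message would otherwise expose.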