Re: [Cfrg] Recommendations Regarding Deterministic Signatures
Tony Arcieri <bascule@gmail.com> Wed, 27 November 2019 17:10 UTC
References: <08737FB3-C63E-453D-BF4E-45BD2A3ABB55@ericsson.com>
In-Reply-To: <08737FB3-C63E-453D-BF4E-45BD2A3ABB55@ericsson.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Wed, 27 Nov 2019 09:10:27 -0800
Message-ID: <CAHOTMVK5rkFpKE5ijAKw6JY-oJqAsXT=OhCacv=m+-PWQY8EAg@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "saag@ietf.org" <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/B_GExC9hV4ecW8aElfyWZurUtds>
On Wed, Nov 27, 2019 at 3:14 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:

> My current view is that best practice seems to be to use deterministic
> algorithms (deterministic ECDSA or EdDSA) with "additional randomness" /
> "noise" like in XEdDSA.

I'll +1 this, but also note that for existing deterministic signature algorithms, one potential mitigation for fault injection attacks against these algorithms (depending on whether circumstances / threat models permit it) is verifying generated signatures before releasing them. That doesn't help with the issue of leaking message equivalence, however.

I'll also note that some applications of deterministic signatures I work on personally benefit from the determinism from a fault-tolerance perspective, as it allows for recomputing a signature on a message which may or may not have been lost in a protocol where inconsistent signature generation in and of itself is considered a fault.

-- 
Tony Arcieri
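The two mitigations discussed in this thread (additional randomness folded into the nonce, and verifying a signature before releasing it) side by side, as an added example that is not code from the message above, from XEdDSA, or from any library. It uses a toy deterministic Schnorr signature over a prime-order subgroup of Z_p^* with a 64-bit safe prime and SHA-256 as a stand-in for EdDSA or deterministic ECDSA; the group, the helper names (`sign`, `sign_checked`, `recover_key`, `corrupt_byte`) and the fault model (a single flipped byte in the message copy hashed for the challenge, after the nonce and R are already fixed) are assumptions made for illustration. With the nonce derived only from key and message, one correct and one faulted signature share k, and the key falls out of `s - s' = (e - e') * x`; adding per-signature noise gives the two signatures different nonces so nothing cancels, and verify-before-release never lets the faulted signature out in the first place. Neither step protects the message-equivalence leak the post also mentions.

```python
# Added example (not code from the original post or any library): a toy
# deterministic Schnorr signature over a subgroup of Z_p^*, standing in for
# EdDSA / deterministic ECDSA. 64-bit safe prime, SHA-256. Not for real use.
import hashlib
import secrets

def is_prime(n):
    """Deterministic Miller-Rabin; these 12 bases are exact for n < 3.3e24."""
    if n < 2:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Smallest safe prime p = 2q+1 with prime q >= 2^(bits-1); deterministic."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(64)   # modulus and prime subgroup order (toy size)
G = 4                   # a square != 1 mod a safe prime has order exactly Q

def H(*parts):
    """Hash length-prefixed parts (ints as 16 bytes) into Z_Q."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes(16, "big")
        h.update(len(part).to_bytes(2, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q

def corrupt_byte(pos, delta):
    """Assumed fault model: one byte of the message copy fed to the hash flips."""
    return lambda m: bytes(b ^ (delta if i == pos else 0) for i, b in enumerate(m))

def sign(sk, msg, noise=b"", glitch=None):
    """Deterministic Schnorr: k = H(x, msg) as in EdDSA / RFC 6979.  `noise` is
    the XEdDSA-style hedge; `glitch` is a fault landing after k and R are fixed."""
    x, pk = sk
    k = H(b"nonce", x, noise, msg)
    R = pow(G, k, P)
    m = msg if glitch is None else glitch(msg)
    e = H(b"chal", R, pk, m)
    return R, (k + e * x) % Q

def verify(pk, msg, sig):
    R, s = sig
    e = H(b"chal", R, pk, msg)
    return pow(G, s, P) == R * pow(pk, e, P) % P

def sign_checked(sk, msg, noise=b"", glitch=None):
    """Verify-before-release: withhold any signature that fails self-check."""
    sig = sign(sk, msg, noise, glitch)
    if not verify(sk[1], msg, sig):
        raise RuntimeError("signature failed self-check; possible fault")
    return sig

def recover_key(pk, msg, good, bad):
    """Attacker view: if both signatures share R (same k), s - s' = (e - e') * x,
    so x follows once e' is found by enumerating single-byte message faults."""
    (R, s), (R2, s2) = good, bad
    if R != R2:
        return None                 # different nonces: nothing cancels
    e = H(b"chal", R, pk, msg)
    for pos in range(len(msg)):
        for delta in range(1, 256):
            e2 = H(b"chal", R, pk, corrupt_byte(pos, delta)(msg))
            if e2 != e:
                x = (s - s2) * pow(e - e2, -1, Q) % Q
                if pow(G, x, P) == pk:
                    return x
    return None

def demo():
    x = H(b"key", b"constructed demo seed") or 1
    sk, msg = (x, pow(G, x, P)), b"transfer 10 to bob"   # constructed inputs
    fault = corrupt_byte(4, 0x20)
    good = sign(sk, msg)
    leaked = recover_key(sk[1], msg, good, sign(sk, msg, glitch=fault)) == x
    hedged = sign(sk, msg, noise=secrets.token_bytes(32), glitch=fault)
    hedged_leaked = recover_key(sk[1], msg, good, hedged) is not None
    try:
        sign_checked(sk, msg, glitch=fault)
        withheld = False
    except RuntimeError:
        withheld = True
    return leaked, hedged_leaked, withheld   # (True, False, True)
```

`demo()` returns `(True, False, True)`: the plain deterministic signer leaks its key from a single faulted signature, the hedged signer does not (the attacker has no second signature under the same nonce to subtract), and `sign_checked` refuses to emit the faulted signature at all. The self-check costs one verification per signature, which is the trade-off the post's "depending on whether circumstances / threat models permit it" refers to; note also that a fault landing before the nonce is fixed, or one that hits the verification itself, is outside this model.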