Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt

Tony Arcieri <> Tue, 17 December 2019 17:30 UTC

From: Tony Arcieri <>
Date: Tue, 17 Dec 2019 09:30:06 -0800
Message-ID: <>
To: John Mattsson <>
Cc: "" <>
Subject: Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt
List-Id: Crypto Forum Research Group <>

This looks like a good document (so far you've managed to cover every nit I
had to pick with it); however, I think it might be a bad idea to describe
your construction as "with Noise", in order to prevent confusion with the
Noise Protocol, which among other things supports an Ed25519 signature
extension (which can, if one so desires, be used with XEdDSA):

Perhaps "with Added/Additional Entropy" instead?

On Tue, Dec 17, 2019 at 8:53 AM John Mattsson <john.mattsson=> wrote:

> Hi,
>
> I read up a lot more on recent research on side-channel and fault
> injection attacks on deterministic ECC signatures. This has increased my
> understanding that deterministic ECC signatures should not be recommended
> in environments where side-channel and fault injection attacks are a
> concern. One such environment is IoT deployments where the adversary can be
> assumed to have access to devices to induce faults and measure
> side-channels.
>
> As many such embedded devices also lack a good RNG, none of the currently
> standardized fully-randomized or fully-deterministic ECC signature
> algorithms seems like a good choice. I therefore think there is a need to
> specify deterministic ECC signatures with noise.
>
> My colleagues and I started to write a draft specifying how random noise
> can be added to the otherwise deterministic calculation of the per-message
> secret number. We ended up not proposing the solution chosen in XEdDSA as
> at least one research paper claims that XEdDSA does prevent their attack
> due to insufficient mixing of the hashed private key with the random noise.
>
> The current document aims to give a quite broad overview with many
> references, suggests one possible construction for deterministic ECDSA and
> EdDSA, and lists several issues and TODOs. It should be discussed what the
> best construction is for achieving protection against fault and
> side-channel attacks, simplicity and ease of implementation, as well as
> efficiency. Comments are very welcome!
> Cheers,
> John
> -----Original Message-----
> From: "" <>
> Date: Tuesday, 17 December 2019 at 16:33
> To: John Mattsson <>, John Mattsson <>, Sini Ruohomaa <>,
> Erik Thormarker <>
> Subject: New Version Notification for
> draft-mattsson-cfrg-det-sigs-with-noise-00.txt
>     A new version of I-D, draft-mattsson-cfrg-det-sigs-with-noise-00.txt
>     has been successfully submitted by John Preuß Mattsson and posted to the
>     IETF repository.
>
>     Name:               draft-mattsson-cfrg-det-sigs-with-noise
>     Revision:           00
>     Title:              Deterministic ECDSA and EdDSA Signatures with Noise
>     Document date:      2019-12-17
>     Group:              Individual Submission
>     Pages:              14
>     URL:
>     Status:
>     Htmlized:
>     Htmlized:
>
>     Abstract:
>        Deterministic elliptic-curve signatures such as deterministic ECDSA
>        and EdDSA have gained popularity over randomized ECDSA as their
>        security does not depend on a source of high-quality randomness.
>        Recent research has however found that implementations of these
>        signature algorithms may be vulnerable to certain side-channel and
>        fault injection attacks due to their determinism.  One countermeasure
>        to such attacks is to add noise to the otherwise deterministic
>        calculation of the per-message secret number.  This document updates
>        RFC 6979 and RFC 8032 to recommend constructions with noise for
>        deployments where side-channel attacks and fault injection attacks
>        are a concern.
>
>     Please note that it may take a couple of minutes from the time of
>     submission until the htmlized version and diff are available at
>
>     The IETF Secretariat

Tony Arcieri