Re: [CFRG] I-D Action: draft-mattsson-cfrg-det-sigs-with-noise-04.txt

Simon Josefsson <simon@josefsson.org> Thu, 07 July 2022 15:39 UTC

From: Simon Josefsson <simon@josefsson.org>
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
References: <164493324573.22863.15859271870428744396@ietfa.amsl.com> <HE1PR0701MB3050EC9F0B5F3160809AC17289349@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Date: Thu, 07 Jul 2022 17:39:06 +0200
In-Reply-To: <HE1PR0701MB3050EC9F0B5F3160809AC17289349@HE1PR0701MB3050.eurprd07.prod.outlook.com> (John Mattsson's message of "Tue, 15 Feb 2022 14:00:19 +0000")
Message-ID: <87zghlhqzp.fsf@latte.josefsson.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EuHdNSQf_bsMWemjvbec-hTbWkw>

Hi

I believe this document should not update/modify the core EdDSA/ECDSA
algorithms but instead it should specify new names for the alternative
EdDSA/ECDSA variant it is attempting to introduce.

It would cause confusion to modify a tiny but security-critical piece of
a crypto algorithm, that is only applicable to certain environments, and
continue to use the same name for the new algorithm that has different
security properties.

I suggest using the name 'R*' for the variants, e.g., 'REd25519ph',
'REd25519ctx', 'REd25519', etc.

Then any IoT specification that wants to use the REd25519 variant can do
so clearly, and those specifications/implementations that do not want to
use it are not put at risk by using a library that implements 'Ed25519'
that happens to have adopted this modification.

/Simon

John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> writes:

> Hi,
>
> We have updated based on the comments received during the adoption call as well as errata pointed out more recently on the list:
>
> - Ilari Liusvaara and Ruggero Susella pointed out that the draft mixes up bits and bytes in some places. Carsten Bormann commented on bytes vs. octets. The -04 version used only "octets" to align with RFC 8032.
>
> - Ilari pointed out that context might be bigger than 128 bytes. Changed to multiple of 128/136 octets.
>
> - Jim Schaad expressed strong support for the use of KMAC together with SHAKE. Support also from Janos Follath. -04 added a new paragraph stating that HMAC MAY be used but KMAC is RECOMMENDED when SHAKE is used.
>
> - Added a sentence that deterministic signatures are not secure in a multi-sign setting, with a reference to FROST.
>
> - Based on a comment from Phillip Hallam-Baker, more text on the benefits of deterministic signatures was added: "This makes verification of implementations easier."
>
> - Based on a comment from Jim Schaad, it was added clearly early in the document that the updates are "invisible to the validator of the signature". Makes me sad that this was very likely the last time I added Jim's name to an Acknowledgments section....
>
> Comments and issues that have not been addressed yet are summarized in Section 6 of the draft.
>
> Cheers,
> John
>
>
> From: CFRG <cfrg-bounces@irtf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
> Date: Tuesday, 15 February 2022 at 14:54
> To: i-d-announce@ietf.org <i-d-announce@ietf.org>
> Cc: cfrg@ietf.org <cfrg@ietf.org>
> Subject: [CFRG] I-D Action: draft-mattsson-cfrg-det-sigs-with-noise-04.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Crypto Forum RG of the IRTF.
>
>         Title           : Deterministic ECDSA and EdDSA Signatures with Additional Randomness
>         Authors         : John Preuß Mattsson
>                           Erik Thormarker
>                           Sini Ruohomaa
>         Filename        : draft-mattsson-cfrg-det-sigs-with-noise-04.txt
>         Pages           : 16
>         Date            : 2022-02-15
>
> Abstract:
>    Deterministic elliptic-curve signatures such as deterministic ECDSA
>    and EdDSA have gained popularity over randomized ECDSA as their
>    security does not depend on a source of high-quality randomness.
>    Recent research has however found that implementations of these
>    signature algorithms may be vulnerable to certain side-channel and
>    fault injection attacks due to their determinism.  One countermeasure
>    to such attacks is to re-add randomness to the otherwise
>    deterministic calculation of the per-message secret number.  This
>    document updates RFC 6979 and RFC 8032 to recommend constructions
>    with additional randomness for deployments where side-channel attacks
>    and fault injection attacks are a concern.  The updates are invisible
>    to the validator of the signature and compatible with existing ECDSA
>    and EdDSA validators.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-mattsson-cfrg-det-sigs-with-noise/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-mattsson-cfrg-det-sigs-with-noise-04.html
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-mattsson-cfrg-det-sigs-with-noise-04
>
>
> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
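As an added illustration (not code from the draft, from anyone on this thread, or from any library), here is the Ed25519 per-message nonce derivation of RFC 8032 beside a randomised variant in the shape the draft's abstract and the -04 changelog describe; the 32-octet Z, its position right after prefix, and the zero padding up to a multiple of the 128-octet SHA-512 block (136 for SHAKE256) are assumptions about the draft's exact layout, so check the draft before relying on them. Only the nonce derivation differs between the two, which is the property the abstract calls "invisible to the validator" and the one Simon's naming point turns on.

```python
import hashlib
import secrets

# Ed25519 group order L (RFC 8032, Section 5.1)
L_ORDER = 2**252 + 27742317777372353535851937790883648493
SHA512_BLOCK = 128  # octets per SHA-512 block; SHAKE256 (Ed448) would use its 136-octet rate

def expand_secret(sk: bytes) -> tuple:
    """RFC 8032 5.1.5: SHA-512(sk) gives the clamped scalar s and the 32-octet prefix."""
    h = hashlib.sha512(sk).digest()
    a = bytearray(h[:32])
    a[0] &= 248
    a[31] &= 127
    a[31] |= 64
    return int.from_bytes(a, "little"), h[32:]

def dom2(flag: int, ctx: bytes) -> bytes:
    """dom2(F, C) from RFC 8032 5.1: empty for plain Ed25519, a domain string for ph/ctx."""
    if flag == 0 and not ctx:
        return b""
    return b"SigEd25519 no Ed25519 collisions" + bytes([flag, len(ctx)]) + ctx

def nonce_deterministic(prefix: bytes, msg: bytes, flag: int = 0, ctx: bytes = b"") -> int:
    """RFC 8032 5.1.6 step 2: r = SHA-512(dom2 || prefix || M) mod L. Same input, same r."""
    digest = hashlib.sha512(dom2(flag, ctx) + prefix + msg).digest()
    return int.from_bytes(digest, "little") % L_ORDER

def nonce_with_noise(prefix: bytes, msg: bytes, flag: int = 0, ctx: bytes = b"", z=None) -> int:
    """Randomised variant (assumed layout): 32 fresh random octets Z follow the prefix, then zero
    padding makes everything before M a whole number of hash blocks, so M starts on a block
    boundary. If the RNG is poor, Z only adds to what the deterministic path already hashes."""
    z = secrets.token_bytes(32) if z is None else z
    head = dom2(flag, ctx) + prefix + z
    head += b"\x00" * (-len(head) % SHA512_BLOCK)
    digest = hashlib.sha512(head + msg).digest()
    return int.from_bytes(digest, "little") % L_ORDER

def padded_head_len(prefix: bytes, flag: int = 0, ctx: bytes = b"") -> int:
    """Octets of dom2 || prefix || Z || pad: a block multiple even with a context over 128 octets."""
    head_len = len(dom2(flag, ctx)) + len(prefix) + 32
    return head_len + (-head_len % SHA512_BLOCK)

if __name__ == "__main__":
    _, prefix = expand_secret(secrets.token_bytes(32))  # constructed throwaway key
    msg = b"constructed sample message"
    print(nonce_deterministic(prefix, msg) == nonce_deterministic(prefix, msg))  # True
    print(nonce_with_noise(prefix, msg) == nonce_with_noise(prefix, msg))        # False
    print(padded_head_len(prefix, 1, b"x" * 200))  # 384: a long context needs three blocks
```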