Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms

"David W. Kravitz" <> Wed, 19 September 2012 22:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7129721E804E for <>; Wed, 19 Sep 2012 15:40:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.002
X-Spam-Status: No, score=0.002 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Tw0501FFuvtn for <>; Wed, 19 Sep 2012 15:40:35 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 92ACC21E8048 for <>; Wed, 19 Sep 2012 15:40:35 -0700 (PDT)
Received: from hatemtlaptop ([unknown] []) by (Sun Java(tm) System Messaging Server 7u2-7.02 32bit (built Apr 16 2009)) with ESMTPA id <> for; Wed, 19 Sep 2012 17:40:09 -0500 (CDT)
From: "David W. Kravitz" <>
References: <> <>
In-reply-to: <>
Date: Wed, 19 Sep 2012 18:40:01 -0400
Message-id: <002801cd96b7$b7c38c80$274aa580$>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="----=_NextPart_000_0029_01CD9696.30B4F9C0"
X-Mailer: Microsoft Outlook 14.0
Thread-index: AQJZjD1WbN3mB22kfgMwgvHZe2e5lAHYBuGklmuTzgA=
Content-language: en-us
Subject: Re: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA Digital Signature Algorithms
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 19 Sep 2012 22:40:38 -0000

Hi all,


Comments below.



Jon Callas, David W. Kravitz, and Phil Zimmermann


The required security attributes for the safe use of HMAC in this draft are
more nuanced than the description currently conveys.  Consider the following
two excerpts of the draft from the Security Considerations (section 5):
"Security relies on whether the generation of 'k' is indistinguishable from
the output of a Random Oracle.  Roughly speaking, HMAC_DRBG is secure in
that role as long as HMAC behaves as a PRF (Pseudo-Random Function)."   "One
remaining issue with deterministic (EC)DSA, as presented in this document,
is the "double use" of the private key 'x', both as private key in the
signature generation algorithm itself, and as input to the HMAC_DRBG-based
pseudo-random oracle for producing the 'k' value.  This requires HMAC_DRBG
to keep on being a random oracle, even when the public key (which is
computed from 'x') is also known.  Given the lack of common structure
between HMAC and discrete logarithm, this seems a reasonable assumption."
Any discussion in the literature of "random oracle" is typically with
respect to "a publicly accessible random function" (as, for example, in
"Indifferentiability, Impossibility Results on Reductions, and Applications
to the Random Oracle Methodology," by U. Maurer, R. Renner, and C.
Holenstein, But
as HMAC_DRBG is specified in the draft document (with null internal state
per "Note that we instantiate a new HMAC_DRBG instance for each signature
generation process," and "double use" of the private key 'x'), given any
single output of HMAC_DRBG, all other outputs are completely distinguishable
from the output of an arbitrary truly random function. In other words, given
a single 'k' value that was generated using HMAC_DRBG as specified, any
other 'k' value(s) recovered from 's' by using 'r', 'H(m)' and the
no-longer-private value of 'x' can be determined as having been generated
using HMAC_DRBG as specified. Note that even if no values of 'k' are
disclosed, the use of null internal state would be problematic in an
application relying on a DRBG where repeated outputs are unacceptable.


So, given that neither (pseudo-)random oracle nor the
next-output-bits-given-previous-output-bits- uncertainty property of DRBG is
achieved within the context of the actual (EC)DSA application, we can use a
simpler formulation here. An example of such is HMAC('x', H(m)||Counter),
where Counter is reinitialized for each signature generation process
instance and potential bias is addressed by deriving 'k' using  a single
Counter value as in [FIPS PUB 186-3] B.2.2 (Per-Message Secret Number
Generation by Testing Candidates), or multiple Counter values are used as in
B.2.1 (Per-Message Secret Number Generation Using Extra Random Bits).


Note that in the case where multiple entities have knowledge of 'x' (which
may complicate non-repudiation), deterministic generation of 'k' has the
effect that the potential subliminal/covert channel is replaced by a MAC
property. That is, any entity with knowledge of 'x' can verify the integrity
of 'm' using 's' while ignoring both the transmitted value of 'r', and 'y'
or 'U' (where y = g^x mod p in DSA or U = xG in ECDSA). 


It might also be prudent to indicate in the Security Considerations section
that the use of wholly deterministic generation of 'k', while not adversely
affecting the security of (EC)DSA itself and enabling an implementation to
be safely tested using dummy values of 'x', may have a deleterious effect
against resistance to side-channel attacks such as DPA (as opposed to
"masking" using a true RNG).



From: "David McGrew (mcgrew)" <>

Subject: [Cfrg] call for review: Deterministic Usage of DSA and ECDSA
Digital Signature Algorithms

Date: September 13, 2012 7:40:41 AM PDT

To: "" <>




Thomas has updated his individual submission on deterministic [EC]DSA.   I
think this is useful work that deserves to move forward to RFC, and that the
research group should support it (based on my own opinion and the positive
feedback on the list regarding version -00).   Please take a look at the
draft if you have an opinion on digital signatures, and let Thomas know if
you have constructive criticism.   Verification of the test cases, and
review of the security considerations, would be especially helpful.







Cfrg mailing list