IETF Logo Mail Archive

Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt

John Mattsson <john.mattsson@ericsson.com> Mon, 09 March 2020 21:04 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BECCC3A1756 for <cfrg@ietfa.amsl.com>; Mon, 9 Mar 2020 14:04:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jrUHD92FxBCC for <cfrg@ietfa.amsl.com>; Mon, 9 Mar 2020 14:04:07 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130043.outbound.protection.outlook.com [40.107.13.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9699D3A178D for <cfrg@irtf.org>; Mon, 9 Mar 2020 14:04:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VCOm6611/5ID8zNa2bvLHezaBneUaDmaFatGksD8GQ7YP6tHBFYaP8i0p8fQl/E5R86tyj4W7RIE41KYbEj3kXBLBBG0oYRz/p30XGS6CQ6Jlfd3DKtJCjrnMaKJGrKSuA69QYqJqnTRiKXFAC04q8/WR4XVvWyuhefB3mg+99dCVvUQ9VJu0krrQSfUGCcjX1SmZjo+kTqW7qi7bA4B2tQZMARWujIafoa1AZVBvoy/ZGrJyODum2xoXQ/QMBGWOWHaMUPn8wEjxrkTk5UN6IlVw6JTUlXirwPxrmmkOqK0skjXVgUF6g+e3LQROlWC4lLf/8Ehlckd7xryl6fPEw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=fIEbXFvE4uvh+H7S1X2DrwpkVfqd8OTlt6Ux2GqgJ+k=; b=cNguC3egLHswuNFd2q2NMx9CvPjuELxXHK0OYyF/KNFfoVMl8ZDkx87Hf9u2vNB47qn5Ve/P5w/2l+S+SpfIng4+u4nf6z5rmzOad1G/lxNrOfeG/gHUFFymFkqYvzZokjHLBFvYYNeJb/5TJrCaHy+dM7plt1/5+zklAsjRxIK2KxRTn7GkXM8Cdk1heteptLSGol5ByW4Ru3Oa5ts0jLyVePL19B7kt3aCpOTbIlDtBPyvWKA71iPAOyBI9nU1KeGsKyrUoFHZhpHqKdhQm8PEKle6jY++jEnY76F7d7dEE4tHDe11etInQu3FFIfXGb++B7dmy6xght/bda/nqw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=fIEbXFvE4uvh+H7S1X2DrwpkVfqd8OTlt6Ux2GqgJ+k=; b=egk/r5kqPfE2QePhUaEbj5sApioLanowjiGM3bnooyszksBK0uy4RRj961jVnhqvvd1XTduK07U+MGUIB2JgJSllGdSU/vlDiYNJbjt86beYYfQusfYxdd+TFTQ259OfZcxb4LUx2+2I3Qg10AUa691zSl/NBo+N4PYN1uvknPw=
Received: from AM6PR07MB4134.eurprd07.prod.outlook.com (52.134.114.155) by AM6PR07MB4136.eurprd07.prod.outlook.com (52.134.116.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2814.9; Mon, 9 Mar 2020 21:03:59 +0000
Received: from AM6PR07MB4134.eurprd07.prod.outlook.com ([fe80::501f:822f:f9b5:eb71]) by AM6PR07MB4134.eurprd07.prod.outlook.com ([fe80::501f:822f:f9b5:eb71%7]) with mapi id 15.20.2814.007; Mon, 9 Mar 2020 21:03:59 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Tony Arcieri <bascule@gmail.com>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt
Thread-Index: AQHVtO9lOZJrcNc7J0+AzBoiSFtzNKe+m+GA///5fgCAgr4FAA==
Date: Mon, 09 Mar 2020 21:03:59 +0000
Message-ID: <0E1DBF2E-28F0-4EFB-8F91-41C2A994F43F@ericsson.com>
References: <157659682819.26470.8755515351900237330.idtracker@ietfa.amsl.com> <E6D46D5C-2BDA-466D-A2BF-46FC39605B8E@ericsson.com> <CAHOTMVJbpSUureq6V4pdZbHS2otF6CkchFYdTvCjB_CxxANijA@mail.gmail.com>
In-Reply-To: <CAHOTMVJbpSUureq6V4pdZbHS2otF6CkchFYdTvCjB_CxxANijA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.22.0.200209
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f9cdadfd-138b-4a32-eed2-08d7c46d639b
x-ms-traffictypediagnostic: AM6PR07MB4136:
x-microsoft-antispam-prvs: <AM6PR07MB4136405C0AC6A97A93B25AD989FE0@AM6PR07MB4136.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 0337AFFE9A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(346002)(396003)(136003)(376002)(366004)(199004)(189003)(33656002)(91956017)(478600001)(2906002)(86362001)(966005)(110136005)(4001150100001)(316002)(66574012)(66946007)(53546011)(8936002)(81156014)(71200400001)(36756003)(5660300002)(6506007)(8676002)(76116006)(66446008)(66476007)(64756008)(66556008)(81166006)(6486002)(15650500001)(26005)(186003)(6512007)(44832011)(4326008)(2616005); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR07MB4136; H:AM6PR07MB4134.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: mjkl9uQuTTz3eVFc+j53g5NIGhGrGGjubifcxj7eK6bxLOKOMbr5YMicTPJTtlbvu+aYgRTj2BpUMkxK5anq8UF8MtaTIH9I8/UbxktEbzFM72wv+Wyba+whr0GG+7zTyGOEJ+oo6PpnsICARxIjeyWKktjqcDiQARZUu7ZPswaMYUe+jtNmFNeS9kUj/XjQJhi4TEMpgRQzujXa/aFIk9Kw2TXsoYumolFULCCiacr15PlnR6myfLtMBZMB3s1bTUBluiUk9TnoK6TSaoprnadyWR4e5Rt6vviGT4fu2gU428o+ZCcb1VcU6fWJCrNTdX5FP+HKP7PDYAbR2Mh4ggMcjnilsjliC9Slu7PCSCp2Vr1eB5uBOGhaIB/LhJwC0aDYX3gub/wgA3cttwBIMNh6dvT2p12rvIyYvb0UZtLrpSpb+kXtPwjoDlRzKcb5GLRB15Di9htqxrotgxnO6h9x+ikaljqw2k15suwa5D69aWIcILcz0haBcLrDHzs9ww7ktmTDDBAjbGipSm7X9w==
x-ms-exchange-antispam-messagedata: 2Xewe+KbRTLgnnfHB/PhT5QP2kA/+kcUc25vxNGqRLxa4xc3nJpoWb/KA4/p6/6F3Gnqr39OxZR089KBUlzWPlT5QZGhLYvwkLZfceYEs12QdTjEE5/5y70lkg9kscyYYpuOzePH0D18KggzvmTgXw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_0E1DBF2E28F04EFB8F9141C2A994F43Fericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f9cdadfd-138b-4a32-eed2-08d7c46d639b
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Mar 2020 21:03:59.6068 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: BDH9OtAQ0DKqz7q2Qj9cud93j/ZAe9o7Td1cbQ2guMU5woW7TG8Rg8DtXMufpf8J7bMVK4CzaDCWQUuYnHuJD5Lk8/8rh5Am6yBm4BT3uPk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB4136
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/IO54RWFOVBsuEcpV5rf72edTNX8>
Subject: Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2020 21:04:17 -0000

Thanks Tony,

Good suggestion, the name is also confusing for another reason, the side-channel descriptions of the draft use noise when talking to signal-to-noise. I’ll update the document to “Additional randomness” as entropy has precise but different meanings in various fields.

Cheers,
John


From: Cfrg <cfrg-bounces@irtf.org> on behalf of Tony Arcieri <bascule@gmail.com>
Date: Tuesday, 17 December 2019 at 18:30
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt

This looks like a good document (so far you've managed to cover every nit I had to pick with it), however I think it might be a bad idea to describe your construction as "with Noise", in order to prevent confusion with the Noise Protocol, which among other things supports an Ed25519 signatures extension (which can, if one so desires, be used with XEdDSA):


https://noiseprotocol.org/<https://protect2.fireeye.com/v1/url?k=33cd4452-6f4766bb-33cd04c9-0cc47ad93e2e-a6467ecaa96f7be5&q=1&e=5b52830d-ee57-4f08-9055-29945f9eaa50&u=https%3A%2F%2Fnoiseprotocol.org%2F>


Perhaps "with Added/Additional Entropy" instead?

On Tue, Dec 17, 2019 at 8:53 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org<mailto:40ericsson.com@dmarc.ietf.org>> wrote:
Hi,

I read up a lot more on recent research on side-channel and fault injection attacks on deterministic ECC signatures. This has increased my understanding that deterministic ECC signatures should not be recommended in environments where side-channel and fault injection attacks are a concern. One such environment is IoT deployments where the adversary can be assumed to have access to devices to induce faults and measure side-channels.

As many such embedded devices also lacks a good RNG, none of the currently standardized fully-randomized or fully-deterministic ECC signature algorithms seems like a good choice. I therefore think there is a need to specify deterministic ECC signatures with noise.

My colleagues and I started to write a draft specifying how a random noise can be added to the otherwise deterministic calculation of the per-message secret number. We ended up not proposing the solution chosen in XEdDSA as at least one research paper claims that XEdDSA does prevent their attack due to insufficient mixing of the hashed private key with the random noise.

The current document aims to give a quite broad overview with many references, suggests one possible construction for deterministic ECDSA and EdDSA, and lists several issues and TODOs. It should be discussed what the best construction is for achieving protection against fault and side-channel attacks, simplicity and ease of implementation, as well as efficiency. Comments are very welcome!

Cheers,
John

-----Original Message-----
From: "internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>" <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>
Date: Tuesday, 17 December 2019 at 16:33
To: John Mattsson <john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com>>, John Mattsson <john.mattsson@ericsson.com<mailto:john.mattsson@ericsson.com>>, Sini Ruohomaa <sini.ruohomaa@ericsson.com<mailto:sini.ruohomaa@ericsson.com>>, Erik Thormarker <erik.thormarker@ericsson.com<mailto:erik.thormarker@ericsson.com>>
Subject: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt


    A new version of I-D, draft-mattsson-cfrg-det-sigs-with-noise-00.txt
    has been successfully submitted by John Preuß Mattsson and posted to the
    IETF repository.

    Name:               draft-mattsson-cfrg-det-sigs-with-noise
    Revision:   00
    Title:              Deterministic ECDSA and EdDSA Signatures with Noise
    Document date:      2019-12-17
    Group:              Individual Submission
    Pages:              14
    URL:            https://www.ietf.org/internet-drafts/draft-mattsson-cfrg-det-sigs-with-noise-00.txt<https://www.ietf.org/internet-drafts/draft-mattsson-cfrg-det-sigs-with-noise-00..txt>
    Status:         https://datatracker.ietf.org/doc/draft-mattsson-cfrg-det-sigs-with-noise/
    Htmlized:       https://tools.ietf.org/html/draft-mattsson-cfrg-det-sigs-with-noise-00
    Htmlized:       https://datatracker.ietf.org/doc/html/draft-mattsson-cfrg-det-sigs-with-noise


    Abstract:
       Deterministic elliptic-curve signatures such as deterministic ECDSA
       and EdDSA have gained popularity over randomized ECDSA as their
       security do not depend on a source of high-quality randomness.
       Recent research has however found that implementations of these
       signature algorithms may be vulnerable to certain side-channel and
       fault injection attacks due to their determinism..  One countermeasure
       to such attacks is to add noise to the otherwise deterministic
       calculation of the per-message secret number.  This document updates
       RFC 6979 and RFC 8032 to recommend constructions with noise for
       deployments where side-channel attacks and fault injection attacks
       are a concern.




    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org>.

    The IETF Secretariat



_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg<https://protect2.fireeye.com/v1/url?k=54f3cc81-0879ee68-54f38c1a-0cc47ad93e2e-4e1e45c3b2b270c4&q=1&e=5b52830d-ee57-4f08-9055-29945f9eaa50&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg>


--
Tony Arcieri

v2.23.0 | Report a Bug | By Email