Re: [CFRG] I-D Action: draft-irtf-cfrg-det-sigs-with-noise-03.txt

John Mattsson <john.mattsson@ericsson.com> Sat, 16 March 2024 14:44 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/LM38bHotrmDuie1I19msc_gqt_Q>

Hi,
We have just uploaded version -03 of Hedged ECDSA and EdDSA Signatures.

- Several of the changes are due to Danny Niu, who pointed out that different Zd and Zf are not compatible with HMAC_DRBG and that the output length recommendations for KMAC led to unnecessarily many iterations. Danny has also promised to provide test vectors. The plan is to provide test vectors of the form

MESSAGE = { }
SECRET KEY = { }
RANDOM DATA = { }
SIGNATURE = { }

which allows testing implementations. This has been requested by several people.

Changes from -02 to -03:

   *  Same randomness Z in step d and f to align with HMAC_DRBG.

   *  Changed Hedged EdDSA order to 0x00 || Z || dom2(F, C) instead of
      dom2(F, C) || Z.  This avoids collisions with RFC 8032 and aligns
      with Bernstein's recommendation to put Z before the context.

   *  Changed KMAC output length recommendations to avoid multiple
      invocations.

   *  Updated some text to align with the hedged signatures/signing
      terminology.

   *  Added more description about the construction.

   *  Editorial changes.

Changes from -01 to -02:

   *  Different names Zd and Zf for the randomness in ECDSA.

   *  Added empty test vector section as TODO.

Cheers,
John Preuß Mattsson

From: CFRG <cfrg-bounces@irtf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Date: Sunday, 17 March 2024 at 00:23
To: i-d-announce@ietf.org <i-d-announce@ietf.org>
Cc: cfrg@ietf.org <cfrg@ietf.org>
Subject: [CFRG] I-D Action: draft-irtf-cfrg-det-sigs-with-noise-03.txt
Internet-Draft draft-irtf-cfrg-det-sigs-with-noise-03.txt is now available. It
is a work item of the Crypto Forum (CFRG) RG of the IRTF.

   Title:   Hedged ECDSA and EdDSA Signatures
   Authors: John Preuß Mattsson
            Erik Thormarker
            Sini Ruohomaa
   Name:    draft-irtf-cfrg-det-sigs-with-noise-03.txt
   Pages:   17
   Dates:   2024-03-16

Abstract:

   Deterministic elliptic-curve signatures such as deterministic ECDSA
   and EdDSA have gained popularity over randomized ECDSA as their
   security does not depend on a source of high-quality randomness.
   Recent research, however, has found that implementations of these
   signature algorithms may be vulnerable to certain side-channel and
   fault injection attacks due to their deterministic nature.  One
   countermeasure to such attacks is hedged signatures where the
   calculation of the per-message secret number includes both fresh
   randomness and the message.  This document updates RFC 6979 and RFC
   8032 to recommend hedged constructions in deployments where side-
   channel attacks and fault injection attacks are a concern.  The
   updates are invisible to the validator of the signature and
   compatible with existing ECDSA and EdDSA validators.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-irtf-cfrg-det-sigs-with-noise/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-irtf-cfrg-det-sigs-with-noise-03.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-irtf-cfrg-det-sigs-with-noise-03

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

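The ECDSA change listed in the -03 changelog (the same randomness Z in HMAC_DRBG steps d and f) and the hedged construction summarised in the abstract, as an added example that is not the draft's or the authors' code: a pure-Python P-256 nonce derivation in which Z is inserted into the HMAC_DRBG provided data after int2octets(x). That placement is an assumption; only the "same Z in both steps" point comes from the mail. With an empty Z it reduces to plain RFC 6979 and reproduces the RFC 6979 A.2.5 test vector, so a verifier cannot tell hedged and deterministic signatures apart.

```python
"""Hedged RFC 6979 nonce derivation for ECDSA over P-256 (SHA-256)."""
import hashlib
import hmac
import secrets

# Public curve constants: the P-256 group order n and the byte length of a scalar.
N_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
QLEN = 32

# RFC 6979 A.2.5 test vector: private key and the k expected for message "sample".
RFC6979_X = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
RFC6979_K_SAMPLE = 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60


def bits2int(b: bytes, qlen_bits: int) -> int:
    """RFC 6979 2.3.2: keep the leftmost qlen bits of the input."""
    v = int.from_bytes(b, "big")
    excess = len(b) * 8 - qlen_bits
    return v >> excess if excess > 0 else v


def bits2octets(b: bytes, n: int, qlen: int) -> bytes:
    """RFC 6979 2.3.4: bits2int, reduce mod n, then int2octets."""
    return (bits2int(b, n.bit_length()) % n).to_bytes(qlen, "big")


def fresh_z(nbytes: int = 32) -> bytes:
    """Fresh hedging randomness from the OS CSPRNG."""
    return secrets.token_bytes(nbytes)


def hedged_nonce(x: int, msg: bytes, z: bytes = b"", n: int = N_P256, qlen: int = QLEN) -> int:
    """RFC 6979 section 3.2 with hedging randomness Z added to steps d and f.

    ASSUMPTION (not from the mail): Z sits between int2octets(x) and
    bits2octets(h1) in the provided data. The same Z is used in step d
    (separator 0x00) and step f (separator 0x01), as HMAC_DRBG requires.
    An empty Z gives exactly deterministic ECDSA per RFC 6979.
    """
    h1 = hashlib.sha256(msg).digest()                                  # step a
    v = b"\x01" * 32                                                    # step b
    k = b"\x00" * 32                                                    # step c
    data = x.to_bytes(qlen, "big") + z + bits2octets(h1, n, qlen)      # x || Z || h1
    k = hmac.new(k, v + b"\x00" + data, hashlib.sha256).digest()       # step d
    v = hmac.new(k, v, hashlib.sha256).digest()                        # step e
    k = hmac.new(k, v + b"\x01" + data, hashlib.sha256).digest()       # step f, same Z
    v = hmac.new(k, v, hashlib.sha256).digest()                        # step g
    while True:                                                         # step h
        t = b""
        while len(t) < qlen:
            v = hmac.new(k, v, hashlib.sha256).digest()
            t += v
        cand = bits2int(t, n.bit_length())
        if 1 <= cand < n:
            return cand
        k = hmac.new(k, v + b"\x00", hashlib.sha256).digest()          # retry path
        v = hmac.new(k, v, hashlib.sha256).digest()
```

Two calls with the same key, message and Z return the same k (reproducible for testing against vectors of the MESSAGE / SECRET KEY / RANDOM DATA / SIGNATURE form), while a fresh Z per signature yields a different k each time.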