[Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt

John Mattsson <john.mattsson@ericsson.com> Tue, 17 December 2019 16:53 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22368120B83 for <cfrg@ietfa.amsl.com>; Tue, 17 Dec 2019 08:53:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lO2IaM8bF5to for <cfrg@ietfa.amsl.com>; Tue, 17 Dec 2019 08:53:27 -0800 (PST)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20046.outbound.protection.outlook.com [40.107.2.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F15A120B01 for <cfrg@irtf.org>; Tue, 17 Dec 2019 08:53:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Xq8VtJhDpbLO4PWoVrg7eSwlZDRy+0/giDlzCBF8pmxezvIsQrzNhwer6xg/IwJpTaFMl/p+cOKHb25vuYHHBIzdA7tUK9VucoWY8Li0EwyAUztydEf5rHAI9atRZjKciD2hzGa2rVKZZI1kN09vVMCXRF9huDbpXcKUyePYQeXb6Yf2XQBq75Tr0X1L4QS4ReSmp83r6L9mLmQAq40HHOUDmd9jW0m7jTL7k8hnXTfT3Ac5eHbp5JifXbv7i5I6j2hJG5//kn2jFOkT1qIFyY7qZPGw1U/A3gr2BrxoDGYRx2qnYWI0YWTxd/41M4qam1rcCUkkbUm7NvZuic3q0w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=29NvdFdqpJN83Nmf8d75TIe/xRgchGr71dkpGbquLj0=; b=U20kgzS0eyNoV21+liqt6bheYHja9uf+kWq3c/D6rpr9At8pxRDdaZx60PgMlsp85Ar2Bf8vtEHikdNkFAGGc2RsfbP6sOms1+OQRBqHhpC+YDw+Gj0qCxKluVexKEg4odhL2I/sBvUAAkGJ1hCTV+xSrEH9+oYZZws4YHS9qMZ2eY5Ea91xDg7xQL0g7b7AVYjWHUSM9FEDwgixvDBM5x1aODik+47LVfdp+0FXobRoO9kQtgTfZc7QRoRL+4ud5pkukbma0jcfmiuJ3muaap76iH+2YLdLxMFwJ3pO4tmPfRDJMIdQmOMSmvSFTAb8mwyWA/ZrNWeOuAOkoU8rKA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=29NvdFdqpJN83Nmf8d75TIe/xRgchGr71dkpGbquLj0=; b=j7FMHQeA7dQVokyWrj6yVS+V+NuCGIvNOU1X8f4PvqwdQ0hCDuAOq+fIklCBgJ1Wp7B/2zTA1BE2uxElaS8WUgpax0PGI8FAazYDf2pMAXd/obMOE8v4GXACp+Nl4dnMNHzUg2Oh0BPkM8lIZHoJ2w0d/W+FD8Qs4t8rbNSan8g=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.165.153) by HE1PR07MB3354.eurprd07.prod.outlook.com (10.170.244.158) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2559.9; Tue, 17 Dec 2019 16:53:23 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::1986:9afa:b0a0:5636]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::1986:9afa:b0a0:5636%7]) with mapi id 15.20.2559.012; Tue, 17 Dec 2019 16:53:23 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt
Thread-Index: AQHVtO9lOZJrcNc7J0+AzBoiSFtzNKe+m+GA
Date: Tue, 17 Dec 2019 16:53:23 +0000
Message-ID: <E6D46D5C-2BDA-466D-A2BF-46FC39605B8E@ericsson.com>
References: <157659682819.26470.8755515351900237330.idtracker@ietfa.amsl.com>
In-Reply-To: <157659682819.26470.8755515351900237330.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1f.0.191110
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 55b1d7fd-5166-4118-9573-08d78311a12d
x-ms-traffictypediagnostic: HE1PR07MB3354:
x-microsoft-antispam-prvs: <HE1PR07MB33545BFA7FE10613974079E389500@HE1PR07MB3354.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 02543CD7CD
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(376002)(136003)(396003)(39860400002)(366004)(13464003)(199004)(189003)(316002)(86362001)(66446008)(4001150100001)(76116006)(33656002)(71200400001)(2616005)(2906002)(6512007)(6916009)(66574012)(6486002)(478600001)(66946007)(66476007)(5660300002)(53546011)(66556008)(8676002)(36756003)(186003)(64756008)(81166006)(81156014)(8936002)(6506007)(15650500001)(91956017)(26005)(44832011)(966005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3354; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: snWTdC+uyKavYqVmrh+zptgYMvSocMHZCF9oF45t7A6u20PxC2GEtp7ISmJMm9HvBFH65EBtNpYnD2eTjFO2oAbnETzfe2Jl+YxpapNJdXo0efDD1W39yvj9ef9UjaOe3zl2oU9Lt22p2m6QOd502DcOzD8UGSIsFdQchHwmGiiyDJdnBDUL7NWcqxBLWam3ucJNfDAW3BI+p+npyBXmC/CLdMvAUnxmSEoJYIV6x4xzjggqDrwo39sX4hSmf2c5X9CNupXbe+Q0sekCXFjJc5XrXqgYmC+jWiVELn9UFXBj03ZYR26O1M4WM81kUwoO6HIp6334APMwhOcvOBarbzAWM4fbaZM0dlXRkUSycExD+v3Xd++6rzkhb+F8MTzcGl8MHvNWrMB8gVr7hrGrFpQG8Fo4lqKKo7gUmFvcc2RkfXcPAJy3qH1neP3wVraIOwo7xr9OTqv0Dt9iDrXEdMBXpMZmEAOrOBBWXonzj0sxVgDh44eZOC9CbdVv98KU/ryUVtv1MP5KrQMRKCN7Ng==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <2A07132F6A8C1B4580470DCAFE230515@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 55b1d7fd-5166-4118-9573-08d78311a12d
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Dec 2019 16:53:23.6007 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: H1Ic4LTvC5LYIjhsRB3kCNNyealp8BD8638TBTyYVQZMZSP9sQ+z/yaTh/yQkLmxqSjf885oWMZjgCXMgj3p2kf9Q2PfOa91UwDGFJs95Co=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3354
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/OPXYXCBX8hIKsIBqwR76pBev8Ks>
Subject: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Dec 2019 16:53:36 -0000

Hi,

I read up a lot more on recent research on side-channel and fault injection attacks on deterministic ECC signatures. This has increased my understanding that deterministic ECC signatures should not be recommended in environments where side-channel and fault injection attacks are a concern. One such environment is IoT deployments where the adversary can be assumed to have access to devices to induce faults and measure side-channels.

As many such embedded devices also lacks a good RNG, none of the currently standardized fully-randomized or fully-deterministic ECC signature algorithms seems like a good choice. I therefore think there is a need to specify deterministic ECC signatures with noise.

My colleagues and I started to write a draft specifying how a random noise can be added to the otherwise deterministic calculation of the per-message secret number. We ended up not proposing the solution chosen in XEdDSA as at least one research paper claims that XEdDSA does prevent their attack due to insufficient mixing of the hashed private key with the random noise.

The current document aims to give a quite broad overview with many references, suggests one possible construction for deterministic ECDSA and EdDSA, and lists several issues and TODOs. It should be discussed what the best construction is for achieving protection against fault and side-channel attacks, simplicity and ease of implementation, as well as efficiency. Comments are very welcome!

Cheers,
John

-----Original Message-----
From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
Date: Tuesday, 17 December 2019 at 16:33
To: John Mattsson <john.mattsson@ericsson.com>om>, John Mattsson <john.mattsson@ericsson.com>om>, Sini Ruohomaa <sini.ruohomaa@ericsson.com>om>, Erik Thormarker <erik.thormarker@ericsson.com>
Subject: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt

    
    A new version of I-D, draft-mattsson-cfrg-det-sigs-with-noise-00.txt
    has been successfully submitted by John Preuß Mattsson and posted to the
    IETF repository.
    
    Name:		draft-mattsson-cfrg-det-sigs-with-noise
    Revision:	00
    Title:		Deterministic ECDSA and EdDSA Signatures with Noise
    Document date:	2019-12-17
    Group:		Individual Submission
    Pages:		14
    URL:            https://www.ietf.org/internet-drafts/draft-mattsson-cfrg-det-sigs-with-noise-00.txt
    Status:         https://datatracker.ietf.org/doc/draft-mattsson-cfrg-det-sigs-with-noise/
    Htmlized:       https://tools.ietf.org/html/draft-mattsson-cfrg-det-sigs-with-noise-00
    Htmlized:       https://datatracker.ietf.org/doc/html/draft-mattsson-cfrg-det-sigs-with-noise
    
    
    Abstract:
       Deterministic elliptic-curve signatures such as deterministic ECDSA
       and EdDSA have gained popularity over randomized ECDSA as their
       security do not depend on a source of high-quality randomness.
       Recent research has however found that implementations of these
       signature algorithms may be vulnerable to certain side-channel and
       fault injection attacks due to their determinism.  One countermeasure
       to such attacks is to add noise to the otherwise deterministic
       calculation of the per-message secret number.  This document updates
       RFC 6979 and RFC 8032 to recommend constructions with noise for
       deployments where side-channel attacks and fault injection attacks
       are a concern.
    
                                                                                      
    
    
    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org.
    
    The IETF Secretariat