Re: [Cfrg] A downside of deterministic DL signatures?

Robert Ransom <> Wed, 30 July 2014 19:30 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E390C1A040A for <>; Wed, 30 Jul 2014 12:30:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aMxXA57i_2UC for <>; Wed, 30 Jul 2014 12:30:27 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c04::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 73B9A1A02F5 for <>; Wed, 30 Jul 2014 12:30:27 -0700 (PDT)
Received: by with SMTP id q108so2501604qgd.9 for <>; Wed, 30 Jul 2014 12:30:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=u/I81tlz6/ozJT80I1YMOi3EcU594KR+hu3x4mnNZTc=; b=tZoh9yTWo+mJB9HZS279gVWgwm+4UyCsruSXPDML2oLthpZUR5C03/wBWQMSJwVF9s PqmRCB0Puwlgi+Iq+b5Z4nQNN4w9fB2web5mzB1z4eFGBoDz/oZBNvfcC9TPmbMjIMUU a2CeEghOWJiDVlNVNn77O971lHDnewXITe4v94y0CQP6vBvxO9fbXcyQbqgoJjHHbZnS G1LOak039MeMDZwBPNO8YRkFrX049t7CYM+LQakCr004rnydgAr4tcpvTY6suznf2fbQ XgqYhWa2Oo+eJS52rPWssG4cyNrgdRYRrQPjNKzRHwKRdN8FCLCOlGRkLBWAWjWRqvP2 hODQ==
MIME-Version: 1.0
X-Received: by with SMTP id 101mr9686927qgu.1.1406748626606; Wed, 30 Jul 2014 12:30:26 -0700 (PDT)
Received: by with HTTP; Wed, 30 Jul 2014 12:30:26 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Wed, 30 Jul 2014 12:30:26 -0700
Message-ID: <>
From: Robert Ransom <>
To: Alyssa Rowan <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [Cfrg] A downside of deterministic DL signatures?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Jul 2014 19:30:29 -0000

On 7/29/14, Alyssa Rowan <> wrote:
> Hash: SHA512
> On 29 July 2014 21:58:47 BST, Dan Brown <> wrote:
>>‎In ECDSA or Schnorr, if the ephemeral private key k depends on the
>>message bring signed, precomputation of kG, an efficiency advantage
>>(reduced latency?), and possibly effective side channel countermeasure
>>(harder to time precomputation), seems precluded. Not being an
>>efficiency or side channel expert, I ask: Does this downside sound
> On the other hand, deterministic signatures can have test vectors - a big
> win - and they don't need an RNG. Less baggage, less worry about
> implementation fingerprinting or even potential kleptography (although
> obviously you should always avoid black boxes too where that last one could
> be a risk!).

Exactly.  I would make deterministic signatures a MUST for any
interoperable long-term signing key, and make an interoperable
deterministic signature generation specification and interoperable
storage/transport format for the associated secret key material a must
for any signature scheme specification.

For *short-term* signing keys which will never be written to disk, it
may make sense to store a counter along with the secret key, and use
that to precompute ephemeral keys for non-deterministic signature
generation.  (I've considered this as part of a key-agreement
protocol.)  But I can't support this approach for any key which may be
written to disk, or which may need to be used in more than one
signature-generation implementation.

Robert Ransom