Re: [Cfrg] A downside of deterministic DL signatures?

Robert Ransom <rransom.8774@gmail.com> Wed, 30 July 2014 19:30 UTC

Return-Path: <rransom.8774@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E390C1A040A for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 12:30:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aMxXA57i_2UC for <cfrg@ietfa.amsl.com>; Wed, 30 Jul 2014 12:30:27 -0700 (PDT)
Received: from mail-qg0-x232.google.com (mail-qg0-x232.google.com [IPv6:2607:f8b0:400d:c04::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73B9A1A02F5 for <cfrg@irtf.org>; Wed, 30 Jul 2014 12:30:27 -0700 (PDT)
Received: by mail-qg0-f50.google.com with SMTP id q108so2501604qgd.9 for <cfrg@irtf.org>; Wed, 30 Jul 2014 12:30:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=u/I81tlz6/ozJT80I1YMOi3EcU594KR+hu3x4mnNZTc=; b=tZoh9yTWo+mJB9HZS279gVWgwm+4UyCsruSXPDML2oLthpZUR5C03/wBWQMSJwVF9s PqmRCB0Puwlgi+Iq+b5Z4nQNN4w9fB2web5mzB1z4eFGBoDz/oZBNvfcC9TPmbMjIMUU a2CeEghOWJiDVlNVNn77O971lHDnewXITe4v94y0CQP6vBvxO9fbXcyQbqgoJjHHbZnS G1LOak039MeMDZwBPNO8YRkFrX049t7CYM+LQakCr004rnydgAr4tcpvTY6suznf2fbQ XgqYhWa2Oo+eJS52rPWssG4cyNrgdRYRrQPjNKzRHwKRdN8FCLCOlGRkLBWAWjWRqvP2 hODQ==
MIME-Version: 1.0
X-Received: by 10.140.26.110 with SMTP id 101mr9686927qgu.1.1406748626606; Wed, 30 Jul 2014 12:30:26 -0700 (PDT)
Received: by 10.140.86.135 with HTTP; Wed, 30 Jul 2014 12:30:26 -0700 (PDT)
In-Reply-To: <258124fc-3f8b-4ea3-9f61-20395e7916c9@email.android.com>
References: <20140729205846.6639765.71649.17355@certicom.com> <258124fc-3f8b-4ea3-9f61-20395e7916c9@email.android.com>
Date: Wed, 30 Jul 2014 12:30:26 -0700
Message-ID: <CABqy+sr9keX8q8Rw+=MbtVQ0VNejevYiM146Q8KCZHbQTmbo2g@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: Alyssa Rowan <akr@akr.io>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/PG04_gNkbSG0OM0iMIuT0BFPdyM
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] A downside of deterministic DL signatures?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 19:30:29 -0000

On 7/29/14, Alyssa Rowan <akr@akr.io> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 29 July 2014 21:58:47 BST, Dan Brown <dbrown@certicom.com> wrote:
>>‎In ECDSA or Schnorr, if the ephemeral private key k depends on the
>>message bring signed, precomputation of kG, an efficiency advantage
>>(reduced latency?), and possibly effective side channel countermeasure
>>(harder to time precomputation), seems precluded. Not being an
>>efficiency or side channel expert, I ask: Does this downside sound
>>right?
>
> On the other hand, deterministic signatures can have test vectors - a big
> win - and they don't need an RNG. Less baggage, less worry about
> implementation fingerprinting or even potential kleptography (although
> obviously you should always avoid black boxes too where that last one could
> be a risk!).

Exactly.  I would make deterministic signatures a MUST for any
interoperable long-term signing key, and make an interoperable
deterministic signature generation specification and interoperable
storage/transport format for the associated secret key material a must
for any signature scheme specification.

For *short-term* signing keys which will never be written to disk, it
may make sense to store a counter along with the secret key, and use
that to precompute ephemeral keys for non-deterministic signature
generation.  (I've considered this as part of a key-agreement
protocol.)  But I can't support this approach for any key which may be
written to disk, or which may need to be used in more than one
signature-generation implementation.


Robert Ransom