IETF Logo Mail Archive

[Cfrg] A downside of deterministic DL signatures?

Dan Brown <dbrown@certicom.com> Tue, 29 July 2014 20:58 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C41C1A011F for <cfrg@ietfa.amsl.com>; Tue, 29 Jul 2014 13:58:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DwfY9MvASDn1 for <cfrg@ietfa.amsl.com>; Tue, 29 Jul 2014 13:58:54 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id 4FC3B1A024C for <cfrg@irtf.org>; Tue, 29 Jul 2014 13:58:51 -0700 (PDT)
Received: from xct107cnc.rim.net ([10.65.161.207]) by mhs212cnc.rim.net with ESMTP/TLS/AES128-SHA; 29 Jul 2014 16:58:49 -0400
Received: from XCT115CNC.rim.net (10.65.161.215) by XCT107CNC.rim.net (10.65.161.207) with Microsoft SMTP Server (TLS) id 14.3.174.1; Tue, 29 Jul 2014 16:58:48 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT115CNC.rim.net ([::1]) with mapi id 14.03.0174.001; Tue, 29 Jul 2014 16:58:47 -0400
From: Dan Brown <dbrown@certicom.com>
To: IRTF Crypto Forum Research Group <cfrg@irtf.org>
Thread-Topic: A downside of deterministic DL signatures?
Thread-Index: Ac+rb+PUesNdwNFqRVehQhB5J3d3gQ==
Date: Tue, 29 Jul 2014 20:58:47 +0000
Message-ID: <20140729205846.6639765.71649.17355@certicom.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="===============1217738322=="
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/QhcyQyfWrtUveriQUR9LCMDZ8-w
Subject: [Cfrg] A downside of deterministic DL signatures?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2014 20:58:55 -0000

‎In ECDSA or Schnorr, if the ephemeral private key k depends on the message bring signed, precomputation of kG, an efficiency advantage (reduced latency?), and possibly effective side channel countermeasure (harder to time precomputation), seems precluded. Not being an efficiency or side channel expert, I ask: Does this downside sound right?

If so, deterministic signatures ought to be a SHOULD or MAY, not a MUST (or none of the above, since thus is not an interoperability issue).

Best regards, 

-- Dan

v2.30.2 | Report a Bug | By Email | System Status