Re: [Cfrg] Deterministic signatures, revisit?

Ilari Liusvaara <> Mon, 09 October 2017 17:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 87C1E134570 for <>; Mon, 9 Oct 2017 10:49:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Uu2g_trMMf1d for <>; Mon, 9 Oct 2017 10:49:52 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EEFD71346B0 for <>; Mon, 9 Oct 2017 10:49:44 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 464F8B51AF; Mon, 9 Oct 2017 20:49:43 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([IPv6:::ffff:]) by localhost ( [::ffff:]) (amavisd-new, port 10024) with ESMTP id VqYl-SKWZTq7; Mon, 9 Oct 2017 20:49:43 +0300 (EEST)
Received: from LK-Perkele-VII ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 88F0827F; Mon, 9 Oct 2017 20:49:39 +0300 (EEST)
Date: Mon, 09 Oct 2017 20:49:39 +0300
From: Ilari Liusvaara <>
To: Tony Arcieri <>
Cc: Dan Brown <>, Cfrg <>
Message-ID: <20171009174939.uaapnl772ynvjpoq@LK-Perkele-VII>
References: <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: NeoMutt/20170609 (1.8.3)
Archived-At: <>
Subject: Re: [Cfrg] Deterministic signatures, revisit?
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 09 Oct 2017 17:49:54 -0000

On Mon, Oct 09, 2017 at 10:30:19AM -0700, Tony Arcieri wrote:
> This certainly keeps coming up. Beyond those papers see the previous "Side
> channel attack and Edwards curves" thread on this list:
> I think it's definitely a problem that needs to be addressed. I've seen
> various proposals to do so as well, i.e. synthesizing "r" as a combination
> of a random nonce and the message, so that fault attacks would, at the very
> least, require an RNG failure as opposed to always being possible, due to
> repeated "r" values for the same message. This should retain the extant
> defense against RNG failures in general as we saw with ECDSA "k" values,
> since it would still include hashing the message as part of the calculation.

The latter (2017/985) paper in original message seemingly proposed a
countermeasure of that type. The description of countermeasure was not
completely clear, but I _think_ they proposed adding 768 random bits
between prefix and message in calculation of r.

This change would not break compatiblity (the verifier never sees how
r was generated), and if the random bits are bad, the scheme would not
break catastrophically (can not predict r even if all this entropy was

However, it would expose the scheme to additional kleptographic
attacks. An ability to influence the random numbers used would be
enough to compromise the private key.