IETF Logo Mail Archive

Re: [Cfrg] A downside of deterministic DL signatures?

Michael Hamburg <mike@shiftleft.org> Tue, 29 July 2014 21:19 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61CDC1A0178 for <cfrg@ietfa.amsl.com>; Tue, 29 Jul 2014 14:19:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.556
X-Spam-Level: *
X-Spam-Status: No, score=1.556 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JqnKV9FJi3ia for <cfrg@ietfa.amsl.com>; Tue, 29 Jul 2014 14:19:03 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 306DF1A020B for <cfrg@irtf.org>; Tue, 29 Jul 2014 14:19:03 -0700 (PDT)
Received: from [10.184.148.249] (unknown [209.36.6.242]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 96DDE3AA27; Tue, 29 Jul 2014 14:18:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1406668729; bh=qTWr2Gmqmmk0DrZJTfPLxe4+dNAQ5MNw/G/UneVFTT8=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=BjwCnRbMblPSMZPb1d/OJZiBkr1nIG8XRXb9uqjrmmvEl8l+IJ8ZdxBIXOfzQH79k 0dq//SnaPVDG/+AypN4cfjCi1RDG8FNYpeu1cNJ+lwijlNyspf4RFAOWWlxtFNYJb0 kTPzSvuyfdfyS5F/gs/X/mRgpLIitJNFnPLbxyN8=
Content-Type: multipart/alternative; boundary="Apple-Mail=_3F0623B6-C005-416C-9047-EDE0EFCB1E5E"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <20140729205846.6639765.71649.17355@certicom.com>
Date: Tue, 29 Jul 2014 14:19:01 -0700
Message-Id: <A40B70DC-4916-42CD-A27B-A48699E91897@shiftleft.org>
References: <20140729205846.6639765.71649.17355@certicom.com>
To: Dan Brown <dbrown@certicom.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Xts2PR6DAG8IX97JLDERUNDMXxU
Cc: IRTF Crypto Forum Research Group <cfrg@irtf.org>
Subject: Re: [Cfrg] A downside of deterministic DL signatures?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jul 2014 21:19:04 -0000

On Jul 29, 2014, at 1:58 PM, Dan Brown <dbrown@certicom.com> wrote:

> ‎In ECDSA or Schnorr, if the ephemeral private key k depends on the message bring signed, precomputation of kG, an efficiency advantage (reduced latency?), and possibly effective side channel countermeasure (harder to time precomputation), seems precluded. Not being an efficiency or side channel expert, I ask: Does this downside sound right?
> 
> If so, deterministic signatures ought to be a SHOULD or MAY, not a MUST (or none of the above, since thus is not an interoperability issue).
> 
> Best regards, 
> 
> — Dan

Sound right to me.

-- Mike

v2.30.2 | Report a Bug | By Email | System Status