Re: [Cfrg] Deterministic signatures, revisit?

Tony Arcieri <bascule@gmail.com> Mon, 09 October 2017 17:30 UTC

From: Tony Arcieri <bascule@gmail.com>
Date: Mon, 09 Oct 2017 10:30:19 -0700
To: Dan Brown <danibrown@blackberry.com>
Cc: Cfrg <cfrg@irtf.org>
In-Reply-To: <20171009165655.8609877.65333.18037@blackberry.com>
Message-ID: <CAHOTMVJBDeVYCuLsLQ-KvCFmMNS2uEmB1Bh7208NGtxMpk3hdA@mail.gmail.com>
Subject: Re: [Cfrg] Deterministic signatures, revisit?
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/b6b6VMNqSPrhqlLXnr-ll6tnilo>

This certainly keeps coming up. Beyond those papers, see the previous "Side
channel attack and Edwards curves" thread on this list:

https://mailarchive.ietf.org/arch/msg/cfrg/V1JXfnf05uE88huYaQVKi7iZ6mY

I think it's definitely a problem that needs to be addressed. I've seen
various proposals to do so as well, i.e. synthesizing "r" as a combination
of a random nonce and the message, so that fault attacks would, at the very
least, require an RNG failure as opposed to always being possible, due to
repeated "r" values for the same message. This should retain the extant
defense against RNG failures in general as we saw with ECDSA "k" values,
since it would still include hashing the message as part of the calculation.

--
Tony Arcieri
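The nonce-synthesis idea described in the message above, written out as an added example that is not part of the original post and not any CFRG proposal's reference code. It uses a toy Schnorr scheme over a tiny safe-prime subgroup (p = 2039, q = 1019, g = 4; chosen only so the arithmetic is visible, with no real security) and two assumed nonce-derivation constructions of this example's own: a purely deterministic one, H(sk, m), and a "hedged" one, H(sk, z, m), with z fresh randomness. The point it makes concrete is the one in the message: with hedging, signing the same message twice no longer repeats the nonce "r", while a stuck RNG (z constant) still yields message-dependent nonces, so the RFC 6979-style defence against RNG failure is kept.

```python
"""Toy Schnorr signatures: deterministic vs. hedged nonce derivation.

Constructed example. The group is a tiny safe-prime subgroup chosen so the
arithmetic is visible; it offers no security. The nonce-derivation functions
are this example's own assumed constructions, not a standard.
"""
import hashlib
import secrets

# Toy group: p = 2q + 1 with q prime; g = 4 generates the order-q subgroup.
P = 2039
Q = 1019
G = 4


def _h(*parts: bytes) -> bytes:
    """SHA-256 over a length-prefixed concatenation, so field splits are unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def keygen(rng=secrets.token_bytes):
    """Private scalar x in [1, q-1] and public value y = g^x mod p."""
    x = int.from_bytes(rng(32), "big") % (Q - 1) + 1
    return x, pow(G, x, P)


def nonce_seed_deterministic(x: int, msg: bytes) -> bytes:
    """RFC 6979-style: nonce depends only on the key and the message."""
    return _h(b"det", x.to_bytes(4, "big"), msg)


def nonce_seed_hedged(x: int, msg: bytes, z: bytes) -> bytes:
    """Hedged: nonce depends on the key, fresh randomness z, and the message."""
    return _h(b"hedged", x.to_bytes(4, "big"), z, msg)


def _sign_with_seed(x: int, y: int, msg: bytes, seed: bytes):
    r = int.from_bytes(seed, "big") % (Q - 1) + 1   # nonce r in [1, q-1]
    R = pow(G, r, P)
    e = int.from_bytes(_h(R.to_bytes(2, "big"), y.to_bytes(2, "big"), msg), "big") % Q
    s = (r + e * x) % Q
    return e, s


def sign_deterministic(x: int, y: int, msg: bytes):
    return _sign_with_seed(x, y, msg, nonce_seed_deterministic(x, msg))


def sign_hedged(x: int, y: int, msg: bytes, rng=secrets.token_bytes):
    """rng is injectable so a stuck RNG (constant output) can be simulated."""
    return _sign_with_seed(x, y, msg, nonce_seed_hedged(x, msg, rng(32)))


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    # y has order q, so y^(q-e) = y^(-e); g^s * y^(-e) recovers R = g^r.
    R = pow(G, s, P) * pow(y, Q - e, P) % P
    return int.from_bytes(_h(R.to_bytes(2, "big"), y.to_bytes(2, "big"), msg), "big") % Q == e


if __name__ == "__main__":
    x, y = keygen()
    m = b"constructed message"
    print("deterministic repeats r:",
          nonce_seed_deterministic(x, m) == nonce_seed_deterministic(x, m))
    print("hedged repeats r:",
          nonce_seed_hedged(x, m, secrets.token_bytes(32))
          == nonce_seed_hedged(x, m, secrets.token_bytes(32)))
    stuck = lambda n: b"\x00" * n  # simulated RNG failure
    print("stuck RNG, distinct messages, distinct r:",
          nonce_seed_hedged(x, m, stuck(32)) != nonce_seed_hedged(x, b"other", stuck(32)))
    print("hedged signature verifies:", verify(y, m, sign_hedged(x, y, m)))
```

The test compares the full 256-bit nonce seeds rather than the reduced scalars, because with a 10-bit toy order two distinct seeds collide mod q with noticeable probability; a real deployment would use a full-size group where that distinction disappears.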