Re: [Cfrg] Call for adoption draft-mattsson-cfrg-det-sigs-with-noise

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 13 May 2020 13:15 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1188D3A0B21 for <cfrg@ietfa.amsl.com>; Wed, 13 May 2020 06:15:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=Md4Z7t2T; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=Md4Z7t2T
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V-DJu1vOW4rD for <cfrg@ietfa.amsl.com>; Wed, 13 May 2020 06:15:10 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130083.outbound.protection.outlook.com [40.107.13.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F7553A0803 for <cfrg@irtf.org>; Wed, 13 May 2020 06:15:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iRB7OgW7ynx5LSSFQRyTBmr/BtLzk0bkZaJCpBe/95o=; b=Md4Z7t2TQsPRerK21kFOK4/Kww3cIAJTgQzHnsNi0SFzjoUfzyd8bcV9oLk58Qyv5iWWFgFZMCc8Bhk8gdjh29PmJrz6wjmHX5eYAWTwXfDbyuBr/Lx7heaEfXZrN+9ZPPwqxPI/60bqxPA7WSzbZo8D0tcJgD1sBekbgEkz560=
Received: from DB6PR0501CA0022.eurprd05.prod.outlook.com (2603:10a6:4:8f::32) by AM4PR08MB2834.eurprd08.prod.outlook.com (2603:10a6:205:5::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2979.33; Wed, 13 May 2020 13:15:06 +0000
Received: from DB5EUR03FT007.eop-EUR03.prod.protection.outlook.com (2603:10a6:4:8f:cafe::32) by DB6PR0501CA0022.outlook.office365.com (2603:10a6:4:8f::32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3000.20 via Frontend Transport; Wed, 13 May 2020 13:15:06 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; irtf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;irtf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT007.mail.protection.outlook.com (10.152.20.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3000.19 via Frontend Transport; Wed, 13 May 2020 13:15:06 +0000
Received: ("Tessian outbound e88319d7ccd0:v54"); Wed, 13 May 2020 13:15:06 +0000
X-CR-MTA-TID: 64aa7808
Received: from c2fb279096fb.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 11EE91A7-19CF-4A50-A992-03462DAAF11B.1; Wed, 13 May 2020 13:15:01 +0000
Received: from EUR02-AM5-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id c2fb279096fb.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Wed, 13 May 2020 13:15:01 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fNeSCKLGDRSq4aOHmthfI5z+NPY+RoSXSRqOSCD3AU7IawreqZvGT2PyykJJRBC0gMTOdR98aaOL+tHrtOGKVFedLLTQk04m5CPkpGdAtLcFx/qp/e82pGAAbdGTvmj+9QSTg/HDve4Z+P+AP8CKLaVaqomj1gYSfYW0QZMVjludMSIWgNDXA5HvVXk+NtG6gcG02s7O9ElYLCM/LWs1YW31wkF2QTBFWxdJ5UN08n9yJQZsjjXKArjT8/1pJeheP2FCPN0FLGvtdc/wcQsF8NQf7b4KqDvcQSY7fJFZViwcCfP9kyWpIZKP3LsVJB+NE0CELYfqjhOIZ6dsmH4/mg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iRB7OgW7ynx5LSSFQRyTBmr/BtLzk0bkZaJCpBe/95o=; b=mYDWdOoOpVOOBtSs6fN9GxxvySgQN6OUQplus+sPJSa+iK7oT8Dnqt2lHl2l6ZH1B70FH9tktwtwo1miY03zxjTcgOnnyQQ6EHk+TUINM/piyOi6ZHMWi4LPs+hErTZt3itryaT3D3lfyuEXhF1yKuf/qHR+1syOYYG+oV0gtu4y+atATlFDFiAqyMXdsBpKl2MkVMfn8kj6PpgODrrrTpj8LmVDdnBJegoUjrXlHEj57F7H7yAgDyCogyzCpTAVW19dw5IdyLEOpSwCKkMKlx+u6hrfI8j34EC6IsFMsGx/rIk9wvqGUrolYg+0DlET9S2M58ivHMIaLDeRSPx6GQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iRB7OgW7ynx5LSSFQRyTBmr/BtLzk0bkZaJCpBe/95o=; b=Md4Z7t2TQsPRerK21kFOK4/Kww3cIAJTgQzHnsNi0SFzjoUfzyd8bcV9oLk58Qyv5iWWFgFZMCc8Bhk8gdjh29PmJrz6wjmHX5eYAWTwXfDbyuBr/Lx7heaEfXZrN+9ZPPwqxPI/60bqxPA7WSzbZo8D0tcJgD1sBekbgEkz560=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (2603:10a6:208:106::13) by AM0PR08MB3170.eurprd08.prod.outlook.com (2603:10a6:208:65::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3000.24; Wed, 13 May 2020 13:14:59 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::f501:c93e:1c20:8bee]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::f501:c93e:1c20:8bee%6]) with mapi id 15.20.2979.033; Wed, 13 May 2020 13:14:59 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Eric Rescorla <ekr@rtfm.com>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
CC: CFRG <cfrg@irtf.org>, "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>
Thread-Topic: [Cfrg] Call for adoption draft-mattsson-cfrg-det-sigs-with-noise
Thread-Index: AQHWHU+GD+d/hbdbyECHVH4dE8NWRailNR2AgADceSA=
Date: Wed, 13 May 2020 13:14:59 +0000
Message-ID: <AM0PR08MB3716CFFDBBB5F44BC8C9883DFABF0@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <CAMr0u6kr18AP2ya5Pn2VXpt6FLO6vWrFQoXrFni28uYgrJXpFA@mail.gmail.com> <CABcZeBO7HehS=fNA5A2GW727AnhNfUp-3LP92=8VLXPTownd3Q@mail.gmail.com>
In-Reply-To: <CABcZeBO7HehS=fNA5A2GW727AnhNfUp-3LP92=8VLXPTownd3Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: c3bb2726-d836-4ce2-a532-423cd4069378.1
x-checkrecipientchecked: true
Authentication-Results-Original: rtfm.com; dkim=none (message not signed) header.d=none;rtfm.com; dmarc=none action=none header.from=arm.com;
x-originating-ip: [80.92.122.242]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 94c0eb21-1155-46e0-f054-08d7f73fa792
x-ms-traffictypediagnostic: AM0PR08MB3170:|AM4PR08MB2834:
X-Microsoft-Antispam-PRVS: <AM4PR08MB2834BFF86C19E441F6376238FABF0@AM4PR08MB2834.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 0402872DA1
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: BfM39q1ggb+2cCoIrnZUNiAz7Yi3vADTjxzA3eR8PG36CMfUnHiKEAiFbf5hLOi/AEBP43DzczKKoofPweZbulorZrfywR93Y9sfoIIAvDt25RZbRbW0ezApti8VRcRGyUjVqrD5LdQ9N5mUbrVX5WD21H0IbhqNoR+6GlHBsTzOts/gddMNuZDKbJGx1hHeK0oJCkeVgFxH80XX05xN2Nggk1ySN5rBFkQvVauHe2HX2VvcNgCoXKIFUqbG4M6Wki4hrtdKejqu4c3X12HBDp6hbvOKBuMH7fmbpZOcEJ/EN9+d6mtLr+JwrddV+73242wBuHswckK/EId2MENcEyGIH2H+UN+P6LHUrLE07iHyCvR1MDGMhvtk0VpFrBLZdwEp+5J6zME1R32qI0TISrMaepw5JEGhIlDDXpxljqG6JnCtXIwkgbAP972zG8utgso0HPtI2PFNb0fgd3aWkfdTpxxxx8WCfRz/8hw9kqWb8do6chVsrr+bZn3W26gRzjjiqamQVSdvzLriglBeBw3ii/zqfEYEb3SLWxdH1EtfIbIv6QEG/MvF3c9won3zOCmHGJhJtrrTZZR1d9zhlq27bzcMQ5KlmW87hJ0rzJo=
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(396003)(376002)(366004)(136003)(39860400002)(33430700001)(33656002)(7696005)(76116006)(8676002)(52536014)(53546011)(6506007)(26005)(186003)(55016002)(66946007)(66476007)(66446008)(966005)(478600001)(64756008)(86362001)(8936002)(66556008)(9686003)(4326008)(2906002)(71200400001)(33440700001)(166002)(5660300002)(316002)(110136005)(54906003)(66574014); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 6XOiUOgu4ytHQEpkxnsO3DwRA2glS9xyaDgJRfjivpAXa6FOBEs6e21IdHNo/TWXpnfpj26+8gdSveG2z0hEduntng9zuwiUMWe6IlRJbWuSJQqvwPhEgdsfgnihG5zAnCYroQbSa/r+5rFgxvxI1aWa/RpLKe95nuctTlJaCR+WIPne1UKTk8EGVweizNP4V8A/jGb5gPdW7DnpRfTKuN3PX2xpuTs4XPhbeAEoTVRlX3Wu68vkI2BSJUk+t7L3+T7n9UTh8lPxaEe93QoInppY7vlJ7rjJJ6pXi3kLQMIo6gowXl3dmhscEsCtxMS3rLC6Trst551/GZYMnCClWf7W/j4CItv9RMBc68Lezp+YhqIZrZtrJj5CwGLxv4T3M/dckgyDJ3N819FsbNClvKqY4pGdqkziEpzvPawkFwnAQphu6N6AzmSDtMJX0TmxS5TQFZ1zi/rCA4WaTmMvYtGNyEtFcJdvpGJFWn6b7QCD3eesyIZUW5hk59v/kH3b
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR08MB3716CFFDBBB5F44BC8C9883DFABF0AM0PR08MB3716eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB3170
Original-Authentication-Results: rtfm.com; dkim=none (message not signed) header.d=none;rtfm.com; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT007.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(4636009)(396003)(39860400002)(376002)(346002)(136003)(46966005)(33430700001)(52536014)(8676002)(336012)(33964004)(6506007)(53546011)(4326008)(186003)(33656002)(26005)(7696005)(5660300002)(9686003)(55016002)(70586007)(966005)(70206006)(478600001)(8936002)(81166007)(356005)(107886003)(316002)(86362001)(166002)(82310400002)(33440700001)(66574014)(47076004)(82740400003)(110136005)(54906003)(2906002); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 2236831f-b8e2-400f-de1a-08d7f73fa387
X-Forefront-PRVS: 0402872DA1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: j3jK/xo+kUnNUzKWJgOrV3O/hTZA0HaPfl46QUV1oS/U4btZH6R5+TNz7OTuOcy81XYcGDmgybShDv0xg/B6S1VK1dZo/c/OcenuVMbSIA1FC+EDDfjmlfbi0gWal+8vr3gI1A+6QWoHmfHEnh/x99IV/ivt8Luriw/c3z9nGehviWDkXd5TOaZB92UQBClC6jBzBZvZvqyXLQ0Z/2uzCPhHmISFWVa4WZNm+g0BMC+ogzjS1xb6xC1RH7ROQa7kbEKdAYh0MIgeqMT+V41/5E7Kp/AxZtUuCABXmAt4udvM67hJkDCSQV7T5OOil7jgN3s9DdPviRzGU6pnPS5Ot/YkqHDbu7rx1RhcDucqoGzeALJpMLsnao1JjQc/Ng7j7oKhuMxXE95zEmSihga0wDm4MsoR7FZCRsHtvIGS11+fVuGq3nP9ChYyUt1gfSzfWqIb7JoDKAIKT/L3X7vT28iggZA5mde8L1KG/401b2dwm+P0qgdKV2iLTp8ObkSsOKXw17Ggf2Hj6eZtcQePGUOTpKXVdG38a+Fs0HVK9pysaRs0PyTg3XzlSjKRS3hyiTN1hEOA/CBO5X8hO3EFMhbYgAQISYfNSkv5pcxcR+Y1GfMTX6t2PL5AakTnlPYGhe2q3Fmg0HnGSTsRwPNU6Q==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 May 2020 13:15:06.2569 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 94c0eb21-1155-46e0-f054-08d7f73fa792
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR08MB2834
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/oawr_YWVlN5VWL3DNH0K8G40G78>
Subject: Re: [Cfrg] Call for adoption draft-mattsson-cfrg-det-sigs-with-noise
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2020 13:15:13 -0000

I have asked my co-workers to review the draft and Janos Follath responded. He thinks that this idea to add randomness makes perfect sense.

Here is his response on the discussion points listed in the draft:

  *   One of the goals of the document is to provide the same security level against side channel attacks as a randomised scheme. Using 16 bytes of randomness with Ed25519 fails to achieve this: Ed25519 has 128 bit security, using 128 bits of random data results in collisions after 2^64 signatures (the attack we are defending against already assumes that the attacker can trick the device into signing the same message repeatedly) and every collision reduces the noise in the attacker’s measurements. The overhead is minimal, this is a standard that should recommend good practices, I don’t think this is the right place trying to gain performance improvements.
  *   This question seems to be rather off-topic for this RFC. Nevertheless my thoughts: Whether we use HMAC or KMAC, the schemes are secure, the difference is a minor performance gain. Both variants generate valid signatures, the verifier does not need to know which was used to generate the signature, thus there is no compatibility issue between the two variants. Including both in the IETF standard would allow implementors to choose between NIST compliance and a slight performance gain. (Of course if NIST can be convinced to approve a KMAC-DRBG in SP 800-90-A or diverge from that construction in FIPS 186-5, then everybody can just use KMAC.) That being said, if I had to decide, I would stick with HMAC: the performance gain of KMAC is minimal and SHA2 is still around, I wouldn’t want to risk implementors accidentally trying to use SHA2 with KMAC under any circumstances.

Here are my personal thoughts on this entire topic:


Classical ECDSA required a random value for signature creation.

Then, RFC 6979 was written because there was a concern about environments that do not have access to a source of high-quality randomness. This concern has often been stated in context of Internet of Things devices. You can read about these concerns even in recent IETF documents, such as https://tools.ietf.org/html/draft-ietf-ace-coap-est-18. In that document the authors added a technique to have server-generated keys that are then sent to IoT devices to deal with the lack of a good source of high-quality randomness.



Now, with draft-mattsson-cfrg-det-sigs-with-noise we are adding randomness back into RFC 6979.



Are we now back to where we started?

Ciao
Hannes


From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Eric Rescorla
Sent: Wednesday, May 13, 2020 1:49 AM
To: Stanislav V. Smyshlyaev <smyshsv@gmail.com>
Cc: CFRG <cfrg@irtf.org>rg>; cfrg-chairs@ietf.org
Subject: Re: [Cfrg] Call for adoption draft-mattsson-cfrg-det-sigs-with-noise

I didn't study the algorithms in detail, but this seems generally sensible and worth adopting. I agree with others that we probably should change the title to avoid confusion.

-Ekr


On Tue, Apr 28, 2020 at 4:23 AM Stanislav V. Smyshlyaev <smyshsv@gmail.com<mailto:smyshsv@gmail.com>> wrote:
Dear CFRG participants,
This email commences a 2-week call for adoption for draft-mattsson-cfrg-det-sigs-with-noise-02 that will end on May 12th 2020:

https://datatracker.ietf.org/doc/draft-mattsson-cfrg-det-sigs-with-noise/

Please give your views on whether this document should be adopted as a CFRG draft, and if so, whether you'd be willing to help work on it/review it. Please reply to this email (or in exceptional circumstances you can email CFRG chairs directly at cfrg-chairs@ietf.org<mailto:cfrg-chairs@ietf.org>).

Thank you,
Stanislav (for the chairs)
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.