Re: [Cfrg] Call for adoption draft-mattsson-cfrg-det-sigs-with-noise

Natanael <natanael.l@gmail.com> Tue, 19 May 2020 11:52 UTC

From: Natanael <natanael.l@gmail.com>
Date: Tue, 19 May 2020 13:52:17 +0200
Message-ID: <CAAt2M19WxPXm8xM42NNHo37MN_77_Mc6pFJq1_2uwMKRVb-8eA@mail.gmail.com>
To: Dan Brown <danibrown@blackberry.com>
Cc: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, CFRG <cfrg@irtf.org>, "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/cPp3r0ZXhSNz-2j2hnoMp_JRL9U>
Subject: Re: [Cfrg] Call for adoption draft-mattsson-cfrg-det-sigs-with-noise

On Thu, 7 May 2020 at 11:57, Natanael <natanael.l@gmail.com> wrote:

>> Should we continue to name these “deterministic” signatures, if the plan
>> is to make them non-deterministic?
>>
>> How about message-dependent signatures, since both components of the
>> signature (R,S) will depend on the message? Or message-keyed, to emphasize
>> that R must depend on M, not just S.  (Multi-word phrases have precedents,
>> I am reminded of nonce-misuse resistance, though it does not fit here.)
>>
>
> I'm reminded of the term "ciphertext stealing" from the XTS cipher mode.
> The signature (or parts of it) always was message dependent, but maybe
> "entropy stealing" or similar phrasing could be used since we take secret
> randomness from additional sources to make the signature algorithm more
> robust.
>
> Maybe a more neutral term like "entropy combining" would work better.
> "Entropy combining signatures".
>

Adding one more terminology suggestion - terminology like "whitening" seems
like a good fit, taken from papers on RNGs and entropy extractors. Those
functions are designed to take potentially biased inputs and produce
uniform outputs.

So perhaps "keyed entropy whitening" would be a suitable name?

So then you'd call it a signature with entropy whitening (I think you can
leave it implied that the whitening function is keyed and deterministic).
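To make the "keyed entropy whitening" idea concrete, here is an added example (not code from the draft, the thread or any listed author): a toy Schnorr signature whose nonce k is the output of an HMAC keyed by the private key over the message and an externally supplied noise value. The group, the HMAC-based derivation and all function names are assumptions for illustration, and the 64-bit parameters are far too small for real use; the point shown is that fresh noise randomizes R, constant or biased noise degrades gracefully to an ordinary deterministic signature, and R stays message-dependent throughout.

```python
import hashlib, hmac, secrets

def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic below 3.3e24); only for the toy parameter search."""
    if n < 2 or any(n % s == 0 for s in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits: int):
    """Smallest safe prime p = 2q + 1 with q of at least `bits` bits (toy size, constructed here)."""
    q = (1 << (bits - 1)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = _safe_prime(64)   # toy Schnorr group: the order-Q subgroup of Z_P^*
G = 4                    # a quadratic residue other than 1, hence of order exactly Q
def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(len(x).to_bytes(4, "big") + x for x in parts)).digest()

def derive_nonce(sk: int, msg: bytes, noise: bytes) -> int:
    """Keyed whitening (hypothetical construction): the private key keys an HMAC over (msg, noise),
    so k is message-dependent and uniform-looking even if the noise is biased or constant."""
    k = int.from_bytes(hmac.new(sk.to_bytes(32, "big"), _h(msg, noise), hashlib.sha256).digest(), "big") % Q
    return k or 1        # k = 0 would leak the key; practically unreachable but handled anyway

def sign(sk: int, msg: bytes, noise=None) -> tuple[int, int]:
    """Schnorr signature (R, s); fresh noise by default, caller-supplied noise to show the failure mode."""
    k = derive_nonce(sk, msg, secrets.token_bytes(32) if noise is None else noise)
    R = pow(G, k, P)
    e = int.from_bytes(_h(R.to_bytes(16, "big"), msg), "big") % Q
    return R, (k + e * sk) % Q

def verify(pk: int, msg: bytes, sig: tuple[int, int]) -> bool:
    R, s = sig
    e = int.from_bytes(_h(R.to_bytes(16, "big"), msg), "big") % Q
    return 0 < R < P and pow(G, s, P) == R * pow(pk, e, P) % P
```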
