Re: [Cfrg] Call for adoption draft-mattsson-cfrg-det-sigs-with-noise

Natanael <> Tue, 19 May 2020 11:52 UTC

On Thu, 7 May 2020 at 11:57, Natanael <> wrote:

>> Should we continue to name these “deterministic” signatures, if the plan
>> is to make them non-deterministic?
>> How about message-dependent signatures, since both components of the
>> signature (R,S) will depend on the message? Or message-keyed, to emphasize
>> that R must depend on M, not just S.  (Multi-word phrases have precedents,
>> I am reminded of nonce-misuse resistance, though it does not fit here.)
> I'm reminded of the term "ciphertext stealing" from the XTS cipher mode.
> The signature (or parts of it) always was message dependent, but maybe
> "entropy stealing" or similar phrasing could be used since we take secret
> randomness from additional sources to make the signature algorithm more
> robust.
> Maybe a more neutral term like "entropy combining" would work better.
> "Entropy combining signatures".

Adding one more terminology suggestion - terminology like "whitening" seems
like a good fit, taken from papers on RNGs and entropy extractors. Those
functions are designed to take potentially biased inputs and produce
uniform outputs.

So perhaps "keyed entropy whitening" would be a suitable name?

So then you'd call it a signature with entropy whitening (I think you can
leave it implied that the whitening function is keyed and deterministic).
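As an added illustration of the "entropy combining" / "keyed entropy whitening" idea discussed in this thread (example code written for this page, not the draft's specified construction and not the poster's code): the keyed deterministic function (HMAC-SHA-512 here, an assumption for illustration) combines the secret nonce key, the message and fresh noise, so a stuck RNG still yields distinct nonces per message while a live RNG yields distinct nonces for repeated signing of one message. The Ed25519 subgroup order is used only as the reduction modulus.

```python
import hashlib
import hmac
import os

# Constructed illustration (assumption: HMAC-SHA-512 keyed by a secret nonce
# key is the deterministic "whitening" function; the draft's construction is
# not reproduced here).  The nonce depends on the key, the message and noise:
#   * constant noise (stuck RNG) still gives distinct nonces per message, as
#     in a purely deterministic scheme, so nonces are not reused across messages;
#   * working noise gives distinct nonces when the same message is signed
#     twice, so the deterministic path is no longer a fixed fault-attack target.
# Ed25519's prime subgroup order, used only as the reduction modulus.
ORDER = 2**252 + 27742317777372353535851937790883648493


def derive_nonce(nonce_key: bytes, message: bytes, noise: bytes) -> int:
    """Keyed, deterministic combination of (noise, message) reduced mod ORDER.

    Each input is length-prefixed so different (noise, message) splits of the
    same byte string cannot collide."""
    mac = hmac.new(nonce_key, digestmod=hashlib.sha512)
    for part in (noise, message):
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return int.from_bytes(mac.digest(), "big") % ORDER


def sign_nonce(nonce_key: bytes, message: bytes, rng=os.urandom) -> int:
    """Nonce for one signature: 32 bytes of noise from rng, then combined."""
    return derive_nonce(nonce_key, message, rng(32))


def nonce_reuse_under_stuck_rng(nonce_key: bytes, m1: bytes, m2: bytes) -> bool:
    """True if a constant-output RNG makes the two messages share a nonce
    (the failure mode of a purely random scheme; False here unless m1 == m2)."""
    stuck = lambda n: b"\x00" * n  # models a broken RNG returning all zeros
    return sign_nonce(nonce_key, m1, stuck) == sign_nonce(nonce_key, m2, stuck)


def repeated_signing_varies(nonce_key: bytes, message: bytes) -> bool:
    """True if signing the same message twice with a live RNG gives different
    nonces (the property a purely deterministic scheme lacks)."""
    return sign_nonce(nonce_key, message) != sign_nonce(nonce_key, message)


if __name__ == "__main__":
    key = hashlib.sha512(b"constructed demo secret").digest()[32:]
    print("stuck RNG reuses nonce across messages:",
          nonce_reuse_under_stuck_rng(key, b"msg A", b"msg B"))
    print("live RNG varies nonce for one message:",
          repeated_signing_varies(key, b"msg A"))
```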