Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt

John Mattsson <john.mattsson@ericsson.com> Wed, 11 March 2020 15:15 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F89F3A08B9 for <cfrg@ietfa.amsl.com>; Wed, 11 Mar 2020 08:15:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n1poJam0z2iA for <cfrg@ietfa.amsl.com>; Wed, 11 Mar 2020 08:15:37 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80071.outbound.protection.outlook.com [40.107.8.71]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C2333A08EF for <cfrg@irtf.org>; Wed, 11 Mar 2020 08:15:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; =?utf-8?q?b=3DOdLr3EituMlXXOjcAJjydaHuRfBjEmIkpkG1MZVZ6tkTZ36nYn6AyqFkHflEa?= =?utf-8?q?8RJUH4mBCwuUzXTE7F36xy/GCw0DjNV8hyi87bFpFh205BwrSwjN31753hYPW01L8?= =?utf-8?q?1m8RKL5HFoL1Mn8vIeg+4hgTx7ZJhUrTSmipcH0CvHKTXz1SzCHqbEL7XtdiAwbLQ?= =?utf-8?q?08w/Gk/RWnzDjfV2OylA3mQYmarL1cI4oodrUDSPins/qDS5X3hz5zsiu+hCSp+sq?= =?utf-8?q?46Stv9I3zcEf00RK+/hgf8Jn2p9546HZDnRgE5/7O9PaTfQ6P8DJZzFgmVzoVyHqS?= =?utf-8?q?GNKgRs1GlvAdgz9YHHkYQ=3D=3D?=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; =?utf-8?q?h=3DFrom=3ADate=3ASubject=3AMessage-ID=3ACont?= =?utf-8?q?ent-Type=3AMIME-Version=3AX-MS-Exchange-SenderADCheck=3B?= =?utf-8?q?bh=3DmUmylXSAgt+NNVz54gC6HhANpS3kzYFRfC0W5MTrZ0U=3D=3B_b=3Dn0q/nX?= =?utf-8?q?BufK92Mj13hphiLGIoLarZT3eltHqgreihpXX51w/dIJ3FZLpFIuEX0A+0UNLPgO4?= =?utf-8?q?mUuBte27E89hutBRrr731EkSHWDyQtRlTxylZC+M2VUPNFDxRxP7DOI0hoq3hY2+O?= =?utf-8?q?A/+GF2HQy/rAoJw8T/pYaTGR5TEHWOLPsXnHuVGVfVfZjx0fDsyfjLEb331NaViUZ?= =?utf-8?q?wG8SEL6BkjUyyE3Tdf4YeQhQErHOxlvFOlEX5E30ZJwiydtc6qBqawxjeb8T23Ah+?= =?utf-8?q?0s9M/q/aisAKbuTZWZmnvZoHcZe9nYNRN+3Dm2mh4ZSfIS5stNUjbcUkDFXAsjAIz?= =?utf-8?q?Po6Y+PzqlZA=3D=3D?=
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; =?utf-8?q?h=3DFrom=3ADate=3ASubject=3AMessage-ID=3AContent-Typ?= =?utf-8?q?e=3AMIME-Version=3AX-MS-Exchange-SenderADCheck=3B?= =?utf-8?q?bh=3DmUmylXSAgt+NNVz54gC6HhANpS3kzYFRfC0W5MTrZ0U=3D=3B_b=3DaykLLW?= =?utf-8?q?crDyE2plctiwH192WtQjt06ITpRfVzqdkn2EuO/EQLU8W/Dise5+rHV0WODLrqIoX?= =?utf-8?q?SWIPfZENMowlZsTYIWPenV/uFQll+x8QJ0O+QBT3tilwsqX1xyrMQZYiYxtmyNniC?= =?utf-8?q?TxuL1L7I+9rCx2qFPVGBlgYKXN2hltnr/Uo=3D?=
Received: from AM6PR07MB4134.eurprd07.prod.outlook.com (52.134.114.155) by AM6PR07MB5542.eurprd07.prod.outlook.com (20.178.89.219) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2814.9; Wed, 11 Mar 2020 15:15:33 +0000
Received: from AM6PR07MB4134.eurprd07.prod.outlook.com ([fe80::501f:822f:f9b5:eb71]) by AM6PR07MB4134.eurprd07.prod.outlook.com ([fe80::501f:822f:f9b5:eb71%7]) with mapi id 15.20.2814.007; Wed, 11 Mar 2020 15:15:33 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
CC: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "Dang, Quynh H. (Fed)" <quynh.dang@nist.gov>, Tony Arcieri <bascule@gmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt
Thread-Index: =?utf-8?q?AQHVtO9lOZJrcNc7J0+AzBoiSFtzNKe+m+GA///5fgCAeRb1ZIAJ?= =?utf-8?q?r5qA///xkICAAJd2gIAATI6AgAHlM4A=3D?=
Date: Wed, 11 Mar 2020 15:15:33 +0000
Message-ID: <CFC7B4F7-1D22-4B07-9C61-ACED03556F2E@ericsson.com>
References: <157659682819.26470.8755515351900237330.idtracker@ietfa.amsl.com> <E6D46D5C-2BDA-466D-A2BF-46FC39605B8E@ericsson.com> <CAHOTMVJbpSUureq6V4pdZbHS2otF6CkchFYdTvCjB_CxxANijA@mail.gmail.com> =?utf-8?q?=3CCH2PR09MB422045123171EBCAD949FDFEF3E40=40CH2PR09MB4220=2Enampr?= =?utf-8?q?d09=2Eprod=2Eoutlook=2Ecom=3E?= <D401E76A-1613-4602-8BF4-4329901203D2@ericsson.com> <69D111EF-EF28-4A4C-A3C8-AF9676821299@ll.mit.edu> <1DA3C97B-6FF3-4338-8CEF-D5D743AF6F0E@ericsson.com> <CAMm+LwhrbiUmjMZE3ngDaFEKBqXhXN07w3-kNL74WxmxzGeUhA@mail.gmail.com>
In-Reply-To: <CAMm+LwhrbiUmjMZE3ngDaFEKBqXhXN07w3-kNL74WxmxzGeUhA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.35.20030802
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [192.176.1.85]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 13fe2d01-9e1f-47f3-8774-08d7c5cf0b6d
x-ms-traffictypediagnostic: AM6PR07MB5542:
x-microsoft-antispam-prvs: =?utf-8?q?=3CAM6PR07MB55420D9C01554682DFAD667389F?= =?utf-8?q?C0=40AM6PR07MB5542=2Eeurprd07=2Eprod=2Eoutlook=2Ecom=3E?=
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 0339F89554
x-forefront-antispam-report: SFV:NSPM; =?utf-8?q?SFS=3A=2810009020=29=284636?= =?utf-8?b?MDA5KSgzOTYwMDMpKDM3NjAwMikoMzk4NjA0MDAwMDIpKDM2NjAwNCkoMTM2?= =?utf-8?b?MDAzKSgzNDYwMDIpKDE5OTAwNCkoODY3NjAwMikoNjQ4NjAwMikoNDUwODA0?= =?utf-8?b?MDAwMDIpKDQ0ODMyMDExKSg4NjM2MjAwMSkoMTg2MDAzKSg2NjQ3NjAwNyko?= =?utf-8?q?66556008=29=2876116006=29=2866946007=29=2866446008=29=284326008?= =?utf-8?b?KSg4MTE1NjAxNCkoNTY2MDMwMDAwMikoNjUxMjAwNykoOTE5NTYwMTcpKDgx?= =?utf-8?q?166006=29=2864756008=29=286506007=29=2853546011=29=288936002=29?= =?utf-8?q?=286916009=29=282906002=29=28478600001=29=2815650500001=29=283086?= =?utf-8?q?4003=29=28316002=29=284001150100001=29=2871200400001=29=282616005?= =?utf-8?b?KSg1NDkwNjAwMykoOTY2MDA1KSgyNjAwNSkoMzM2NTYwMDIpKDM2NzU2MDAzKSg2?= =?utf-8?q?6574012=29=3B?= DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR07MB5542; H:AM6PR07MB4134.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: =?utf-8?q?ubn3P3GhYH5HjAm8fxrkTc2ihDI7/OE?= =?utf-8?q?kTmKMZB2ysy3j1luE0sSbnK//OM4mgDghjgKauXk5x7+K8BYFMcDrAEKSofyQTi15?= =?utf-8?q?LUtdOUPITTGYs3qVhuMbVHoGZa+5Pgcpp5kI/eGQnxsfxggdOLRvuOIFZZwesNHiD?= =?utf-8?q?OpX7g072jmpDKRGD6TLFOQKQgFkKEHIFltW/vAIHYjM/1zMvab2bHaJ6AJls2SUAo?= =?utf-8?q?ecOa5T8k3T9wasDGMvcmIJCKDR3TMbAdEg5SyBEj80504FnEgpLksM7+L+NPhTQ1l?= =?utf-8?q?qAVxudytpYU03GGxtvJMpVfRUYSPiswvCRxIu0OBYcOfDyu6sklYECUlD320Yo4Kz?= =?utf-8?q?A+P1E0n0M5yqlgP81lweR9j1jbhW7Z8bkyQ6DiUl09SwGbV37XI1MwN9DWUUrw0Oo?= =?utf-8?q?kI1EYxbPgOD7pLDx4XbS1LYT46ezdvL798dF+AULhJbJyT1VUfezw7oxF3lP6fpUL?= =?utf-8?q?e849yw9dOvmvDULf26aTyoAZk2QSHGlnLiTEnA9qHezWwQqQ=3D=3D?=
x-ms-exchange-antispam-messagedata: =?utf-8?q?JT9aHGUQ/NETSyYVSrPonPdFf8FgE5?= =?utf-8?q?3sE4Oj6G9tUnQAVk2nDVTqTuSzCE078GAUv7YJrTwXOtQAdoMOFL3YzrqXkpTnrKV?= =?utf-8?q?TbOszg3C2T4BwYYglpGYK3X+WchEq9ErUBeRLCREUqCqqgmU9pH1+Ig=3D=3D?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <5FD8BC79F9CC3B489C6B9274BFE590E2@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 13fe2d01-9e1f-47f3-8774-08d7c5cf0b6d
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2020 15:15:33.5844 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: =?utf-8?q?hgx0mQEVgCa7wgH26bel3?= =?utf-8?q?NY9CflszyOscC4F1kOtxvzBWQHgys6ZcfV7G0ur2G7ZZsXsQRPXg68PSek9YPe/q0?= =?utf-8?q?dOMUFvP3yJOiOsr9Ree3Q=3D?=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB5542
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/cTjH5zlNWVW2C8_7Y3QfUsG8jgM>
Subject: Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2020 15:15:40 -0000

Hi Philip,

I think the current discussions (NISTIR 8214A and your drafts) to standardize different threshold schemes are very interesting and I think they will be practical in a lot situations. 

However, I don't think draft-hallambaker-threshold-sigs-02.html and draft-mattsson-cfrg-det-sigs-with-noise-02 should or need to be aligned. I think they are quite independent. The mechanisms in draft-hallambaker-threshold-sigs-02.html do not seem suitable to deploy today in constrained IoT devices as:

- The schemes are relatively heavy (for constrained IoT) as they increase the number of Elliptic curve point multiplications.
- The schemes require significant modifications to the implementation.
- The schemes are not for ECDSA
- The protection against fault attacks (active side-channel attacks) is to my understanding not well studied while the construction suggested in draft-mattsson-cfrg-det-sigs-with-noise-02 is analyzed and recommended in a lot of recent papers.
- The work to standardize threshold signatures will probably take some time.

Today, we have a situation where a lot of IoT devices have are or planning to implement deterministic ECC signatures. Most IoT deployments today use ECDSA, but EdDSA is getting some footprint in new deployments. IoT devices are often vulnerable to side-channel and fault injection attacks and my current view is that such IoT devices should not use purely deterministic ECC signatures. For this reasons, there is a strong need to as soon as possible standardize a very lightweight solution for both ECDSA and EdDSA that does not require substantial changes to the implementation.

Cheers,
John

From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tuesday, 10 March 2020 at 12:19
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>du>, "Dang, Quynh H. (Fed)" <quynh.dang@nist.gov>ov>, Tony Arcieri <bascule@gmail.com>om>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt

This should probably be aligned with the Threshold signature proposal if accepted. Threshold signatures require either an additional commitment round or random construction of all but the last the signature contribution r_i values:

https://www.ietf.org/id/draft-hallambaker-threshold-sigs-02.html

Another related technique is Kocher side channel resistance through random blinding now that Paul's original patent has expired (there may be others of course).



On Tue, Mar 10, 2020 at 1:45 AM John Mattsson <john.mattsson=mailto:40ericsson.com@dmarc.ietf.org> wrote:
Thanks Uri,
 
I’ll change the constructions in the next version to:
 
dom2(F, C) || Z || prefix || 000... || PH(M)
V || 0x00 || Z || int2octets(x) ||  000... || bits2octets(h1)
 
where
 
Z is chosen to be the same length as prefix / int2octets(x)
 
and
 
the number of zeroes 000... is chosen so that the length of 
 
dom2(F, C) || Z || prefix || 000...
V || 0x00 || Z || int2octets(x) ||  000...
 
is equal to the block length of the hash function.
 
Other choices for the length of Z would also be possible, like a fixed length of 32 or 64 bytes.
 
Cheers,
John
 
From: "Blumenthal, Uri - 0553 - MITLL" <mailto:uri@ll.mit.edu>
Date: Monday, 9 March 2020 at 22:43
To: John Mattsson <mailto:john.mattsson@ericsson.com>, "Dang, Quynh H. (Fed)" <mailto:quynh.dang@nist.gov>, Tony Arcieri <mailto:bascule@gmail.com>
Cc: "mailto:cfrg@irtf..org" <mailto:cfrg@irtf.org>
Subject: Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt
 
I too prefer
 
( Z || prefix || 000... || PH(M) )
 
over
 
( (prefix XOR Z) || PH(M) ) 
 
Yes there is a reason for those zeroes.
 
From: Cfrg <mailto:cfrg-bounces@irtf.org> on behalf of John Mattsson <john.mattsson=mailto:40ericsson.com@dmarc.ietf.org>
Date: Monday, March 9, 2020 at 5:37 PM
To: "Dang, Quynh H. (Fed)" <quynh.dang=mailto:40nist.gov@dmarc.ietf.org>, Tony Arcieri <mailto:bascule@gmail.com>
Cc: CFRG <mailto:cfrg@irtf.org>
Subject: Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt
 
Thanks for the review Quynh!
 
I agree that there are compelling reasons to do as you suggests. We never considered
 
( Z || prefix || PH(M) ).
 
We chose
 
( (prefix XOR Z) || PH(M) ) over the XEdDSA construction ( prefix || PH(M) || Z )
 
as https://eprint.iacr.org/2017/985.pdf states the the XEdDSA construction did not protect against all of their attacks due to insufficient mixing of the hashed private key with the additional randomness. Do you see any need to insert zeroes like
 
( Z || prefix || 000... || PH(M) )
 
as suggested by https://eprint.iacr..org/2017/985.pdf so that the first 1024-bit block of SHA-512 is composed only of the hashed private key and the random value, but not the message?
 
I agree with you that the cost of hashing operations are not really worth optimizing as their cost is negligible compared to the cost of the Elliptic curve point multiplications. We have not looked into how much additional security the zeroes gives in practice.
 
PS. We would also be very happy if NIST just went ahead and standardized some variant of  deterministic signatures with additional randomness in FIPS 186-5 :)
 
Cheers,
John
 
From: "Dang, Quynh H. (Fed)" <quynh.dang=mailto:40nist.gov@dmarc.ietf.org>
Date: Tuesday, 3 March 2020 at 20:36
To: Tony Arcieri <mailto:bascule@gmail.com>, John Mattsson <mailto:john.mattsson@ericsson.com>
Cc: "mailto:cfrg@irtf.org" <mailto:cfrg@irtf.org>
Subject: Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt
 
Hi John,
 
I think there are people who would like some noisy deterministic ECDSA/EdDSA options. 
 
I would prefer (Z ||int2octets(x) ) over (int2octets(x) XOR Z) , and   (Z || prefix) over (prefix XOR Z)  for the following reasons.
 
1) For randomized hashing, the random value should get hashed first before the message for a SHA2 hash function ( even thought it is not the same thing here since a secret value is a part of the message).
 
2) Z1 and Z2 both are Z bits long and have Z bits of entropy.  (Z1 Xor Z2) have only Z bits of entropy, but Z1||Z2 have 2Z bits of entropy (if Z1 and Z2 are generated from 2 different seeds/entropy sources). 
 
An extra Z bits long would cost at most 1 compression function for SHA-512 and it would likely not cost anything for SHAKE256.  So, the cost is minimal. 
 
Regards,
Quynh. 

From: Cfrg <mailto:cfrg-bounces@irtf.org> on behalf of Tony Arcieri <mailto:bascule@gmail.com>
Sent: Tuesday, December 17, 2019 12:30 PM
To: John Mattsson <john.mattsson=mailto:40ericsson.com@dmarc.ietf.org>
Cc: mailto:cfrg@irtf.org <mailto:cfrg@irtf.org>
Subject: Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt 
 
This looks like a good document (so far you've managed to cover every nit I had to pick with it), however I think it might be a bad idea to describe your construction as "with Noise", in order to prevent confusion with the Noise Protocol, which among other things supports an Ed25519 signatures extension (which can, if one so desires, be used with XEdDSA): 



https://protect2.fireeye.com/v1/url?k=beccca08-e24600cb-becc8a93-86e1ed4002b1-b100179dffe9824e&q=1&e=9ab9ccab-2de7-4dee-bbec-0a0da2647812&u=https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnoiseprotocol.org%2F&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648727502&sdata=yrPQ7K0144eU1d9x0IG%2F66Xjnr4BkZs%2FNzbXDELfrSU%3D&reserved=0


 
Perhaps "with Added/Additional Entropy" instead?
 
On Tue, Dec 17, 2019 at 8:53 AM John Mattsson <john.mattsson=mailto:40ericsson.com@dmarc.ietf.org> wrote:
Hi,

I read up a lot more on recent research on side-channel and fault injection attacks on deterministic ECC signatures. This has increased my understanding that deterministic ECC signatures should not be recommended in environments where side-channel and fault injection attacks are a concern. One such environment is IoT deployments where the adversary can be assumed to have access to devices to induce faults and measure side-channels.

As many such embedded devices also lacks a good RNG, none of the currently standardized fully-randomized or fully-deterministic ECC signature algorithms seems like a good choice. I therefore think there is a need to specify deterministic ECC signatures with noise.

My colleagues and I started to write a draft specifying how a random noise can be added to the otherwise deterministic calculation of the per-message secret number. We ended up not proposing the solution chosen in XEdDSA as at least one research paper claims that XEdDSA does prevent their attack due to insufficient mixing of the hashed private key with the random noise.

The current document aims to give a quite broad overview with many references, suggests one possible construction for deterministic ECDSA and EdDSA, and lists several issues and TODOs. It should be discussed what the best construction is for achieving protection against fault and side-channel attacks, simplicity and ease of implementation, as well as efficiency. Comments are very welcome!

Cheers,
John

-----Original Message-----
From: "mailto:internet-drafts@ietf.org" <mailto:internet-drafts@ietf.org>
Date: Tuesday, 17 December 2019 at 16:33
To: John Mattsson <mailto:john.mattsson@ericsson.com>, John Mattsson <mailto:john.mattsson@ericsson.com>, Sini Ruohomaa <mailto:sini.ruohomaa@ericsson.com>, Erik Thormarker <mailto:erik.thormarker@ericsson.com>
Subject: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-00.txt


    A new version of I-D, draft-mattsson-cfrg-det-sigs-with-noise-00.txt
    has been successfully submitted by John Preuß Mattsson and posted to the
    IETF repository.

    Name:               draft-mattsson-cfrg-det-sigs-with-noise
    Revision:   00
    Title:              Deterministic ECDSA and EdDSA Signatures with Noise
    Document date:      2019-12-17
    Group:              Individual Submission
    Pages:              14
    URL:            https://protect2.fireeye.com/v1/url?k=117c199e-4df6d35d-117c5905-86e1ed4002b1-9fbf838aa5b9f48f&q=1&e=9ab9ccab-2de7-4dee-bbec-0a0da2647812&u=https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Finternet-drafts%2Fdraft-mattsson-cfrg-det-sigs-with-noise-00..txt&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648737458&sdata=vk3J7iuIr1R0K0clMK4zE1j0Y72usGW21l3WWQ%2BpNEw%3D&reserved=0
    Status:         https://protect2.fireeye.com/v1/url?k=ddee9146-81645b85-ddeed1dd-86e1ed4002b1-204a929da59f550b&q=1&e=9ab9ccab-2de7-4dee-bbec-0a0da2647812&u=https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-mattsson-cfrg-det-sigs-with-noise%2F&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648737458&sdata=Ztk7IuH0rNpiiJzz%2FzAscqior31KGMX0PNCOQD0vaa8%3D&reserved=0
    Htmlized:       https://protect2.fireeye.com/v1/url?k=090d6bef-5587a12c-090d2b74-86e1ed4002b1-65823b9a478f65ed&q=1&e=9ab9ccab-2de7-4dee-bbec-0a0da2647812&u=https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-mattsson-cfrg-det-sigs-with-noise-00&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648747401&sdata=GIW%2BfSFKyMR3cuxyJ9g5vWpN0gwBFXhkZlWLvfC%2Fqn8%3D&reserved=0
    Htmlized:       https://protect2.fireeye.com/v1/url?k=f37e8530-aff44ff3-f37ec5ab-86e1ed4002b1-6deb93e44c241ca2&q=1&e=9ab9ccab-2de7-4dee-bbec-0a0da2647812&u=https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-mattsson-cfrg-det-sigs-with-noise&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648747401&sdata=RuBFhWEGgpGQlQLekhUd0%2FV9%2BGVMOg680fgERm1YWx8%3D&reserved=0


    Abstract:
       Deterministic elliptic-curve signatures such as deterministic ECDSA
       and EdDSA have gained popularity over randomized ECDSA as their
       security do not depend on a source of high-quality randomness.
       Recent research has however found that implementations of these
       signature algorithms may be vulnerable to certain side-channel and
       fault injection attacks due to their determinism...  One countermeasure
       to such attacks is to add noise to the otherwise deterministic
       calculation of the per-message secret number.  This document updates
       RFC 6979 and RFC 8032 to recommend constructions with noise for
       deployments where side-channel attacks and fault injection attacks
       are a concern.




    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at https://gcc01.safelinks.protection..outlook.com/?url=http://tools.ietf.org&data=02|01|quynh.dang@nist.gov|cf04b3b1a4264ee89f7108d78316e3dd|2ab5d82fd8fa4797a93e054655c61dec|1|1|637122006648757373&sdata=8wRNbI4K0fp/ToU1LYrlDZJjYZUChULvw1sN1ynd4fA=&reserved=0p;reserved=0.

    The IETF Secretariat



_______________________________________________
Cfrg mailing list
mailto:Cfrg@irtf.org
https://protect2.fireeye.com/v1/url?k=f768d7b6-abe21d75-f768972d-86e1ed4002b1-bfbedd89a6a207ca&q=1&e=9ab9ccab-2de7-4dee-bbec-0a0da2647812&u=https://gcc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg&data=02%7C01%7Cquynh.dang%40nist.gov%7Ccf04b3b1a4264ee89f7108d78316e3dd%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C1%7C637122006648757373&sdata=g%2FnCiXGEXtfaRGvv9tRVaz9CAcsVq0gbqmy32xNZE1o%3D&reserved=0


 
-- 
Tony Arcieri
_______________________________________________
Cfrg mailing list
mailto:Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg