IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)

Michael Hamburg <mike@shiftleft.org> Sun, 03 May 2015 17:39 UTC

Return-Path: <mike@shiftleft.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 802551A702B for <cfrg@ietfa.amsl.com>; Sun, 3 May 2015 10:39:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.556
X-Spam-Level: *
X-Spam-Status: No, score=1.556 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_ORG=0.611, HOST_MISMATCH_NET=0.311, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.982, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QLMkqWmEk3wy for <cfrg@ietfa.amsl.com>; Sun, 3 May 2015 10:39:11 -0700 (PDT)
Received: from aspartame.shiftleft.org (199-116-74-168-v301.PUBLIC.monkeybrains.net [199.116.74.168]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D9FF1A87A9 for <cfrg@irtf.org>; Sun, 3 May 2015 10:39:10 -0700 (PDT)
Received: from [192.168.1.142] (unknown [192.168.1.1]) by aspartame.shiftleft.org (Postfix) with ESMTPSA id 1B3BC3AA3D; Sun, 3 May 2015 10:38:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftleft.org; s=sldo; t=1430674738; bh=5Ov8IBd96b3yDscmcTeo7F4nZPTq2GBagO7JswancmQ=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=bO1t9QjkTD4Nl2oizKmgr3VH+N/2Bk6tLcVf+J0MnsNyBn/1rR7gX/dhSWOMXewxj 0rw7wiueADirRpHPpUs3UVOZEHTo9SRQ/XIUW4Pc98SNcB7I7ShlVw5O4UC4Y8jfr/ qU0C1TPbkIbsXNN8e/BIx8Lxn0yxf7m0vygN8430=
Content-Type: multipart/alternative; boundary="Apple-Mail=_9E76FC37-E3F9-4E03-BED9-6A069E71FFC5"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <5546032D.5070208@isode.com>
Date: Sun, 03 May 2015 10:39:06 -0700
Message-Id: <EE0F9CDF-7B62-4950-A708-EAC071FCAE4F@shiftleft.org>
References: <5546032D.5070208@isode.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/flJga9E1IvF0ZoE0CNDivN-2K8Q>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2015 17:39:12 -0000

3.  Implementations SHOULD use whatever specific deterministic construction CFRG decides on.  But using a randomized construction for technical reasons (side channel protection, threshold signatures, low-latency coupons or whatever) should not be forbidden by the spec, especially since the other party can’t tell how you signed it.

PS Sorry Alexey, I accidentally replied only to you before.

> On May 3, 2015, at 4:14 AM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
> 
> CFRG chairs are starting discussion of the next topic.
> 
> The consensus view of the mailing list was that NIST compliance of our selected
> signature scheme is not necessary, opening up the opportunity for us to
> consider a rich class of signature schemes beyond ECDSA.
> 
> Most if not all signature schemes defined over elliptic curves can be
> de-randomised by generating the "random" value used during signing in a
> pseudorandom manner from the message to be signed. This ameliorates some
> catastrophic failure modes for these schemes. The generation could involve
> using a PRF such as HMAC with a key designed solely for this purpose
> (resulting in an augmented private (signing) key). An alternative could be
> to hash a string consisting of a concatenation of the private (signing)
> key with the message to be signed. There are other possibilities too.
> Several methods are described in detail in RFC 6979
> (http://tools.ietf.org/html/rfc6979 <http://tools.ietf.org/html/rfc6979>).
> 
> To determine the way forward, we are going to conduct a poll to determine
> how we should tackle the question of de-randomisation. Please pick one of the
> options specified below:
> 
> 1. CFRG should stick to randomised signature schemes only.
> 
> 2. CFRG should adopt deterministic signature scheme only.
> 
> 3. De-randomisation should be an optional feature for implementers to
> decide upon (i.e. both choices 1 and 2 allowed).
> 
> Please address only this specific topic of de-randomisation at this time.
> Further topics will follow.
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email