IETF Logo Mail Archive

Re: [Cfrg] Call for adoption draft-mattsson-cfrg-det-sigs-with-noise

Phillip Hallam-Baker <phill@hallambaker.com> Fri, 15 May 2020 04:48 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A9D93A0912 for <cfrg@ietfa.amsl.com>; Thu, 14 May 2020 21:48:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 67_u_Q6TZjft for <cfrg@ietfa.amsl.com>; Thu, 14 May 2020 21:48:26 -0700 (PDT)
Received: from mail-oi1-f196.google.com (mail-oi1-f196.google.com [209.85.167.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCE6D3A090D for <cfrg@irtf.org>; Thu, 14 May 2020 21:48:26 -0700 (PDT)
Received: by mail-oi1-f196.google.com with SMTP id 19so1131956oiy.8 for <cfrg@irtf.org>; Thu, 14 May 2020 21:48:26 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OEfJUxW0fWTNmoxF7YGX+988lY/Vt+vSaQXDLvlu0/o=; b=uUrwY2bpOqJnzp+o3HBsiBbfMckgWNT0eG61oiVy8qck6qcOwnBEKu9qZfPUESPpKO k1pVP2y5DaZhTIrShu6nkV76Bu3peIP2HwZL4ym/I/32fXeKx1nVvxqLe7mPodKPmXiZ /3G0RQeFNMuXH0LVztzg0Uy7JvQ7sMHdBbw0LfXnibdTfQUcdwYrSaC6euubNDcUMS/c RTAsrw/qSz6j2zg3AV98Nxo/iet0wdBhpfSVKYGgOikqA0wRAbDqRzPDFTxQCsOR2948 D11Slf7JcWEwW0zxHyPZhs72kgDnr8HgRu353gUwcsJ52SUwkYDSea0LsZTP39byYDpE 2y/Q==
X-Gm-Message-State: AOAM5319oa5astj6xaKN7ojx/XMMzKI887FRnyJu/i+NBGwgw9z/cRKD gHJXJhAqFFT7c6Q5jWv9xhtecZr5Qidgp/ZgSo8=
X-Google-Smtp-Source: ABdhPJw6cAy3HjEICSh7Iny58XBNN+C1kEkYNIfCJtAN78Jo52vtHrCzmHQtmjfUUqeVY9wxrqAcDUfMZu68TofseMU=
X-Received: by 2002:aca:b6c2:: with SMTP id g185mr940309oif.166.1589518105849; Thu, 14 May 2020 21:48:25 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6kr18AP2ya5Pn2VXpt6FLO6vWrFQoXrFni28uYgrJXpFA@mail.gmail.com>
In-Reply-To: <CAMr0u6kr18AP2ya5Pn2VXpt6FLO6vWrFQoXrFni28uYgrJXpFA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 15 May 2020 00:48:15 -0400
Message-ID: <CAMm+Lwh5E+v61M98QRH0n5K0Neoot4wuqjauO_0V+dFtHjBNMQ@mail.gmail.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Cc: CFRG <cfrg@irtf.org>, cfrg-chairs@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001032a505a5a886e4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/gGbSGBIEsenwCkSzBv1s-QSrFjQ>
Subject: Re: [Cfrg] Call for adoption draft-mattsson-cfrg-det-sigs-with-noise
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2020 04:48:30 -0000

I support this work and I am willing to review.

There are advantages to a deterministic approach but also some drawbacks
beyond the side channel attack mitigation.

The big downside to a non deterministic scheme is that once the sig scheme
is non deterministic, it becomes impossible to audit a sealed HSM. But I
still think it is useful to describe a process for determining k from a set
of inputs that include a random nonce value, a secret value and some value
that depends on the public key pair that is used.


This is about closing the unintended side channel from the HSM and that is
important. But there is also the intentional side channel attack in which
the HSM vendor intends to leak the key. If the attacker knows the messages
that are signed and their signatures, they can leak the key one bit at a
time by generating multiple values for k and picking an R value that has
particular properties.

So if you want belt and braces, you also want a threshold signature scheme.
But not (alas) the single pass version I am currently using. You need to
get a commitment on R before the HSM sees the message digest to be signed.



On Tue, Apr 28, 2020 at 7:23 AM Stanislav V. Smyshlyaev <smyshsv@gmail.com>
wrote:

> Dear CFRG participants,
> This email commences a 2-week call for adoption for draft-mattsson-cfrg-det-sigs-with-noise-02
> that will end on May 12th 2020:
>
> https://datatracker.ietf.org/doc/draft-mattsson-cfrg-det-sigs-with-noise/
>
>
> Please give your views on whether this document should be adopted as a
> CFRG draft, and if so, whether you'd be willing to help work on it/review
> it. Please reply to this email (or in exceptional circumstances you can
> email CFRG chairs directly at cfrg-chairs@ietf.org).
>
> Thank you,
> Stanislav (for the chairs)
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email