Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
Andrey Jivsov <crypto@brainhub.org> Wed, 06 May 2015 08:35 UTC
Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BA301A007B for <cfrg@ietfa.amsl.com>; Wed, 6 May 2015 01:35:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0O71va0POpf6 for <cfrg@ietfa.amsl.com>; Wed, 6 May 2015 01:35:13 -0700 (PDT)
Received: from resqmta-po-09v.sys.comcast.net (resqmta-po-09v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:168]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D7051A6FE9 for <cfrg@irtf.org>; Wed, 6 May 2015 01:35:12 -0700 (PDT)
Received: from resomta-po-16v.sys.comcast.net ([96.114.154.240]) by resqmta-po-09v.sys.comcast.net with comcast id QYbC1q0015BUCh401YbCQm; Wed, 06 May 2015 08:35:12 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by resomta-po-16v.sys.comcast.net with comcast id QYbB1q0034uhcbK01YbB3M; Wed, 06 May 2015 08:35:12 +0000
Message-ID: <5549D23F.5000107@brainhub.org>
Date: Wed, 06 May 2015 01:35:11 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: cfrg@irtf.org
References: <5546032D.5070208@isode.com> <EE0F9CDF-7B62-4950-A708-EAC071FCAE4F@shiftleft.org>
In-Reply-To: <EE0F9CDF-7B62-4950-A708-EAC071FCAE4F@shiftleft.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1430901312; bh=gOie4RQiJb7A0Ae3Rjo4xAFzMU1NCcSv4OuKBgUc/aQ=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=qxxxzQKX5aK4g4XH5yEDVEBuUrj0k8satt4gnaCSH0Do22fAqhPGaX4ByQvXuor6a JJ12bvw4Ez9pXq5nnOlWQ5VvBhdWYAfUC+P4m9tBwpXU/7lQU7b2vBT40Knx+AG9fW 4qaxm5ECR8tjrfIlSmrFLM99+yYDv87vuyLpRRNpujoIh2G/MVSTU48wzII9DiOsNE i+xLLtPHL7KQONpCdby1XN8rtx873Vt7ZakxtCoJ69pIQk4lpsDhs8oAoUQgf7rfIb PnGYTy8rPU/kEUrPplJN0WKaf8mbND1ZeqdwqMuG3bmJUlMzDbrCoSC/oD0TnVPm8Y +85iFM2GKgyPA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/j07fud8N6ySLAuH5ae-sV26yk1g>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2015 08:35:15 -0000
On 05/03/2015 10:39 AM, Michael Hamburg wrote: > 3. Implementations SHOULD use whatever specific deterministic > construction CFRG decides on. But using a randomized construction for > technical reasons (side channel protection, threshold signatures, > low-latency coupons or whatever) should not be forbidden by the spec, > especially since the other party can’t tell how you signed it. +1 to the above #3. If I see it correctly, the value of #2 is viewed in the following context: * we trust the system to correctly generate a long-term secret, and possibly a dedicated long-term seed * the signature standard will specify a DRBG and how to seed it to generate bytes, e.g. for the r in ECDSA * we rely on audit or a vendor assurance that the implementation indeed uses the standard-mandated DRBG and the seed(s) correctly; note that using random bytes instead of said DRBG is undetectable by verifiers I second the problem with #2 that it's not cryptographically enforceable and it limits some performance optimizations. Therefore, SHOULD is fine, but prohibiting random bytes instead of specific DRBG is overkill. TLS1.2 currently requires access to plenty of random/pseudorandom bytes, for example. > > PS Sorry Alexey, I accidentally replied only to you before. > >> On May 3, 2015, at 4:14 AM, Alexey Melnikov <alexey.melnikov@isode.com >> <mailto:alexey.melnikov@isode.com>> wrote: >> >> CFRG chairs are starting discussion of the next topic. >> >> The consensus view of the mailing list was that NIST compliance of our >> selected >> signature scheme is not necessary, opening up the opportunity for us to >> consider a rich class of signature schemes beyond ECDSA. >> >> Most if not all signature schemes defined over elliptic curves can be >> de-randomised by generating the "random" value used during signing in a >> pseudorandom manner from the message to be signed. This ameliorates some >> catastrophic failure modes for these schemes. The generation could involve >> using a PRF such as HMAC with a key designed solely for this purpose >> (resulting in an augmented private (signing) key). An alternative could be >> to hash a string consisting of a concatenation of the private (signing) >> key with the message to be signed. There are other possibilities too. >> Several methods are described in detail in RFC 6979 >> (http://tools.ietf.org/html/rfc6979). >> >> To determine the way forward, we are going to conduct a poll to determine >> how we should tackle the question of de-randomisation. Please pick one >> of the >> options specified below: >> >> 1. CFRG should stick to randomised signature schemes only. >> >> 2. CFRG should adopt deterministic signature scheme only. >> >> 3. De-randomisation should be an optional feature for implementers to >> decide upon (i.e. both choices 1 and 2 allowed). >> >> Please address only this specific topic of de-randomisation at this time. >> Further topics will follow. >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org <mailto:Cfrg@irtf.org> >> http://www.irtf.org/mailman/listinfo/cfrg > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Elliptic Curves - signature scheme: random… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Salz, Rich
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Paul Hoffman
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andy Lutomirski
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Alyssa Rowan
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Yoav Nir
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… James Cloos
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Damien Miller
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Jacobson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Michael Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Adam Langley
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Daniel Kahn Gillmor
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Parkinson, Sean
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Paul Lambert
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Olafur Gudmundsson
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Russ Housley
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Brian Smith
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Sean Turner
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: ra… David Leon Gil
- [Cfrg] Summary of the poll: Elliptic Curves - sig… Alexey Melnikov