[Cfrg] My thoughts on randomized signature generation

Watson Ladd <watsonbladd@gmail.com> Tue, 05 May 2020 12:36 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 05 May 2020 08:35:56 -0400
Message-ID: <CACsn0c=8TTmh=_Zbf170sSxDHkSyzeTsvp2g=KZm4U19LCb7eQ@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/n17RfVwA7lmQMFVxcDp8zHo6lIw>

Dear participants,

I apologize for the long delay between the virtual meeting and this
email. I'm writing to expand upon my opposition at the mike to
distinguishing between interoperable signatures based on the method of
generation.

My opposition is rooted in the following facts: the signature
generation method doesn't introduce any incompatibility with existing
verifiers, and the existing installed verifiers expect the already
allocated codepoints. A new system using randomized generation that
doesn't use the existing codepoints will thus be incompatible. It
would of course be possible to avoid this, and the right way is simply
to use the existing codepoints rather than implement the less secure
generation method.

Sincerely,
Watson Ladd
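The interoperability point made in the message above (the nonce generation method is invisible to a verifier, so it needs no separate codepoint) can be shown concretely. The following is an added example, not code from the message or from any CFRG document: a minimal pure-Python ECDSA over P-256 in which one `verify` function accepts signatures produced with an RFC 6979 deterministic nonce and with a CSPRNG nonce, both in the same 64-byte r||s encoding. The curve arithmetic is not constant-time and the raw r||s encoding is an assumption of the example; it is for demonstration only.

```python
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (FIPS 186-4, D.1.2.3).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def _hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, _mul(d, G)


def random_nonce(d, msg):
    """Randomized generation: a fresh k from the OS CSPRNG."""
    return secrets.randbelow(N - 1) + 1


def rfc6979_nonce(d, msg):
    """Deterministic generation per RFC 6979 section 3.2 (SHA-256, P-256)."""
    x = d.to_bytes(32, "big")
    h1 = (_hash_int(msg) % N).to_bytes(32, "big")  # bits2octets(H(m))
    V = b"\x01" * 32
    K = b"\x00" * 32
    K = hmac.new(K, V + b"\x00" + x + h1, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + x + h1, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        V = hmac.new(K, V, hashlib.sha256).digest()
        k = int.from_bytes(V, "big")
        if 1 <= k < N:
            return k
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()


def sign(d, msg, nonce_fn):
    """ECDSA sign; only the nonce source differs between the two methods."""
    z = _hash_int(msg)
    k = nonce_fn(d, msg)
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    if r == 0 or s == 0:  # probability ~2^-256; a real signer retries
        raise ValueError("degenerate signature, retry with a new nonce")
    # Same 64-byte r||s wire format whichever way k was chosen.
    return r.to_bytes(32, "big") + s.to_bytes(32, "big")


def verify(pub, msg, sig):
    """A single verifier that never learns how k was generated."""
    if len(sig) != 64:
        return False
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    point = _add(_mul(_hash_int(msg) * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def demo():
    """Both generation methods are accepted by the same verifier."""
    d, pub = keygen()
    msg = b"constructed sample message"  # constructed input, not real traffic
    det1 = sign(d, msg, rfc6979_nonce)
    det2 = sign(d, msg, rfc6979_nonce)
    rnd1 = sign(d, msg, random_nonce)
    rnd2 = sign(d, msg, random_nonce)
    return {
        "deterministic_repeatable": det1 == det2,
        "randomized_fresh": rnd1 != rnd2,
        "all_verify": all(verify(pub, msg, s) for s in (det1, det2, rnd1, rnd2)),
        "tamper_rejected": not verify(pub, msg + b"!", det1),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier has no input telling it which `nonce_fn` the signer used; deterministic signing is observable only as repeatability across identical messages, which the verifier never checks. A deployment that switches its signer between the two therefore changes nothing on the wire, which is why a separate codepoint would only create incompatibility without conveying anything a verifier can act on.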