IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)

David Jacobson <dmjacobson@sbcglobal.net> Sun, 03 May 2015 16:24 UTC

Return-Path: <dmjacobson@sbcglobal.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 817B71A7026 for <cfrg@ietfa.amsl.com>; Sun, 3 May 2015 09:24:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8pv_btKU2b24 for <cfrg@ietfa.amsl.com>; Sun, 3 May 2015 09:24:19 -0700 (PDT)
Received: from nm5-vm5.access.bullet.mail.gq1.yahoo.com (nm5-vm5.access.bullet.mail.gq1.yahoo.com [216.39.63.123]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B04421A7020 for <cfrg@irtf.org>; Sun, 3 May 2015 09:24:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sbcglobal.net; s=s2048; t=1430670259; bh=8YrvNcPxU7IeBQ6plN/bagYyJttI/jgZU7TXaDEbnDo=; h=Date:From:To:Subject:References:In-Reply-To:From:Subject; b=LXNcLvMNGUnnbtJRO10ESktK9I3DDZz5yUq6TO+0DAJyIOZflkZVYrZgmvFbNNOTRn0ayB2u0KuWYdlJ5dkPnRYxkdezOjS7EIYH2IsSWRdUk8z1S45Dqpdw2kR76jcCiAYSYLsvW9su74Mx7VXcUkYoCiKarRkTSN7fJowSa9mNxy4fXeABrOi2SHZDBSmX7suVLMBv9sTvuodSaxokQvV+Wh9p+2p/ZUAKJsL3/k8bM0u9kUCoanR+C6bdfD2tQwVbEnf8ZCJHJ+crEdDPnnRWd/MZUI+0ulayimhMOj3CafeHf4SMUbPXTV3eGTvqJGUlYkkAt6rCZLf3ZHhcJg==
Received: from [216.39.60.171] by nm5.access.bullet.mail.gq1.yahoo.com with NNFMP; 03 May 2015 16:24:19 -0000
Received: from [67.195.22.117] by tm7.access.bullet.mail.gq1.yahoo.com with NNFMP; 03 May 2015 16:24:19 -0000
Received: from [127.0.0.1] by smtp112.sbc.mail.gq1.yahoo.com with NNFMP; 03 May 2015 16:24:19 -0000
X-Yahoo-Newman-Id: 212695.44661.bm@smtp112.sbc.mail.gq1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: _ezItPEVM1lintA.DGBBmi_44g8Eo3qVhezujcTyZ0aToQm X3syit8Ra.ZjWSjlwb.nS7mJC0ZwdkbrDeRClhlkRou_gALAHh01AhXHx2UV D9pZoQYawaWtBsgIv415hoQnuaOvvIheYyQbr2o80MKWMnOL9HZq7wssBfCc k3c_3fI1cPdzVwzNBEL2dPQjqo_6cnTuceNVMV0EiO0_Yu7ui71AsuFEFVGt 7z9YH1RtdcfUqOq5c3Sw1ogcx4UZLP_4_dknnMnKvYbRd8nkWxA.fSag3Kaa WFSG3dRlVNk4trMmkfaMiNtpHBsGzYHV4rV1VQ6._f1XT0GadnH7_9m70wIL d1DDZR0RPaEm3eZxqbxEUyiiMVUqIScRAydpTF.QN3SpnhULBSCCz7JKWdw5 uCRfFCICvP7D3SjzCZt5MmLqFqkhI7qvhm1EWBnfSNPAZmTUCjFhNIApTBUc P1b4D437whLfEnvT8.B6QhnDa9kAVcZ6FffnbwdAntqqQAzYWoH1168tGica kdbGU3ljPYqvNyeSYH3Xe_CTXnwSmD40c5vF44Yt_AjXIC.Ow0GqiDRhY
X-Yahoo-SMTP: nOrmCa6swBAE50FabWnlVFUpgFVJ9Gbi__8U5mpvhtQq7tTV1g--
Message-ID: <55464BB2.5040101@sbcglobal.net>
Date: Sun, 03 May 2015 09:24:18 -0700
From: David Jacobson <dmjacobson@sbcglobal.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Alexey Melnikov <alexey.melnikov@isode.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <5546032D.5070208@isode.com>
In-Reply-To: <5546032D.5070208@isode.com>
Content-Type: multipart/alternative; boundary="------------010801030905080800040301"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/u2KCz8IgtK-xUHc6oyNEkiSPv4M>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2015 16:24:21 -0000

On 5/3/15 4:14 AM, Alexey Melnikov wrote:
> CFRG chairs are starting discussion of the next topic.
>
> The consensus view of the mailing list was that NIST compliance of our 
> selected
> signature scheme is not necessary, opening up the opportunity for us to
> consider a rich class of signature schemes beyond ECDSA.
>
> Most if not all signature schemes defined over elliptic curves can be
> de-randomised by generating the "random" value used during signing in a
> pseudorandom manner from the message to be signed. This ameliorates some
> catastrophic failure modes for these schemes. The generation could involve
> using a PRF such as HMAC with a key designed solely for this purpose
> (resulting in an augmented private (signing) key). An alternative could be
> to hash a string consisting of a concatenation of the private (signing)
> key with the message to be signed. There are other possibilities too.
> Several methods are described in detail in RFC 6979
> (http://tools.ietf.org/html/rfc6979).
>
> To determine the way forward, we are going to conduct a poll to determine
> how we should tackle the question of de-randomisation. Please pick one 
> of the
> options specified below:
>
> 1. CFRG should stick to randomised signature schemes only.
>
> 2. CFRG should adopt deterministic signature scheme only.
>
> 3. De-randomisation should be an optional feature for implementers to
> decide upon (i.e. both choices 1 and 2 allowed).
>
> Please address only this specific topic of de-randomisation at this time.
> Further topics will follow.
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

If everyone did encrypt then sign (the recommended procedure), or sign 
then encrypt, identical plaintext would still be different in what was 
sent (assuming an nonce-like IV is supplied to the encryption).  If 
someone was foolish enough to do encrypt and sign, then there would be a 
need to make identical plaintext not have identical signatures.  If 
anyone feels that we need to accommodate this, then it would be good to 
allow an optional random input  (#4 as suggested by Andy Lutomirski in 
his response).

A counter argument is that if you want to do something like that, you 
should just have your application include an application-level nonce in 
the plaintext, and not burden the signature standard with making 
identical plaintext have different signatures.

So, amongst those listed I choose #2, but perhaps Andy's #4 should be 
considered.

   --David Jacobson

v2.23.0 | Report a Bug | By Email