Re: [Cfrg] FW: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-02.txt

"Blumenthal, Uri - 0553 - MITLL" <> Wed, 11 March 2020 16:38 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <>
To: John Mattsson <>, "" <>
Date: Wed, 11 Mar 2020 16:38:22 +0000

Perfect, *thank you!*

On 3/11/20, 12:15 PM, "Cfrg on behalf of John Mattsson" < on behalf of> wrote:

    Dear CFRG,
    After the comments on the list I submitted a new version. The changes since -00 are
    - As suggested by Quynh Dang and Uri Blumenthal, the new version replaces the XOR construction with concatenation and places the random value before the message.
    - As suggested by [SBBDS17] and Uri Blumenthal, the new version implements the additional countermeasure to pad with zeroes so that the first block is composed only of the hashed private key and the random value, but not the message.
    - As suggested by Tony Arcieri, the terminology "noise" could be confusing and has been changed to "additional randomness".
    - Some more text on the construction and benefits with the construction.
    - Reduced and slightly rewritten discussion section (to be removed in the future)
    -----Original Message-----
    From: "" <>
    Date: Wednesday, 11 March 2020 at 16:11
    To: John Mattsson <>, John Mattsson <>, Sini Ruohomaa <>, Erik Thormarker <>
    Subject: New Version Notification for draft-mattsson-cfrg-det-sigs-with-noise-02.txt
        A new version of I-D, draft-mattsson-cfrg-det-sigs-with-noise-02.txt
        has been successfully submitted by John Preuß Mattsson and posted to the
        IETF repository.
        Name:		draft-mattsson-cfrg-det-sigs-with-noise
        Revision:	02
        Title:		Deterministic ECDSA and EdDSA Signatures with Additional Randomness
        Document date:	2020-03-11
        Group:		Individual Submission
        Pages:		13
           Deterministic elliptic-curve signatures such as deterministic ECDSA
           and EdDSA have gained popularity over randomized ECDSA as their
           security does not depend on a source of high-quality randomness.
           Recent research has however found that implementations of these
           signature algorithms may be vulnerable to certain side-channel and
           fault injection attacks due to their determinism.  One countermeasure
           to such attacks is to re-add randomness to the otherwise
           deterministic calculation of the per-message secret number.  This
           document updates RFC 6979 and RFC 8032 to recommend constructions
           with additional randomness for deployments where side-channel attacks
           and fault injection attacks are a concern.
        Please note that it may take a couple of minutes from the time of submission
        until the htmlized version and diff are available at
        The IETF Secretariat
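As an added illustration, not code from the draft or from either author, here is a small Python model of the per-message secret derivation that the change list above describes, instantiated for Ed25519 with SHA-512. The "hashed private key" is the second half of SHA-512(seed), which RFC 8032 calls the prefix. The model assumes Z (the additional randomness) is 32 bytes and that the zero padding fills the rest of the 128-byte SHA-512 block, i.e. 64 zero bytes; those lengths are my reading of the draft, not something this message states. Reduction of r modulo the group order and the rest of signing are left out.

```python
import hashlib
import os

# SHA-512 parameters (the hash Ed25519 uses in RFC 8032)
BLOCK_LEN = 128                              # SHA-512 compresses 128-byte blocks
PREFIX_LEN = 32                              # second half of SHA-512(seed)
Z_LEN = 32                                   # length of Z (assumed)
PAD_LEN = BLOCK_LEN - PREFIX_LEN - Z_LEN     # 64 zero bytes (assumed layout)


def expand_seed(seed: bytes):
    """RFC 8032 key expansion: SHA-512(seed) -> (scalar half, prefix half)."""
    h = hashlib.sha512(seed).digest()
    return h[:32], h[32:]


def nonce_rfc8032(prefix: bytes, msg: bytes) -> bytes:
    """Plain deterministic EdDSA nonce: r = SHA-512(prefix || M)."""
    return hashlib.sha512(prefix + msg).digest()


def nonce_with_randomness(prefix: bytes, msg: bytes, z: bytes) -> bytes:
    """Nonce with additional randomness as described in the -02 change list:
    Z is concatenated *before* the message (not XORed), and zero padding
    pushes the message out of the first hash block, so the block that mixes
    the secret prefix with Z never contains attacker-chosen message bytes."""
    if len(z) != Z_LEN:
        raise ValueError("Z must be exactly %d bytes" % Z_LEN)
    first_block = prefix + z + b"\x00" * PAD_LEN
    assert len(first_block) == BLOCK_LEN
    return hashlib.sha512(first_block + msg).digest()


def nonce_with_randomness_incremental(prefix: bytes, msg: bytes, z: bytes) -> bytes:
    """Same value computed with the incremental API. Because the first block is
    message-free, the secret-dependent compression call can be run before the
    message is even available; the message only enters later blocks."""
    if len(z) != Z_LEN:
        raise ValueError("Z must be exactly %d bytes" % Z_LEN)
    state = hashlib.sha512(prefix + z + b"\x00" * PAD_LEN)   # block 1: key material only
    state.update(msg)                                         # blocks 2..n: message
    return state.digest()


def demo(seed: bytes, msg: bytes) -> dict:
    """Exercise the properties the draft's abstract claims, with a constructed
    seed and message. Returns a dict of boolean checks."""
    _, prefix = expand_seed(seed)
    z_a = os.urandom(Z_LEN)        # healthy RNG, first signature
    z_b = os.urandom(Z_LEN)        # healthy RNG, second signature of same message
    z_bad = bytes(Z_LEN)           # a broken RNG that always returns zeros
    return {
        # RFC 8032 as-is: signing the same message twice reuses the same nonce,
        # which is what makes fault-injection comparisons of two signatures useful.
        "deterministic_repeats": nonce_rfc8032(prefix, msg) == nonce_rfc8032(prefix, msg),
        # With additional randomness, two signatures of one message use different nonces.
        "randomized_differs": nonce_with_randomness(prefix, msg, z_a)
                              != nonce_with_randomness(prefix, msg, z_b),
        # If the RNG fails completely, we fall back to deterministic behaviour
        # rather than to a weak nonce: still one fixed nonce per message ...
        "bad_rng_still_deterministic": nonce_with_randomness(prefix, msg, z_bad)
                                       == nonce_with_randomness(prefix, msg, z_bad),
        # ... and still distinct nonces for distinct messages.
        "bad_rng_still_per_message": nonce_with_randomness(prefix, msg, z_bad)
                                     != nonce_with_randomness(prefix, msg + b"x", z_bad),
        # One-shot and incremental derivations agree.
        "incremental_matches": nonce_with_randomness(prefix, msg, z_a)
                               == nonce_with_randomness_incremental(prefix, msg, z_a),
    }


if __name__ == "__main__":
    constructed_seed = bytes(range(32))        # constructed, not a real key
    for name, ok in demo(constructed_seed, b"constructed message").items():
        print("%-30s %s" % (name, ok))
```

The last two checks in `demo` are the point of the construction from the abstract's perspective: security never rests on the quality of Z, because an all-zero Z degrades to the RFC 8032 derivation with a fixed extra block, not to a predictable nonce. The incremental variant makes the padding argument concrete: with hashlib's `update`, the compression call that sees the prefix and Z completes before any message byte is processed.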