IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 04 May 2015 18:08 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02C381A8756 for <cfrg@ietfa.amsl.com>; Mon, 4 May 2015 11:08:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CtRV84i-QR6X for <cfrg@ietfa.amsl.com>; Mon, 4 May 2015 11:08:09 -0700 (PDT)
Received: from emh07.mail.saunalahti.fi (emh07.mail.saunalahti.fi [62.142.5.117]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 079491A8755 for <cfrg@irtf.org>; Mon, 4 May 2015 11:08:08 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh07.mail.saunalahti.fi (Postfix) with ESMTP id 057B04003; Mon, 4 May 2015 21:08:04 +0300 (EEST)
Date: Mon, 04 May 2015 21:08:04 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Michael Hamburg <mike@shiftleft.org>
Message-ID: <20150504180804.GA9724@LK-Perkele-VII>
References: <5546032D.5070208@isode.com> <55464BB2.5040101@sbcglobal.net> <CACEhwkSdzb-g7Q7uBASp4QB3g_9AGM_nUuXVypdzxGUYypxDaQ@mail.gmail.com> <55468C6E.6070101@sbcglobal.net> <B3B0DA6C-8C27-4A67-BE8D-AC010E5889B3@shiftleft.org> <55477EEC.2010704@sbcglobal.net> <99D726C1-2700-4084-8A4A-C3E7042173BC@shiftleft.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <99D726C1-2700-4084-8A4A-C3E7042173BC@shiftleft.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/uhHcDTMzrVmyWHKU_xnCuO67oqM>
Cc: Mihir Bellare <mihir@eng.ucsd.edu>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2015 18:08:11 -0000

On Mon, May 04, 2015 at 09:16:45AM -0700, Michael Hamburg wrote:
> 
> I also agree that CFRG should specify a derandomized signature algorithm.
> But since it does not harm interoperability (or security if done right),
> we should not absolutely require the nonce to be computed in the way we
> specify.  We should allow a different PRF to be substituted, because for
> example HMAC-SHA2 is a nightmare to blind against DPA.  We should allow
> the use of random nonces: if not in TLS, then in low-latency
> environments like v2v where pregenerated signature coupons could be
> a big win.

Regarding coupon generation: Derandomization can be used to turn
the "nonce" with extreme randomness requirements into true nonce.
It may still be random, but needs only be random enough to be
unique, not to be quasi-perfectly random.


-Ilari

v2.23.0 | Report a Bug | By Email