IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)

Andy Lutomirski <luto@amacapital.net> Sun, 03 May 2015 15:13 UTC

Return-Path: <luto@amacapital.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 923131A6EE6 for <cfrg@ietfa.amsl.com>; Sun, 3 May 2015 08:13:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hkyIHHx3S-8W for <cfrg@ietfa.amsl.com>; Sun, 3 May 2015 08:13:43 -0700 (PDT)
Received: from mail-lb0-f179.google.com (mail-lb0-f179.google.com [209.85.217.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D9131A2119 for <cfrg@irtf.org>; Sun, 3 May 2015 08:13:43 -0700 (PDT)
Received: by lbcga7 with SMTP id ga7so90724542lbc.1 for <cfrg@irtf.org>; Sun, 03 May 2015 08:13:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=LOU73rfIOTl4pVFtktsiuH7o/5VqT6zMP8pLm4okxZ0=; b=CqXsAO0c+0vORJg79Wg35wLcPTKCJZic9tT3USbO4nTQP1I2wGPl7Yz76lKbR9Pinj sM/t2Y+U+W3vTn3F3/1/C/s+y9hi3XFjQ83FQRQGXkJpLC4YMhuGvKTLjjB9EZFRmoVs AqPj5APXq8FZLSomgCmy3a/n9W6qrflsK0lENshDOzdP8xV/zd1ezTXCUAoCCRFCmtlR n2IiaCbV9sEbSbaoarQUgQ2lC0pZ77Ygr2OmKUewNRruWH37n7lVHPFX7a47VGlYzFAT WoiOXoa/tKlmtT/Acs1JhfcgUuyq4dLRf1E7xwD3y9EcqipBcSh06QZC5X/yqYXd6IR0 0pFQ==
X-Gm-Message-State: ALoCoQleYE8xnfVSqVnCat5WtviknAAK1fcg0wiTiwB+C0NF/RrsORd4CbDUzf6Julqp0TKAZyyF
MIME-Version: 1.0
X-Received: by 10.112.148.101 with SMTP id tr5mr16469812lbb.0.1430666021640; Sun, 03 May 2015 08:13:41 -0700 (PDT)
Received: by 10.152.246.10 with HTTP; Sun, 3 May 2015 08:13:41 -0700 (PDT)
Received: by 10.152.246.10 with HTTP; Sun, 3 May 2015 08:13:41 -0700 (PDT)
In-Reply-To: <5546032D.5070208@isode.com>
References: <5546032D.5070208@isode.com>
Date: Sun, 03 May 2015 08:13:41 -0700
Message-ID: <CALCETrXGq4QDpCp5V9OebSYJ72TR61u+88GDYvXzczKO3WFbAA@mail.gmail.com>
From: Andy Lutomirski <luto@amacapital.net>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Content-Type: multipart/alternative; boundary="047d7b3a898c03314f05152ee47d"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/zydgROKQ8FXQrxVOW5un8DImM-Y>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: randomised or not (ends on May 13th)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 May 2015 15:13:45 -0000

On May 3, 2015 4:15 AM, "Alexey Melnikov" <alexey.melnikov@isode.com> wrote:
>
> CFRG chairs are starting discussion of the next topic.
>
> The consensus view of the mailing list was that NIST compliance of our
selected
> signature scheme is not necessary, opening up the opportunity for us to
> consider a rich class of signature schemes beyond ECDSA.
>
> Most if not all signature schemes defined over elliptic curves can be
> de-randomised by generating the "random" value used during signing in a
> pseudorandom manner from the message to be signed. This ameliorates some
> catastrophic failure modes for these schemes. The generation could involve
> using a PRF such as HMAC with a key designed solely for this purpose
> (resulting in an augmented private (signing) key). An alternative could be
> to hash a string consisting of a concatenation of the private (signing)
> key with the message to be signed. There are other possibilities too.
> Several methods are described in detail in RFC 6979
> (http://tools.ietf.org/html/rfc6979).
>
> To determine the way forward, we are going to conduct a poll to determine
> how we should tackle the question of de-randomisation. Please pick one of
the
> options specified below:
>
> 1. CFRG should stick to randomised signature schemes only.
>
> 2. CFRG should adopt deterministic signature scheme only.
>
> 3. De-randomisation should be an optional feature for implementers to
> decide upon (i.e. both choices 1 and 2 allowed).

You left out 4: schemes that are secure without random input but that
nonetheless accept random input.  These could work like derandomized
schemes but with an extra input to the hash.

My preference order would be 2, 4, 3, 1.  Some people want random
signatures for what I consider to be strange reasons.  4 should satisfy
them, and test vectors could verify that they aren't omitting the hash.

--Andy

v2.23.0 | Report a Bug | By Email