Re: [saag] [Cfrg] Recommendations Regarding Deterministic Signatures

Tony Arcieri <bascule@gmail.com> Wed, 27 November 2019 17:10 UTC

Return-Path: <bascule@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95889120809 for <saag@ietfa.amsl.com>; Wed, 27 Nov 2019 09:10:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VFIWI7d60JKP for <saag@ietfa.amsl.com>; Wed, 27 Nov 2019 09:10:39 -0800 (PST)
Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD61F12004D for <saag@ietf.org>; Wed, 27 Nov 2019 09:10:38 -0800 (PST)
Received: by mail-oi1-x231.google.com with SMTP id e9so20758765oif.8 for <saag@ietf.org>; Wed, 27 Nov 2019 09:10:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=i33esFxqJZqL2ot8DhAC5kMOiJfM9t65gLrn65ATwUI=; b=HbMijUfBVEkHlt0v/kIr0eJe4Itb/lx2gP2bFkaccZkx+NRTVLbO+heOSL2a/NPv0I 1M8WTysQ7Y86ZCLCct0AP5g4M4uULpHpALLaaswz5T99Efvv8/Zv0XDzfUxr6sSg+GUH y99Wx4879/WkKGs8j7/cWdYAhUOXRJ4pWe4oSRHeuFpsSF6SXcBsYIpkw6H5ciPxDRLu M3InjwzmK0JUHl41XtVJkA8shyWvRb72mNMSgB99n/APvOxgYRH0yVMENK1hpWkhL0nj 2dUbegWMcecUpWMQKRzAt+xG34bQ5ZL12UxIGI0W7oa9YTZerau/b85XyfcdzaT/2SyW Mz7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=i33esFxqJZqL2ot8DhAC5kMOiJfM9t65gLrn65ATwUI=; b=PughbWB8oAsZNwDtSNu+d6kLpPW0VuGbtqbBRtKZQULxyc+L5pz3X/UKpIZbuJhVH0 BdTXkJvNiDcNvflY2RTtvv0iXP2muTh9FgJCk5P/Nwx0kgmfpMkm3KiO44sVW0Q6O/v8 /8xJ3crCoaschrgWsikeQV0WcfGi5oY9o+BJLbVDPzvHmBOWnWmeID/DYsiCuocqIEV6 I1u+iSaMod2iko/Uxl4ZXgg8wNvOXZjHs1H0UGaNyzdPb0X2w9WlqHbPCmf5FONubLDS BZmBJDu8NtsaFPTRXeMmrOFSkcNo4m+z/xxjLZ5UHtJtW4bAiy49MHX+2lKFVewp4iMv l42A==
X-Gm-Message-State: APjAAAVQaFqiJPGBcEPuyAC1HvUPIWW+SpL+UAl30FJMkrNYrTT9PvcZ 9mSWzRwK2vHg43XtRXkJoQg1kw3ynNcoigffb9dMoROF
X-Google-Smtp-Source: APXvYqyYg0QckU6nf4meGqs/p44Iwkc9NC++JD0CQsrtxH41glDYZPBxNX3+w4mmRYGmLYpmPcjalKOtfAvP6EVJeks=
X-Received: by 2002:aca:ded4:: with SMTP id v203mr5176747oig.96.1574874638090; Wed, 27 Nov 2019 09:10:38 -0800 (PST)
MIME-Version: 1.0
References: <08737FB3-C63E-453D-BF4E-45BD2A3ABB55@ericsson.com>
In-Reply-To: <08737FB3-C63E-453D-BF4E-45BD2A3ABB55@ericsson.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Wed, 27 Nov 2019 09:10:27 -0800
Message-ID: <CAHOTMVK5rkFpKE5ijAKw6JY-oJqAsXT=OhCacv=m+-PWQY8EAg@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, "saag@ietf.org" <saag@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005e89bb05985713c6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/FfSiEXJDZNyg35YixpyOh_ik5eU>
Subject: Re: [saag] [Cfrg] Recommendations Regarding Deterministic Signatures
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 17:10:42 -0000

On Wed, Nov 27, 2019 at 3:14 AM John Mattsson <john.mattsson=
40ericsson.com@dmarc.ietf.org>; wrote:

> My current view is that best practice seems to be to use deterministic
> algorithms (deterministic ECDSA or EdDSA) with "additional randomness" /
> "noise" like in XEdDSA.


I'll +1 this, but also noting that for existing deterministic signature
algorithms, one potential mitigation for fault injection attacks against
these algorithms (depending on whether circumstances / threat models permit
it) is verifying generated signatures before releasing them.

That doesn't help with the issue of leaking message equivalence, however
I'll also note that some applications of deterministic signatures I work on
personally benefit from the determinism from a fault-tolerance perspective,
as it allows for recomputing a signature on a message which may or may not
have been lost in a protocol where inconsistent signature generation in and
of itself is considered a fault.

-- 
Tony Arcieri