Re: [saag] [Cfrg] Recommendations Regarding Deterministic Signatures

Akira Takahashi <takahashi@cs.au.dk> Fri, 13 December 2019 03:00 UTC

From: Akira Takahashi <takahashi@cs.au.dk>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>, "saag@ietf.org" <saag@ietf.org>, "Diego F. Aranha" <dfaranha@eng.au.dk>, Claudio Orlandi <orlandi@cs.au.dk>, Greg Zaverucha <gregz@microsoft.com>
Date: Fri, 13 Dec 2019 03:00:01 +0000
Message-ID: <DB6PR0102MB283861277B9ADF9D1A7551A395540@DB6PR0102MB2838.eurprd01.prod.exchangelabs.com>
References: <08737FB3-C63E-453D-BF4E-45BD2A3ABB55@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/QPQrxbHeQ00jUZqx6lU1J8-WCjw>

On 11/27/19 12:13 PM, John Mattsson wrote:

> My current view is that best practice seems to be to use deterministic algorithms (deterministic ECDSA or EdDSA) with "additional randomness" / "noise" like in XEdDSA. This also mitigates attacks on theoretical use cases where deterministically signing the same message twice leaks information.

We would like to draw your attention to our recent result related to such "hedged" constructions that derive the randomness by hashing the secret key, message, and a nonce:

    D. F. Aranha, C. Orlandi, A. Takahashi, G. Zaverucha. Security of Hedged Fiat–Shamir Signatures under Fault Attacks. 2019. https://eprint.iacr.org/2019/956.pdf

We analyzed the fault resilience of hedged Fiat-Shamir type signatures within the provable security methodology and formally confirmed that the countermeasure does thwart several recent attacks targeted at the deterministic ones.
Our result also directly applies to XEdDSA.

Best regards,
Diego, Claudio, Akira, and Greg
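As an added illustration of the hedged construction discussed above (this is example code written for this thread, not code from the paper, from XEdDSA, or from the authors), a toy Schnorr/Fiat-Shamir signature whose per-signature nonce is derived as H(sk || rho || m): an empty rho gives the plain deterministic scheme, a fresh random rho gives the hedged variant, and a zeroed rho (a failed RNG) degrades to the deterministic scheme rather than to a fixed nonce. The group parameters, labels and function names are constructed for illustration and are far too small to be secure.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only: p = 2q + 1 with
# q prime, and G = 2^2 mod p generates the order-q subgroup.
P = 2039
Q = 1019
G = 4


def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def keygen(rng=secrets.randbelow):
    x = 1 + rng(Q - 1)            # secret scalar in [1, Q-1]
    return x, pow(G, x, P)


def hedge_digest(sk, rho, msg):
    """Hedged nonce material H(sk || rho || msg).
    rho = b"" is plain deterministic signing (RFC 6979 / EdDSA style);
    a fresh random rho is the XEdDSA-style hedged variant."""
    return _h(b"nonce", sk.to_bytes(2, "big"), rho, msg)


def _challenge(r, pk, msg):
    return int.from_bytes(_h(b"chal", r.to_bytes(2, "big"),
                             pk.to_bytes(2, "big"), msg), "big") % Q


def sign(sk, msg, rho=None):
    if rho is None:
        rho = secrets.token_bytes(32)   # fresh per-signature randomness
    k = 1 + int.from_bytes(hedge_digest(sk, rho, msg), "big") % (Q - 1)
    r = pow(G, k, P)                    # commitment R = g^k
    c = _challenge(r, pow(G, sk, P), msg)
    s = (k + c * sk) % Q                # response s = k + c*x mod q
    return r, s


def verify(pk, msg, sig):
    r, s = sig
    if not (0 < r < P and 0 <= s < Q):
        return False
    return pow(G, s, P) == (r * pow(pk, _challenge(r, pk, msg), P)) % P


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message"
    d1, d2 = sign(sk, msg, rho=b""), sign(sk, msg, rho=b"")
    h1, h2 = sign(sk, msg), sign(sk, msg)
    print("deterministic, same msg twice -> same R:", d1[0] == d2[0])
    print("hedged, same msg twice -> same R:", h1[0] == h2[0])
    print("hedged with zeroed RNG verifies:", verify(pk, msg, sign(sk, msg, rho=bytes(32))))
```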