Re: [TLS] Require deterministic ECDSA
Michael StJohns <msj@nthpermutation.com> Sun, 24 January 2016 18:08 UTC
To: Yoav Nir <ynir.ietf@gmail.com>
References: <CACaGAp=-xJZN=L3av+DX_WQcki_k=L-_tc5dZnJNtM=M0W8MnQ@mail.gmail.com> <56A41F0F.70609@nthpermutation.com> <FFB0FFED-841A-4D97-8C09-0DCC6D2A91AE@gmail.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <56A51327.2020406@nthpermutation.com>
Date: Sun, 24 Jan 2016 13:08:39 -0500
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Bwxz-oQ_n-qoPCH6JNF8d6rqK7c>
Cc: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On 1/24/2016 5:15 AM, Yoav Nir wrote:
>> >Correct me if I'm wrong but:
>> >
>> >1) A receiver of a deterministic ECDSA signature verifies it EXACTLY like they would a non-deterministic signature.
>> >2) A receiver of an ECDSA signature cannot determine whether or not the signer did a deterministic signature.
>> >3) A TLS implementation has no way (absent repeating signatures over identical data) of telling whether or not a given signature using the client or server private key is deterministic.
> I might be missing something, but if k is deterministic, do we really need to send it? Can’t the receiver figure it out the same way that the sender did?
>
> I know that makes it break compatibility, but since this is TLS 1.3 anyway, that’s not an issue, I think.
>
> Yoav
>

Hi Yoav

If K is known and the signature is known then the private key is known. The particular method the RFC uses to create the signature is to incorporate the signing private key as part of the input to the pseudo-random generation of K (along with the message). The receiver doesn't have the private key and so can't derive K (which is a *GOOD* thing - see the point above. :-) )

Mike.