| < draft-pornin-deterministic-dsa-01.txt | draft-pornin-deterministic-dsa-02.txt > | |||
|---|---|---|---|---|
| Internet Engineering Task Force T. Pornin | Internet Engineering Task Force T. Pornin | |||
| Internet-Draft August 27, 2012 | Internet-Draft May 30, 2013 | |||
| Intended status: Informational | Intended status: Informational | |||
| Expires: February 28, 2013 | Expires: December 1, 2013 | |||
| Deterministic Usage of DSA and ECDSA Digital Signature Algorithms | Deterministic Usage of DSA and ECDSA Digital Signature Algorithms | |||
| draft-pornin-deterministic-dsa-01 | draft-pornin-deterministic-dsa-02 | |||
| Abstract | Abstract | |||
| This document defines a deterministic digital signature generation | This document defines a deterministic digital signature generation | |||
| procedure. Such signatures are compatible with standard DSA and | procedure. Such signatures are compatible with standard DSA and | |||
| ECDSA digital signatures, and can be processed with unmodified | ECDSA digital signatures, and can be processed with unmodified | |||
| verifiers, which need not be aware of the procedure described | verifiers, which need not be aware of the procedure described | |||
| therein. Deterministic signatures retain the cryptographic security | therein. Deterministic signatures retain the cryptographic security | |||
| features associated with digital signatures, but can be more easily | features associated with digital signatures, but can be more easily | |||
| implemented in various environments since they do not need access to | implemented in various environments since they do not need access to | |||
| skipping to change at page 1, line 37 | skipping to change at page 1, line 37 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 28, 2013. | This Internet-Draft will expire on December 1, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 32 | skipping to change at page 2, line 32 | |||
| 3.1. Building Blocks . . . . . . . . . . . . . . . . . . . . . 10 | 3.1. Building Blocks . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.1.1. HMAC . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 3.1.1. HMAC . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 3.2. Generation of k . . . . . . . . . . . . . . . . . . . . . 11 | 3.2. Generation of k . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 3.3. Alternate Description of the Generation of k . . . . . . . 12 | 3.3. Alternate Description of the Generation of k . . . . . . . 12 | |||
| 3.4. Usage Notes . . . . . . . . . . . . . . . . . . . . . . . 14 | 3.4. Usage Notes . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.5. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 14 | 3.5. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.6. Variants . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 3.6. Variants . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | |||
| 6. Intellectual Property Status . . . . . . . . . . . . . . . . . 17 | 6. Intellectual Property Status . . . . . . . . . . . . . . . . . 17 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 17 | 7.1. Normative References . . . . . . . . . . . . . . . . . . . 18 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 18 | 7.2. Informative References . . . . . . . . . . . . . . . . . . 18 | |||
| Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 20 | Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| A.1. Detailed Example . . . . . . . . . . . . . . . . . . . . . 20 | A.1. Detailed Example . . . . . . . . . . . . . . . . . . . . . 20 | |||
| A.1.1. Key Pair . . . . . . . . . . . . . . . . . . . . . . . 20 | A.1.1. Key Pair . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| A.1.2. Generation of k . . . . . . . . . . . . . . . . . . . 20 | A.1.2. Generation of k . . . . . . . . . . . . . . . . . . . 20 | |||
| A.1.3. signature . . . . . . . . . . . . . . . . . . . . . . 23 | A.1.3. signature . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| A.2. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . 24 | A.2. Test Vectors . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| A.2.1. DSA, 1024 bits . . . . . . . . . . . . . . . . . . . . 25 | A.2.1. DSA, 1024 bits . . . . . . . . . . . . . . . . . . . . 25 | |||
| A.2.2. DSA, 2048 bits . . . . . . . . . . . . . . . . . . . . 27 | A.2.2. DSA, 2048 bits . . . . . . . . . . . . . . . . . . . . 27 | |||
| A.2.3. ECDSA, 192 bits (prime field) . . . . . . . . . . . . 30 | A.2.3. ECDSA, 192 bits (prime field) . . . . . . . . . . . . 30 | |||
| skipping to change at page 17, line 32 | skipping to change at page 17, line 32 | |||
| One remaining issue with deterministic (EC)DSA, as presented in this | One remaining issue with deterministic (EC)DSA, as presented in this | |||
| document, is the "double use" of the private key 'x', both as private | document, is the "double use" of the private key 'x', both as private | |||
| key in the signature generation algorithm itself, and as input to the | key in the signature generation algorithm itself, and as input to the | |||
| HMAC_DRBG-based pseudo-random oracle for producing the 'k' value. | HMAC_DRBG-based pseudo-random oracle for producing the 'k' value. | |||
| This requires HMAC_DRBG to keep on being a random oracle, even when | This requires HMAC_DRBG to keep on being a random oracle, even when | |||
| the public key (which is computed from 'x') is also known. Given the | the public key (which is computed from 'x') is also known. Given the | |||
| lack of common structure between HMAC and discrete logarithm, this | lack of common structure between HMAC and discrete logarithm, this | |||
| seems a reasonable assumption. | seems a reasonable assumption. | |||
| | Side channel attacks are an important consideration whenever an | |||
| | attacker can accurately measure aspects of an implementation such as | |||
| | the length of time that it takes to perform a signing operation, or | |||
| | the power consumed at each point of a signing operation. The | |||
| | determinism of the algorithms described in this note may be useful to | |||
| | an attacker in some forms of side channel attacks, so implementations | |||
| | SHOULD use defensive measures to avoid leaking the private key | |||
| | through a side channel. | |||
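The abstract and the "double use" discussion in Section 5 both refer to the same mechanism: k is derived from the private key x and the hash of the message through HMAC_DRBG, so the signer needs no random source at signing time and the same (x, message) pair always yields the same k. The Python below is an added illustration for this page, not text or code from either draft. It implements the k derivation of Section 3.2 as it appears in RFC 6979, the published form of this draft, using only the standard hashlib and hmac modules; the order q and private key x are the P-256 test key from RFC 6979 Appendix A.2.5 and the messages are the ASCII strings used there. The helper names (_bits2int, _int2octets, _bits2octets, deterministic_k) are the RFC's function names, chosen here for readability; the code also handles the general case where the hash output is longer than q (left-truncation in bits2int) or shorter than q (several HMAC outputs concatenated), which the P-256/SHA-256 example does not exercise.

```python
import hashlib
import hmac

# P-256 group order and the private key from RFC 6979 Appendix A.2.5 (test data, not a real key).
Q_P256 = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
X_P256 = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721


def _bits2int(b: bytes, qlen: int) -> int:
    """bits2int: read b as a big-endian integer, keeping only its leftmost qlen bits."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    if blen > qlen:
        v >>= blen - qlen
    return v


def _int2octets(x: int, rlen_bytes: int) -> bytes:
    """int2octets: big-endian encoding of x padded to rlen = 8*ceil(qlen/8) bits."""
    return x.to_bytes(rlen_bytes, "big")


def _bits2octets(b: bytes, q: int, qlen: int, rlen_bytes: int) -> bytes:
    """bits2octets: reduce the truncated hash modulo q, then encode it like an integer."""
    z1 = _bits2int(b, qlen)
    z2 = z1 % q  # z1 < 2^qlen < 2q, so at most one subtraction happens here
    return _int2octets(z2, rlen_bytes)


def deterministic_k(x: int, q: int, message: bytes, hashfunc=hashlib.sha256) -> int:
    """Derive the per-signature secret k from (x, H(message)) with HMAC_DRBG, per RFC 6979 3.2.

    The private key x enters twice: here as HMAC_DRBG seed material, and later
    as the signing key proper. That is the "double use" noted in Section 5.
    """
    if not 1 <= x < q:
        raise ValueError("private key out of range")
    qlen = q.bit_length()
    rlen_bytes = (qlen + 7) // 8

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashfunc).digest()

    # Step a: h1 = H(m). The hash output length fixes the HMAC_DRBG state size.
    h1 = hashfunc(message).digest()
    hlen_bytes = len(h1)

    # Steps b-g: HMAC_DRBG instantiation with seed = int2octets(x) || bits2octets(h1).
    seed = _int2octets(x, rlen_bytes) + _bits2octets(h1, q, qlen, rlen_bytes)
    V = b"\x01" * hlen_bytes
    K = b"\x00" * hlen_bytes
    K = mac(K, V + b"\x00" + seed)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + seed)
    V = mac(K, V)

    # Step h: generate qlen bits, accept if 1 <= k <= q-1, otherwise update and retry.
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = mac(K, V)
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        K = mac(K, V + b"\x00")
        V = mac(K, V)


if __name__ == "__main__":
    # Same key and message twice: identical k. Different message: unrelated k.
    k1 = deterministic_k(X_P256, Q_P256, b"sample")
    k2 = deterministic_k(X_P256, Q_P256, b"sample")
    k3 = deterministic_k(X_P256, Q_P256, b"test")
    print("k(sample) =", format(k1, "064X"))
    print("repeatable:", k1 == k2, " distinct from k(test):", k1 != k3)
```

Because k is a pure function of (x, message), a verifier sees ordinary ECDSA output, but an implementer can check the derivation against the RFC 6979 vectors before shipping, which is not possible with randomized k. The same property is what the side channel paragraph above warns about: an attacker who can trigger the signing of one fixed message repeatedly observes the very same k on every run, so leakage that would have to be averaged across different nonces in randomized (EC)DSA now accumulates on a single value.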
| 6. Intellectual Property Status | 6. Intellectual Property Status | |||
| To the best of our knowledge, deterministic (EC)DSA is not covered by | To the best of our knowledge, deterministic (EC)DSA is not covered by | |||
| any active patent. The paper [BDLSY2011] points to two independent | any active patent. The paper [BDLSY2011] points to two independent | |||
| publications of the idea of derandomization by Barwood and Wigley, | publications of the idea of derandomization by Barwood and Wigley, | |||
| both in early 1997; then a patent application by Naccache, M'Raihi | both in early 1997; then a patent application by Naccache, M'Raihi | |||
| and Levy-dit-Vehel a few months later [NML1997], but the application | and Levy-dit-Vehel a few months later [NML1997], but the application | |||
| was withdrawn in 2003. We are not aware of any other patent on that | was withdrawn in 2003. We are not aware of any other patent on that | |||
| subject. | subject. | |||
| End of changes. 7 change blocks. | ||||
| 7 lines changed or deleted | 16 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/