Join Log in
Score:6
DannyNiu avatar Crypto

What's the current status of development of hedged ECDSA and EdDSA?

vu flag
DannyNiu

In the IETF Draft Deterministic ECDSA and EdDSA Signatures with Additional Randomness, methods had been specified to seed RNG deterministically with external input, to securely obtain a nonce for use in signing formula. The external input is variable to mitigate certain side-channel that may occur with fully deterministic signing.

However, the draft seem to have expired, with several security-related issue outstanding. I'm interested in implementing the said draft, but before that, I need to be certain that what it specify is something stable.

So what's the current status of that draft? I tried to follow the link to mailing list, but to no avail.

132
1 + 6
DannyNiu avatar
vu flag
DannyNiu
The main obstacles seem to be about IPR according to the 2022-08-05 mail from Alexey Melnikov.
0
Reply
samuel-lucas6 avatar
bs flag
samuel-lucas6
I'd recommend doing it the [Soatok way](https://soatok.blog/2020/05/03/hedged-signatures-with-libsodium-using-dhole/) because then it's implementable with existing APIs.
0
Reply
DannyNiu avatar
vu flag
DannyNiu
@samuel-lucas6 That sounds interesting. But I'm planning to take a different approach for my suite. Specifically, 2 variants - 1 take a seeded PRNG and a random bits generating function; 1 take a nonce string (and its length, since it's in C) - the latter seeds a random oracle which is passed as the PRNG instance to the former.
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
That Draft RFC reads like a research paper to be honest. I'm not against such a scheme, but introduce it as a paper, not a standard. Standards should be for algorithms that have been researched and have seen some practical use.
0
Reply
DannyNiu avatar
vu flag
DannyNiu
@MaartenBodewes I see some of us have some good opinion about the draft, so maybe bring the discussion to the CFRG list?
0
Reply
DannyNiu avatar
vu flag
DannyNiu
@MaartenBodewes Also, the content of the draft seems pretty solid and standardization-ready, as the draft is basing the construction on that used by [XEdDSA](https://www.signal.org/docs), which as far as I can tell, was introduced as early as 2016.
0
Reply
Score:1
DannyNiu avatar Crypto
vu flag
DannyNiu

This is an interim answer. The technical aspects are meant as outsider comment and may be reposted to the CFRG mailing list when I subscribe to it.

Bureaucracy Aspect

Although the draft is expired, the document is still in "Active RG Document" state. All? IETF drafts have maximum 6 months. Those merit further developent will see state change throughout its life.

The "Active RG Document" is defined as:

This document has been adopted by the RG and is being actively developed

Where RG stands for "research group". (CFRG being the one we're discussing here).

Technical Aspect

The updates the draft prescribed for EdDSA isn't intricate. From my experience implementing the draft, I find these issues for ECDSA.

Problem 1

The draft treats the HMAC calls as white box interaction across the boundary of HMAC-DRBG. The original intent of RFC6979 is to be able to reuse existing PRNG implementation un-modified, and the draft changed that.

Specifically, if the random nonce Z is variable length, then one of the following happens:

  • the implementation make hosted calls to allocate memory for the seed material.

  • the implementation penetrate the PRNG boundary and make individual calls to stream nonce and private key into the HMAC working context.

Those who has read NIST-SP-800-90Ar1 will know how serious NIST is about DRBG boundary.

Luckily for now, Z is specified to be fixed-length. And I've experimented with a 3rd approach,

  • hash Z and construct seed material buffer in a statically-sized stack buffer.

Problem 2

The draft recommends KMAC when ECDSA is instantiated with SHAKE. But with one important detail missing:

  • When generating output, do we use KMAC as a XOF, or fixed-length hash and call KMAC repeatedly?

And I ask this not to solicit answer, but to inspire to think, with Keccak, are we really satisfied with any of the NIST-SP-800-90Ar1 DRBGs? NIST had suggested the possibility of a permutation-based PRNG in the last few slides in one of their presentations, shoudn't we push harder and request for one be specified? possibly after another public contest?

Put up or shut up

For those interested in how the draft work in practice, I've implemented it in a branch of my spare-time project.

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.