Hi, I just noticed that RFC8152bis has the recommendation:
"Implementations SHOULD use a deterministic version of ECDSA such as the one defined in [RFC6979]."

I don't think this is a good recommendation for IoT devices. In the last 5 years, i.e. after work on RFC 8152 started, there has been a large amount of academic papers showing that purely deterministic ECC algorithms in accessible IoT devices suffer from side-channel and fault injection attacks. For a list of papers see e.g. Section 1 of https://tools.ietf.org/html/draft-mattsson-cfrg-det-sigs-with-noise-02

I would suggest changing the SHOULD to MAY, but I know the draft is already in the RFC Editor's queue... Alternatively (or additionally) the draft could add some non-normative security consideration regarding deterministic ECC signatures.

"Deterministic elliptic-curve signatures such as deterministic ECDSA and EdDSA have gained popularity over randomized ECDSA as their security does not depend on a source of high-quality randomness. Recent research has however found that implementations of these signature algorithms may be vulnerable to certain side-channel and fault injection attacks due to their determinism. See e.g. Section 1 of [draft-mattsson-cfrg-det-sigs-with-noise] for a list of attack papers."

Recommending deterministic ECDSA for IoT devices without any security considerations would not be good.

FYI, CFRG has discussed and agreed that this is a problem.

Cheers,
John

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
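The fault-injection problem John refers to can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the message, from RFC 6979 or from any IETF draft. It implements textbook ECDSA over secp256k1 with an RFC 6979 HMAC-DRBG nonce, signs the same message twice, and on the second run simulates a glitch that flips one bit of the message hash after the nonce has already been derived. Because the nonce is a pure function of the key and the message, both signatures share k, and the attacker, who only sees the two signatures and the public key, recovers the private key by trying each of the 256 possible bit positions. The `noise` parameter is an assumption of this example: it mixes a fresh random string into the DRBG seed in the spirit of draft-mattsson-cfrg-det-sigs-with-noise (the draft's exact byte layout is not reproduced here), and with it the same fault leaks nothing because the two nonces differ. The key, message and fault position are constructed for the demo.

```python
"""Added example: why one faulted deterministic ECDSA signature leaks the key."""
import hashlib
import hmac
import os

# secp256k1 domain parameters (y^2 = x^3 + 7 over GF(P), group order N).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def rfc6979_nonce(d, h, noise=b""):
    """RFC 6979 HMAC-DRBG nonce for a 256-bit curve with SHA-256.
    `noise` is this example's assumption: extra random bytes mixed into the
    seed so that two signatures of the same message get different nonces."""
    x, h1 = d.to_bytes(32, "big"), (h % N).to_bytes(32, "big")
    v, k = b"\x01" * 32, b"\x00" * 32
    k = hmac.new(k, v + b"\x00" + x + h1 + noise, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    k = hmac.new(k, v + b"\x01" + x + h1 + noise, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    while True:
        v = hmac.new(k, v, hashlib.sha256).digest()
        cand = int.from_bytes(v, "big")
        if 1 <= cand < N:
            return cand
        k = hmac.new(k, v + b"\x00", hashlib.sha256).digest()
        v = hmac.new(k, v, hashlib.sha256).digest()


def sign(d, msg, noise=b"", fault_bit=None):
    """ECDSA sign. `fault_bit` simulates a glitch that flips one bit of the
    message hash after the nonce is derived but before s is computed."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    k = rfc6979_nonce(d, h, noise)
    if fault_bit is not None:
        h ^= 1 << fault_bit
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h + r * d) % N


def verify(q, msg, sig):
    r, s = sig
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    x = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, q))
    return x is not None and x[0] % N == r


def recover_key(q, msg, good, faulty):
    """Attacker view: equal r means equal k, so s - s' = k^-1 (h - h').
    The flipped bit is unknown, so try all 256 and check against the public key."""
    (r, s), (r2, s2) = good, faulty
    if r != r2 or s == s2:
        return None  # different nonces (or no fault): nothing to exploit
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    for bit in range(256):
        h2 = h ^ (1 << bit)
        k = (h - h2) * pow(s - s2, -1, N) % N
        d = (s * k - h) * pow(r, -1, N) % N
        if d and ec_mul(d, G) == q:
            return d
    return None


def experiment(with_noise):
    """Sign a constructed message twice, the second time under a fault.
    Returns (true_key, recovered_key, good_sig_valid, faulty_sig_valid)."""
    d = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
    q, msg = ec_mul(d, G), b"constructed COSE payload"
    n1 = os.urandom(32) if with_noise else b""
    n2 = os.urandom(32) if with_noise else b""
    good = sign(d, msg, noise=n1)
    faulty = sign(d, msg, noise=n2, fault_bit=77)
    return d, recover_key(q, msg, good, faulty), verify(q, msg, good), verify(q, msg, faulty)


if __name__ == "__main__":
    for with_noise in (False, True):
        d, rec, _, _ = experiment(with_noise)
        print("with noise" if with_noise else "deterministic", "->",
              "private key recovered" if rec == d else "attack failed")
```

Note that the faulty signature never verifies, so a device that checks its own signatures before emitting them would catch this particular fault; the point of the example is that a deterministic nonce turns any single glitch that reaches the attacker into a full key compromise, whereas the randomized variant degrades to one invalid signature.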
