John Mattsson <[email protected]> wrote:
> I don't think this is a good recommendation for IoT devices. In the
> last 5 years, i.e. after work on RFC 8152 started, there has been a
> large number of academic papers showing that purely deterministic ECC
> algorithms in accessible IoT devices suffer from side-channel and fault
> injection attacks. For a list of papers see e.g. Section 1 of
> https://tools.ietf.org/html/draft-mattsson-cfrg-det-sigs-with-noise-02
> I would suggest changing the SHOULD to MAY, but I know the draft is
> already in the RFC editor's queue...
I will read your ID and think about it.
In my experience, the use of randomized ECDSA has two negative effects:
1) it's really hard to judge the quality of randomness when writing a library
or module, and so even clueful application builders can miss this.
2) unit test cases wind up as non-deterministic, so either the randomized
input is made deterministic, or the randomized version is just not tested.
Since unit test cases often serve as documentation, which is copy&pasted,
the result is that the randomized version is used with a constant input.
We've seen this with DSA vs RSA back 20 years ago.
I was really annoyed with ECDSA until the deterministic version came to
light, and I really don't want to go back.
> "Deterministic elliptic-curve signatures such as deterministic ECDSA
> and EdDSA have gained popularity over randomized ECDSA as their
> security does not depend on a source of high-quality randomness. Recent
> research has however found that implementations of these signature
> algorithms may be vulnerable to certain side-channel and fault
> injection attacks due to their determinism. See e.g. Section 1 of
> [draft-mattsson-cfrg-det-sigs-with-noise] for a list of attack papers."
> Recommending deterministic ECDSA for IoT devices without any security
> considerations would not be good.
> FYI, CFRG has discussed and agreed that this is a problem.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
