updated text on random vs deterministic signatures

lamps-wg · Jan 30, 2024 · 6a67d02 · 6a67d02
1 parent aa67fa5
commit 6a67d02
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 12 deletions.
diff --git a/draft-ietf-lamps-dilithium-certificates.txt b/draft-ietf-lamps-dilithium-certificates.txt
@@ -447,17 +447,16 @@ Table of Contents
    EDNOTE: Discuss deterministic vs randomized signing and the impact on
    security.
 
-   ML-DSA offers both deterministic and randomized signing.  The
-   difference between these two versions of the scheme is a one line
-   modification in which the seed is chosen at random (in the randomized
-   version) or as a hash of a key together with the message (in the
-   deterministic version).  A Hedged signature scheme may be obtained by
-   making a modification to the randomized version to include the
-   message and key into the seed that generates the the nonce y.  This
-   middle ground between a randomized nonce and one tied to the message
-   and key could be the solution to mitigation both nonce-reuse attacks
-   in places of poor entropy, as well as mitigate fault attacks that
-   rely on differential analysis.
+   ML-DSA offers both deterministic and randomized signing.  By default
+   ML-DSA signatures are non-deterministic, the private random seed rho'
+   is pseudorandomly derived from the signer's private key, the message,
+   and a 256-bit string, rnd - where rnd should be generated by an
+   approved RBG.  In the deterministic version, rng is instead a 256-bit
+   constant string.  The source of randomness in the randomized mode has
+   been "hedged" against sources of poor entropy, by including the
+   signers private key and message into the derivation.  The primary
+   purpose of rnd is to facilitate countermeasures to side-channel
+   attacks and fault attacks on deterministic signatures.
 
    EDNOTE: Discuss side-channels for ML-DSA.
 

diff --git a/draft-ietf-lamps-dilithium-certificates.xml b/draft-ietf-lamps-dilithium-certificates.xml
@@ -388,7 +388,7 @@ x5AXF2HOm4o=
       <!-- [EC] Something is wrong with "(at the point in which the challenge polynomial)"  -->
       during the signing procedure (at the point in which the challenge polynomial). However, due to the fact that ML-DSA signatures may require the signing procedure to be repeated several times for a signature to be produced, ML-DSA implementations can make use of pre-hashing the message to prevent rehashing with each attempt.</t>
       <t>EDNOTE: Discuss deterministic vs randomized signing and the impact on security.</t>
-      <t>ML-DSA offers both deterministic and randomized signing. The difference between these two versions of the scheme is a one line modification in which the seed is chosen at random (in the randomized version) or as a hash of a key together with the message (in the deterministic version). A Hedged signature scheme may be obtained by making a modification to the randomized version to include the message and key into the seed that generates the the nonce y. This middle ground between a randomized nonce and one tied to the message and key could be the solution to mitigation both nonce-reuse attacks in places of poor entropy, as well as mitigate fault attacks that rely on differential analysis.</t>
+      <t>ML-DSA offers both deterministic and randomized signing. By default ML-DSA signatures are non-deterministic, the private random seed rho' is pseudorandomly derived from the signer’s private key, the message, and a 256-bit string, rnd - where rnd should be generated by an approved RBG. In the deterministic version, rng is instead a 256-bit constant string. The source of randomness in the randomized mode has been "hedged" against sources of poor entropy, by including the signers private key and message into the derivation. The primary purpose of rnd is to facilitate countermeasures to side-channel attacks and fault attacks on deterministic signatures. </t>
       <t>EDNOTE: Discuss side-channels for ML-DSA.</t>
       <t>ML-DSA has been designed to provide side-channel resilience by eliminating a reliance on Gaussian sampling. While deliberate design decisions such as these can help to deliver a greater ease of secure implementation - particularly against side-channel attacks - it does not necessarily provide resistance to more powerful attacks such as differential power analysis. Some amount of side-channel leakage has been demonstrated in parts of the signing algorithm (specifically the bit-unpacking function), from which a demonstration of key recovery has been made over a large sample of signatures. Masking countermeasures exist for ML-DSA<!--[MGTF19]-->, but come with a performance overhead.</t>