Joseph Birr-Pixton <jpix...@gmail.com> wrote:
> I'd like to propose that TLS1.3 mandates RFC6979 deterministic ECDSA.
What about the way BoringSSL (and OpenSSL, I think) does it? It incorporates all the inputs that RFC6979 does, but using SHA-512 instead of HMAC. And, it also includes a random element in the SHA-512 hash.

Ed25519 uses SHA-512 instead of HMAC for the same purpose and people seem to think it works fine. Also hashing in some randomness seems like it would help avoid some side channel leakage. Note that most (all the ones I've looked at for more than 5 minutes) open-source ECDSA implementations have side-channel issues of various levels of significance.

Anyway, I do think that implementations should do something *like this* to avoid problems when the RNG is bad, but I think prescribing RFC 6979 as the solution is overly specific, especially when it doesn't even seem to be the best way to accomplish the goal in many cases.

Cheers,
Brian
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
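Added example, not from the thread or from BoringSSL/OpenSSL: the two nonce derivations under discussion side by side, a straight RFC 6979 HMAC-DRBG derivation and an illustrative hashed derivation that also absorbs randomness. It assumes P-256 with SHA-256 (so qlen equals hlen), and the hedged construction is a hypothetical sketch of the idea, not any library's actual code.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumption for this example: ECDSA over NIST P-256 with SHA-256 (qlen == hlen == 256).
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
QLEN = 32  # bytes needed to encode a scalar modulo N


def message_digest(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()


def rfc6979_nonce(priv: int, msg_hash: bytes) -> int:
    """Deterministic nonce k per RFC 6979 section 3.2 (HMAC-SHA256 DRBG).
    With qlen == hlen, bits2int is the identity and bits2octets just reduces mod N."""
    h1 = int.from_bytes(msg_hash, "big") % N
    seed = priv.to_bytes(QLEN, "big") + h1.to_bytes(QLEN, "big")
    v, k = b"\x01" * 32, b"\x00" * 32
    k = hmac.new(k, v + b"\x00" + seed, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    k = hmac.new(k, v + b"\x01" + seed, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    while True:
        v = hmac.new(k, v, hashlib.sha256).digest()  # one 32-byte block already fills qlen
        cand = int.from_bytes(v, "big")
        if 1 <= cand < N:
            return cand
        k = hmac.new(k, v + b"\x00", hashlib.sha256).digest()
        v = hmac.new(k, v, hashlib.sha256).digest()


def hedged_nonce(priv: int, msg_hash: bytes, rnd: Optional[bytes] = None) -> int:
    """Hypothetical 'hedged' derivation in the spirit of the hashed approach described in
    the post (not BoringSSL's real code): SHA-512 over key, message hash and randomness.
    A stuck RNG degrades this to a deterministic scheme instead of to nonce reuse."""
    if rnd is None:
        rnd = os.urandom(32)
    d = hashlib.sha512(priv.to_bytes(QLEN, "big") + msg_hash + rnd).digest()
    return int.from_bytes(d, "big") % (N - 1) + 1  # 512-bit input, near-uniform on [1, N-1]


def nonces_under_stuck_rng(priv: int, messages: List[bytes]) -> List[int]:
    """Model a broken RNG that always returns zeros: hedged nonces still differ per message."""
    stuck = bytes(32)
    return [hedged_nonce(priv, message_digest(m), stuck) for m in messages]
```

The RFC 6979 path can be checked against the P-256/SHA-256 "sample" vector in RFC 6979 appendix A.2.5; the hedged path has no fixed vector, only the properties that fresh randomness changes k and a stuck RNG does not collapse distinct messages onto one k.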