Slow zone signing with ECDSA

Mukund Sivaraman muks at isc.org
Thu Apr 20 16:01:35 UTC 2017


On Thu, Apr 20, 2017 at 04:03:21PM +0100, Chris Thompson wrote:
> On Apr 20 2017, Tony Finch wrote:
> 
> > Mark Andrews <marka at isc.org> wrote:
> > > 
> > > DSA requires random values as part of the signing process.
> > 
> > Traditionally, yes, but it isn't actually required -
> > https://tools.ietf.org/html/rfc6979
> 
> There is a great deal to be said for using deterministic DSA even if
> your random number source is both trustworthy and fast.
> 
> The EdDSA standards (RFCs 8032 & 8080) mandate deterministic signatures
> and this is certainly intentional. Of course, there are also many other
> ways in which they are improvements on the earlier NIST-based ECDSA
> standards, and we should all be looking forward to the time when BIND,
> inter alia, supports them...

As there's some discussion on use of entropy during signing, allow me to
talk about other draft RRSIG algorithms.

When preparing support for SHA-3 algorithms, the RSASSA-PSS signature
scheme was chosen for RSA RRSIGs as it is a more robust scheme than
RSASSA-PKCS1-v1_5:

https://tools.ietf.org/html/draft-muks-dnsop-dnssec-sha3-01

Unlike the existing RSA DNSKEY/RRSIG algorithms, RSASSA-PSS uses a
"salt" input (per signature), but we made its randomness requirement a
"SHOULD" in the draft. This allows signing in environments where an
entropy source is not available; however, where one is available, a PRNG
ought to be sufficient for signing purposes. The non-randomness of the
salt is not crucial (see full domain hash vs. RSA PSS in "The Exact
Security of Digital Signatures - How to Sign with RSA and Rabin",
Bellare and Rogaway.) However, with a random salt, the scheme has exact
security and a similar security guarantee is achieved with a smaller RSA
modulus size.

The draft also covers ECDSA(SHA-3()).

		Mukund
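
The role of the per-signature salt discussed above, as an added example that is not part of the original post or the draft: a sketch of the EMSA-PSS encoding step from RFC 8017 section 9.1, using SHA3-256 for both the hash and MGF1. The 2048-bit modulus size, the 32-byte default salt, the function names and the sample data are assumptions for illustration, and the RSA private-key operation is left out because it is deterministic once the encoded message is fixed.

```python
import hashlib, hmac, os

HASH = hashlib.sha3_256            # the draft pairs RSASSA-PSS with SHA-3
HLEN = HASH().digest_size
EM_BITS = 2047                     # emBits = modBits - 1, assuming a 2048-bit key
DATA = b"example. 3600 IN A 192.0.2.1"   # constructed stand-in for the signed RRset

def mgf1(seed, length):            # MGF1 mask generation, RFC 8017 B.2.1
    out, counter = b"", 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def m_prime_hash(msg, salt):       # H = Hash(eight zero octets || Hash(M) || salt)
    return HASH(b"\x00" * 8 + HASH(msg).digest() + salt).digest()

def pss_encode(msg, salt=None, em_bits=EM_BITS):
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1); salt=None draws a random HLEN-byte salt."""
    salt = os.urandom(HLEN) if salt is None else salt
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error: modulus too small for hash and salt")
    h = m_prime_hash(msg, salt)
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db))))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the unused top bits
    return bytes(masked) + h + b"\xbc"

def pss_verify(msg, em, salt_len, em_bits=EM_BITS):
    """EMSA-PSS-VERIFY (RFC 8017, 9.1.2); the salt is recovered from em itself."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:
        return False
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= top
    pad = em_len - HLEN - salt_len - 2
    if any(db[:pad]) or db[pad] != 0x01:
        return False
    return hmac.compare_digest(h, m_prime_hash(msg, bytes(db[pad + 1:])))

if __name__ == "__main__":
    print(pss_encode(DATA, b"") == pss_encode(DATA, b""), pss_encode(DATA) == pss_encode(DATA))
```

With an empty salt the encoding, and therefore the signature, is the same on every run; with a random salt it changes each time, and the verifier needs only the salt length because the salt travels inside the encoded message.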