IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Nico Williams <nico@cryptonector.com> Tue, 26 May 2015 19:09 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 679701ACDC6 for <cfrg@ietfa.amsl.com>; Tue, 26 May 2015 12:09:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.034
X-Spam-Level: *
X-Spam-Status: No, score=1.034 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CmLFhJcJUrMo for <cfrg@ietfa.amsl.com>; Tue, 26 May 2015 12:09:37 -0700 (PDT)
Received: from homiemail-a89.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 5B1781ACD35 for <cfrg@irtf.org>; Tue, 26 May 2015 12:09:36 -0700 (PDT)
Received: from homiemail-a89.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a89.g.dreamhost.com (Postfix) with ESMTP id 8AC063180A9; Tue, 26 May 2015 12:09:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=ugha8p1Vsv4Pgr R8G+HnmB290I0=; b=hp3d5t4nYlRYX4F0QI6o7okOmwNHxXONZu7tytISwhfT8u oFTaEQyz1Qf8lUrQG0fS0P4J84i0Cs7EIp16HRzCS2yNV34IypWENrjV41qFEjbv rQqukMqSlqSbWklQ90RcCfhLClvjE3GELB2wKovNWU+S6Ti7NwzwHchHnuxlI=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a89.g.dreamhost.com (Postfix) with ESMTPA id 924203180A7; Tue, 26 May 2015 12:09:34 -0700 (PDT)
Date: Tue, 26 May 2015 14:09:33 -0500
From: Nico Williams <nico@cryptonector.com>
To: "D. J. Bernstein" <djb@cr.yp.to>
Message-ID: <20150526190932.GA27628@localhost>
References: <20150522173119.GG3791@localhost> <20150523004131.24067.qmail@cr.yp.to>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150523004131.24067.qmail@cr.yp.to>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/BKpTLN-Sw4gwAC69-YaGA7ePuWk>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 19:09:38 -0000

I had been concerned with the signing side in my earlier posts.  I agree
that the verification side cannot be online regardless.  An online
signer can be useful because of HSMs and such.

On Sat, May 23, 2015 at 12:41:31AM -0000, D. J. Bernstein wrote:
> How long are the messages that are actually signed in IETF protocols?

There are at least two cases where online signatures are useful:

 - when signing bulk data (e.g., CMS, PGP);

 - when signing a communication transcript of more than two consecutive
   messages and the service needs to be stateless, putting the state in
   an encrypted state cookie.

   (A good example here is Kerberos KDC exchanges.)

In the latter the state cookie's size grows as the exchange grows.  (I'm
not sure that this is actually a problem, or that it will be.)

> For the protocols where the answer is uncontrolled: Do implementations
> allow messages that don't fit into memory? How do those implementations

It's not just memory, but I/O and performance, as well as interface
design considerations.

Signing a file can be done with much less memory than the file's size,
reading a block at a time and reading the file twice (in the case of
EdDSA).

Someone mentioned HSMs, for example.  An HSM interface to support
off-line signatures like EdDSA would require passing the message to the
HSM twice when the message doesn't fit in the HSM's memory.

It's also not just IETF protocols of today.  Imagine a filesystem where
there's a "commit" operation and where files are signed by the last
writer...  Random access writes go out the window with an off-line
signature scheme unless we're using something like a Merkle signature
tree.  You proposed something like that earlier, and pointed out that
we'd need security proofs.  Intuitively a Merkle tree of signatures
should work.  (Filesystems effectively implement a tree, and filesystems
like ZFS implement a Merkle hash tree, so a Merkle signature tree would
fit right in.)

> avoid passing along unverified data? For PGP we know that the answer is
> "They do pass along unverified data, and this is a security nightmare."

No matter what, complete signature verification must be required prior
to processing the signed data.  This means that verification is never
online.  I was only concerned with the signing side in my previous
messages.

The verifier side is easier than the signer side in that at least we
don't have to worry about HSMs.

> There are other protocols that don't naturally trigger this problem---
> they keep lengths under control, and implementations have no trouble
> fitting messages into memory. These implementations should be encouraged
> to use a simple, high-security, all-in-one verification API, and the
> protocols should be encouraged to use a simple, high-security,
> all-in-one signature system.

Yes.

Nico
--

v2.23.0 | Report a Bug | By Email