IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 03 June 2015 23:04 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D814C1B304B for <cfrg@ietfa.amsl.com>; Wed, 3 Jun 2015 16:04:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cd2OgRMhCxxk for <cfrg@ietfa.amsl.com>; Wed, 3 Jun 2015 16:04:53 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C53961B303E for <cfrg@irtf.org>; Wed, 3 Jun 2015 16:04:52 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 8C802BF0B; Thu, 4 Jun 2015 00:04:51 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2mDdVNhtlxVX; Thu, 4 Jun 2015 00:04:49 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.46.31.250]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id C8149BF08; Thu, 4 Jun 2015 00:04:49 +0100 (IST)
Message-ID: <556F8811.2070101@cs.tcd.ie>
Date: Thu, 04 Jun 2015 00:04:49 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Alexey Melnikov <alexey.melnikov@isode.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
In-Reply-To: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/CisittTkgM1S6AvahNmWr-_-Tw8>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jun 2015 23:04:55 -0000

I'd hate to miss one of Alexey's polls:-)

I'm almost neutral on this one. While we have historically preferred
#1 for the reason noted in the subject line, there are really very few
cases where that turns out to be a real issue, as opposed to being a
theoretical one.

So I think we could probably live with #2, and that could suffice for
TLS and DNSSEC and other applications, even though #2 would mean
that users of the signature scheme (e.g. IETF protocol developers) may
need to learn something new, which is a downside.

While #3 seems superficially attractive, my guess is it'd cause more
confusion and interop issues, and is of course offering a choice to
users of the scheme and so I don't like that one:-)

So put me down for (#2 or #1) for this one, with a very very tiny
preference for #2 and documenting that one ought not use this for
signing large things directly (which one probably ought not do in any
case). But #1 would also be an acceptable outcome from my POV since
we're in practice already dependent on the collision resistance of
all the relevant hash functions and that won't ever really go away
as long as there are RSA/SHA256 certificates out there which'll be
the case for years and maybe decades to come. So the security
benefit of #2 isn't so great, although it's real.

If, later on, there is a real need for signing a large thing in a very
memory constrained device, or for verifying such a signature in such a
device, then we could always just define another set of codepoints
and OIDs, etc. for that and treat it as just another signature scheme
that happens to involve the same curve and hash function but used in a
different manner. (And I would guess there'll be more work to do in
this space, if not for that, then for a signature scheme with message
recovery, probably for the just-forming cose wg would be my bet at
the moment, but we'll see what we see.)

Cheers,
S.

On 20/05/15 22:16, Alexey Melnikov wrote:
> Signature schemes have, traditionally, hashed the message to be signed to
> a representative value and then actually signed that value. This has led
> to APIs that follow the Init, Update*, Final (IUF) pattern that allows for
> fragmented or very large messages to be signed with constant memory usage.
> 
> Alternatively, some signature schemes hash the message to be signed twice,
> where a prefix of the second hash depends on the result of the first.
> Ed25519 is an example of a scheme of this type. This typically allows the
> signature scheme to require fewer assumptions about the strength of the
> hash function that is employed. However, this approach implies that the signing
> algorithm would have to buffer the entire message. That could lead to
> unacceptable memory usage for applications that sign very large messages.
> 
> Penalising large messages might be seen as a positive by some because
> signing arbitrarily large messages invites implementations to process
> unauthenticated data because of its potential size. Also, designs that
> really wish to do this can always define that the message to be signed is
> actually a hash of the data. In doing so they would reintroduce the
> requirement that the hash function be collision resistant, but can
> implement an IUF API in constant space again.
> 
> On the other hand, if we wish a signature primitive to be easy to
> substitute into existing protocols then supporting a constant-space IUF
> API might be seen as a requirement.
> 
> Chairs wish to poll the group on the following topic (please pick one):
> 
> #1: The signature scheme should follow the traditional model of hashing
> the message to be signed, thus trivially supporting IUF APIs in
> constant-space, at the cost of requiring collision resistant hash
> functions.
> 
> #2: The signature scheme should not depend on collision resistance, at the
> cost of the signing algorithm having to buffer messages to be signed.
> 
> #3: option #2, but with an additional "large message" mode defined for
> protocols that feel that they need it, where the message to be signed is
> actually a hash of the true message.
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email