IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 21 May 2015 14:17 UTC

Return-Path: <prvs=25835a2448=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F11891A1AA2 for <cfrg@ietfa.amsl.com>; Thu, 21 May 2015 07:17:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xI7Nf0DPTRL9 for <cfrg@ietfa.amsl.com>; Thu, 21 May 2015 07:17:46 -0700 (PDT)
Received: from mx1.ll.mit.edu (MX1.LL.MIT.EDU [129.55.12.45]) by ietfa.amsl.com (Postfix) with ESMTP id 6E8B01A1AA7 for <cfrg@irtf.org>; Thu, 21 May 2015 07:16:44 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by mx1.ll.mit.edu (unknown) with ESMTP id t4LEGPQu019505; Thu, 21 May 2015 10:16:38 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "'pgut001@cs.auckland.ac.nz'" <pgut001@cs.auckland.ac.nz>, "'cfrg@irtf.org'" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
Thread-Index: AQHQk0OLFDSeE8K1SEulXt/pi1Nwa52GnkGA///ZCx0=
Date: Thu, 21 May 2015 14:03:28 +0000
Message-ID: <65D2FD736B6B2B48B2EAD2BD189DC9CC271C8A8B@LLE2K10-MBX01.mitll.ad.local>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73AB028273@uxcn10-tdc05.UoA.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [155.34.14.22]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-05-21_05:2015-05-20,2015-05-21,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1505210197
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Ps6K9S9OkhxecM3mtu2KA-rhnaM>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 14:17:48 -0000

+1


----- Original Message -----
From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz]
Sent: Thursday, May 21, 2015 08:22 AM
To: Alexey Melnikov <alexey.melnikov@isode.com>; cfrg@irtf.org <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Alexey Melnikov <alexey.melnikov@isode.com> writes:

>However, this approach implies that the signing algorithm would have to
>buffer the entire message. That could lead to unacceptable memory usage for
>applications that sign very large messages.

It's also pretty much an instant fail for any API-based security toolkit that
implements streaming/staged message processing via the init/update/final
model, which seems to be pretty much all of them (using PKCS #11 as a
representative example, you've got "begin", "update", "update", [...], "end",
which hardcodes a single pass over the data, OpenSSL does the same thing, as
does CryptoAPI, Java (JCE/Bouncy Castle/whatever), my own cryptlib, and I'd
guess most other libraries).

>Penalising large messages might be seen as a positive by some because signing
>arbitrarily large messages invites implementations to process unauthenticated
>data because of its potential size. 

In most cases where you're processing large messages you don't have any
choice, and the signing is often done for things like accounting purposes
rather than because the devices involved are trying to enter into a legal
agreement.  For example medical images, which have to be uncompressed in order
to avoid introducing compression artefacts, are enormous, streamed out to a
remote system in a single pass, and signed purely for accounting/bookkeeping
purposes.  So you've got something where you absolutely need one-pass
processing, and the app/users couldn't care less about any fancy properties
that two-pass processing provides.

>#1: The signature scheme should follow the traditional model of hashing the
>message to be signed, thus trivially supporting IUF APIs in constant-space,
>at the cost of requiring collision resistant hash functions.

+1.  Without having done a survey of all implementers, I do however get the
feeling that this is the only option available for practical use, meaning the
choice would be to either go with this option or have whatever other option
you select ignored because it's impractical for general use.

Peter.

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email