Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
Andrey Jivsov <crypto@brainhub.org> Mon, 08 June 2015 06:38 UTC
Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCB781B2C5D for <cfrg@ietfa.amsl.com>; Sun, 7 Jun 2015 23:38:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id urWAe83qnHXH for <cfrg@ietfa.amsl.com>; Sun, 7 Jun 2015 23:38:29 -0700 (PDT)
Received: from resqmta-po-07v.sys.comcast.net (resqmta-po-07v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:166]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 897F31B2C89 for <cfrg@irtf.org>; Sun, 7 Jun 2015 23:38:29 -0700 (PDT)
Received: from resomta-po-20v.sys.comcast.net ([96.114.154.244]) by resqmta-po-07v.sys.comcast.net with comcast id dieS1q0045Geu2801ieUpk; Mon, 08 Jun 2015 06:38:28 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by resomta-po-20v.sys.comcast.net with comcast id dieS1q00A4uhcbK01ieS3Z; Mon, 08 Jun 2015 06:38:28 +0000
Message-ID: <55753862.9070205@brainhub.org>
Date: Sun, 07 Jun 2015 23:38:26 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Simon Josefsson <simon@josefsson.org>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <5564CBEC.8070109@brainhub.org> <87siafxiyw.fsf@latte.josefsson.org> <556D4112.7040208@brainhub.org> <87zj4d38lp.fsf@latte.josefsson.org>
In-Reply-To: <87zj4d38lp.fsf@latte.josefsson.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1433745508; bh=r9rVa1jP2UXGa+0xTKKROSGc8P/nZg3i6rNIuE57YZQ=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=VaxJ5Y88KOCGptXZ63HLK+DbWwsjvVDCq9Pb91wwCGd2leZHfUigO+5lAD3qwfBQz VSs0L3M0Vzxpl9hgZ9sn98gQgJjlsa7zzasQ6duVbk23idK81WapKONvCpe6x0pLo9 cHnhXQqdsmWZAnV4qw0+tZbOTXlvC8L8xgQqn7WF4BjFPqTtGRdDdErvI5ZA4Rez28 u7IO6gaZQ5JbR2XO3XAEXEun340uITFY7QhgAVjQd+PahRMDT0ETxSNGUv5ZjE2CtT bKzDkej2kw/N1YeemuFrKI2fOdVJyE+S4wj8qEFDz9+7A2teGIt5pEBCl4gdGjdyXQ jSL2effIWmiMA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/SXBZdwZ7czLXIjyyjqxcoTWJKiU>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jun 2015 06:38:32 -0000
On 06/05/2015 06:53 PM, Simon Josefsson wrote: ... >> Yes, but what cost "no problems" actually has in some cases? >> >> Before: one could hash during streaming. >> After: one extra re-hashing is needed, denying the benefit of hashing >> while streaming. > > I believe you are mistaken. OpenPGP with EdDSA only hashes once, during > streaming. > For example, GnuPGP, which follows the https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-02#section-5 (search for "a digest of the message is used as input"), hashes the message three times. _gcry_ecc_eddsa_sign hashes the input twice (per EdDSA spec), and the 'gcry_mpi_t input', the input to the EdDSA sign function, is the hash of the message (note that the input is the MPI, not a file or a buffer). The higher-level code hashed the actual input into that MPI passed to _gcry_ecc_eddsa_sign. By doing so GnuPG implementation and the spec above depend on the poll's #3 as the only mode (for large or small messages alike). It follows that GnuPG signing method always depends on collision resistance of the hash function, (always with ECDSA, and always with EdDSA). This means that the 2 extra hashings done in the EdDSA sign function don't buy much (at least they don't free one from using a collision resistant function). >> To fix this new demand of low-level crypto there needs to be an >> engineering fix at a higher level. In the case of OpenPGP applications >> this means the buffering of the entire input must happen, somehow. > > This is false, there is no need to buffer the entire message. Just hash > the stream and sign the hash. Correct. This is poll's #3. One would need to buffer during streaming with poll's #2. > >> If a user signs+encrypts a 1 TB file, he needs to have at least 2TB of >> disk space, one at the destination, and another at an >> implementation-specific location (e.g. /tmp directory, at destination, >> or $HOME). Besides user unfriendliness, such as slower performance and >> extra free space demands, one cannot really delete/wipe a sensitive >> file on an SSD drive, and the temporary file allows good possibility >> for signature fault attacks. > > I believe GnuPG already implements EdDSA signing, so you can look at the > implementation to see how it actually works. There is no temporary > files the same size as the input. I double-checked the above with the libgcrypt-1.6.3 source code. > > /Simon >
- [Cfrg] Elliptic Curves - signature scheme: friend… Alexey Melnikov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Adam Langley
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Jim Schaad
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Peter Gutmann
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Mike Hamburg
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Laurens Van Houtven
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Watson Ladd
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Dan Brown
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Salz, Rich
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… D. J. Bernstein
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… David Leon Gil
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Nico Williams
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Taylor R Campbell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Rene Struik
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Taylor R Campbell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Stephen Farrell
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Tom Yu
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Rene Struik
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Yoav Nir
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- [Cfrg] square roots Rene Struik
- [Cfrg] testability of signature input/output para… Rene Struik
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] square roots David Jacobson
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Taylor R Campbell
- Re: [Cfrg] square roots Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Derek Atkins
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] testability of signature input/output … Mike Hamburg
- Re: [Cfrg] testability of signature input/output … Yoav Nir
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Rene Struik
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Watson Ladd
- Re: [Cfrg] testability of signature input/output … Nico Williams
- Re: [Cfrg] testability of signature input/output … Ilari Liusvaara
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Andrey Jivsov
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Ilari Liusvaara
- [Cfrg] Summary of the poll: Elliptic Curves - sig… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Watson Ladd
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Nico Williams
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Elliptic Curves - signature scheme: fr… Simon Josefsson
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… D. J. Bernstein
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… D. J. Bernstein
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alyssa Rowan
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alexey Melnikov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paterson, Kenny
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Björn Edström
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Adam Langley
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Adam Langley
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paul Hoffman
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Tony Arcieri
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Taylor R Campbell
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Paterson, Kenny
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Andrey Jivsov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Taylor R Campbell
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Alyssa Rowan
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Andrey Jivsov
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Dan Brown
- Re: [Cfrg] Summary of the poll: Elliptic Curves -… Stephen Farrell