IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Andrey Jivsov <crypto@brainhub.org> Mon, 08 June 2015 06:38 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCB781B2C5D for <cfrg@ietfa.amsl.com>; Sun, 7 Jun 2015 23:38:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id urWAe83qnHXH for <cfrg@ietfa.amsl.com>; Sun, 7 Jun 2015 23:38:29 -0700 (PDT)
Received: from resqmta-po-07v.sys.comcast.net (resqmta-po-07v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:166]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 897F31B2C89 for <cfrg@irtf.org>; Sun, 7 Jun 2015 23:38:29 -0700 (PDT)
Received: from resomta-po-20v.sys.comcast.net ([96.114.154.244]) by resqmta-po-07v.sys.comcast.net with comcast id dieS1q0045Geu2801ieUpk; Mon, 08 Jun 2015 06:38:28 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by resomta-po-20v.sys.comcast.net with comcast id dieS1q00A4uhcbK01ieS3Z; Mon, 08 Jun 2015 06:38:28 +0000
Message-ID: <55753862.9070205@brainhub.org>
Date: Sun, 07 Jun 2015 23:38:26 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Simon Josefsson <simon@josefsson.org>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <5564CBEC.8070109@brainhub.org> <87siafxiyw.fsf@latte.josefsson.org> <556D4112.7040208@brainhub.org> <87zj4d38lp.fsf@latte.josefsson.org>
In-Reply-To: <87zj4d38lp.fsf@latte.josefsson.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1433745508; bh=r9rVa1jP2UXGa+0xTKKROSGc8P/nZg3i6rNIuE57YZQ=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=VaxJ5Y88KOCGptXZ63HLK+DbWwsjvVDCq9Pb91wwCGd2leZHfUigO+5lAD3qwfBQz VSs0L3M0Vzxpl9hgZ9sn98gQgJjlsa7zzasQ6duVbk23idK81WapKONvCpe6x0pLo9 cHnhXQqdsmWZAnV4qw0+tZbOTXlvC8L8xgQqn7WF4BjFPqTtGRdDdErvI5ZA4Rez28 u7IO6gaZQ5JbR2XO3XAEXEun340uITFY7QhgAVjQd+PahRMDT0ETxSNGUv5ZjE2CtT bKzDkej2kw/N1YeemuFrKI2fOdVJyE+S4wj8qEFDz9+7A2teGIt5pEBCl4gdGjdyXQ jSL2effIWmiMA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/SXBZdwZ7czLXIjyyjqxcoTWJKiU>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jun 2015 06:38:32 -0000

On 06/05/2015 06:53 PM, Simon Josefsson wrote:
...
>> Yes, but what cost "no problems" actually has in some cases?
>>
>> Before: one could hash during streaming.
>> After: one extra re-hashing is needed, denying the benefit of hashing
>> while streaming.
>
> I believe you are mistaken.  OpenPGP with EdDSA only hashes once, during
> streaming.
>

For example, GnuPGP, which follows the 
https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-02#section-5 
(search for "a digest of the message is used as input"), hashes the 
message three times.

_gcry_ecc_eddsa_sign hashes the input twice (per EdDSA spec), and the 
'gcry_mpi_t input', the input to the EdDSA sign function, is the hash of 
the message (note that the input is the MPI, not a file or a buffer). 
The higher-level code hashed the actual input into that MPI passed to 
_gcry_ecc_eddsa_sign.

By doing so GnuPG implementation and the spec above depend on the poll's 
#3 as the only mode (for large or small messages alike).

It follows that GnuPG signing method always depends on collision 
resistance of the hash function, (always with ECDSA, and always with 
EdDSA). This means that the 2 extra hashings done in the EdDSA sign 
function don't buy much (at least they don't free one from using a 
collision resistant function).

>> To fix this new demand of low-level crypto there needs to be an
>> engineering fix at a higher level. In the case of OpenPGP applications
>> this means the buffering of the entire input must happen, somehow.
>
> This is false, there is no need to buffer the entire message.  Just hash
> the stream and sign the hash.

Correct. This is poll's #3. One would need to buffer during streaming 
with poll's #2.

>
>> If a user signs+encrypts a 1 TB file, he needs to have at least 2TB of
>> disk space, one at the destination, and another at an
>> implementation-specific location (e.g. /tmp directory, at destination,
>> or $HOME). Besides user unfriendliness, such as slower performance and
>> extra free space demands, one cannot really delete/wipe a sensitive
>> file on an SSD drive, and the temporary file allows good possibility
>> for signature fault attacks.
>
> I believe GnuPG already implements EdDSA signing, so you can look at the
> implementation to see how it actually works.  There is no temporary
> files the same size as the input.

I double-checked the above with the libgcrypt-1.6.3 source code.

>
> /Simon
>

v2.23.0 | Report a Bug | By Email