Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

["Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>]

100% agree with Andrey. 


----- Original Message -----
From: Andrey Jivsov [mailto:crypto@brainhub.org]
Sent: Tuesday, June 02, 2015 01:37 AM
To: cfrg@irtf.org <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)


On 5/29/2015 12:49 PM, Simon Josefsson wrote:
> Andrey Jivsov <crypto@brainhub.org> writes:
>
>> Major OpenPGP implementations use streaming mode to sign (e.g. in 'cat
>> InFile | gpg --clearsign'), just as with encryption, without writing
>> sensitive data to a temporary file. They depend on IUF. I haven't seen
>> this with SMIME/CMS -- this is harder, but possible.
> It is no problem to support streaming of inputs and at the same time
> support for example EdDSA which does not follow the IUF paradigm.  Don't
> confuse Unix stdin/stdout streaming with streaming of input to a digital
> signature algorithm.

Yes, but what cost "no problems" actually has in some cases?

Before: one could hash during streaming.
After: one extra re-hashing is needed, denying the benefit of hashing 
while streaming.

To fix this new demand of low-level crypto there needs to be an 
engineering fix at a higher level. In the case of OpenPGP applications 
this means the buffering of the entire input must happen, somehow.

If a user signs+encrypts a 1 TB file, he needs to have at least 2TB of 
disk space, one at the destination, and another at an 
implementation-specific location (e.g. /tmp directory, at destination, 
or $HOME). Besides user unfriendliness, such as slower performance and 
extra free space demands, one cannot really delete/wipe a sensitive file 
on an SSD drive, and the temporary file allows good possibility for 
signature fault attacks.

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
http://www.irtf.org/mailman/listinfo/cfrg