Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Andrey Jivsov <crypto@brainhub.org> Tue, 02 June 2015 05:37 UTC

Message-ID: <556D4112.7040208@brainhub.org>
Date: Mon, 01 Jun 2015 22:37:22 -0700
From: Andrey Jivsov <crypto@brainhub.org>
To: cfrg@irtf.org
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <5564CBEC.8070109@brainhub.org> <87siafxiyw.fsf@latte.josefsson.org>
In-Reply-To: <87siafxiyw.fsf@latte.josefsson.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/_MBSwZaeyzQwGkwwuAtIWTBx2qQ>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On 5/29/2015 12:49 PM, Simon Josefsson wrote:
> Andrey Jivsov <crypto@brainhub.org> writes:
>
>> Major OpenPGP implementations use streaming mode to sign (e.g. in 'cat
>> InFile | gpg --clearsign'), just as with encryption, without writing
>> sensitive data to a temporary file. They depend on IUF. I haven't seen
>> this with SMIME/CMS -- this is harder, but possible.
> It is no problem to support streaming of inputs and at the same time
> support for example EdDSA which does not follow the IUF paradigm.  Don't
> confuse Unix stdin/stdout streaming with streaming of input to a digital
> signature algorithm.

Yes, but what cost does "no problems" actually have in some cases?

Before: one could hash during streaming.
After: one extra re-hashing is needed, denying the benefit of hashing 
while streaming.

To fix this new demand of low-level crypto there needs to be an 
engineering fix at a higher level. In the case of OpenPGP applications 
this means the buffering of the entire input must happen, somehow.

If a user signs+encrypts a 1 TB file, he needs to have at least 2 TB of 
disk space, one at the destination, and another at an 
implementation-specific location (e.g. /tmp directory, at destination, 
or $HOME). Besides user unfriendliness, such as slower performance and 
extra free space demands, one cannot really delete/wipe a sensitive file 
on an SSD drive, and the temporary file allows a good possibility for 
signature fault attacks.
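To make the "before/after" cost concrete, here is an added example (editor's code, not from this thread or any OpenPGP implementation) that models only EdDSA's hashing structure with SHA-512 stand-ins for the curve arithmetic, beside the one-pass IUF shape; SAMPLE_CHUNKS, PREFIX and PUB are constructed placeholders, and the spool counter measures exactly the extra storage the message describes.

```python
import hashlib
import tempfile

# Constructed sample input: 64 chunks of 1 KiB, delivered as a one-shot
# iterator the way 'cat InFile | gpg --clearsign' delivers stdin.
SAMPLE_CHUNKS = [bytes([65 + (i % 26)]) * 1024 for i in range(64)]
PREFIX = b"\x01" * 32   # constructed stand-in for the EdDSA secret hash prefix
PUB = b"\x02" * 32      # constructed stand-in for the public key A


def iuf_sign(chunks):
    """Hash-then-sign shape (e.g. ECDSA over SHA-512): one IUF pass, no buffering.
    Whatever signs the digest afterwards never needs M again."""
    h = hashlib.sha512()
    for c in chunks:
        h.update(c)
    return {"digest": h.digest(), "passes": 1, "spooled": 0}


def naive_two_pass(chunks):
    """Iterating a one-shot stream twice silently sees nothing on pass 2."""
    first = sum(len(c) for c in chunks)
    second = sum(len(c) for c in chunks)
    return {"first_pass_bytes": first, "second_pass_bytes": second}


def eddsa_shape_sign(chunks, prefix, pub):
    """Models only EdDSA's hashing structure, not its curve arithmetic:
    r = H(prefix || M) fixes R, and the challenge H(R || A || M) cannot start
    before R is known, so M must be read twice. A one-shot stream therefore
    has to be spooled to disk during pass 1 and re-read in pass 2."""
    with tempfile.TemporaryFile() as spool:
        h1 = hashlib.sha512(prefix)
        spooled = 0
        for c in chunks:              # pass 1: hash and copy to the spool
            h1.update(c)
            spool.write(c)
            spooled += len(c)
        R = hashlib.sha512(h1.digest()).digest()[:32]  # stand-in for [r]B
        spool.seek(0)
        h2 = hashlib.sha512(R + pub)
        while True:                   # pass 2: re-read M from the spool
            c = spool.read(65536)
            if not c:
                break
            h2.update(c)
    return {"R": R, "challenge": h2.digest(), "passes": 2, "spooled": spooled}
```

The spool written by pass 1 is the temporary copy the message warns about: its size equals the input, and it persists on the filesystem until the second pass completes.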