IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Simon Josefsson <simon@josefsson.org> Sat, 06 June 2015 01:54 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2A9B1ACD33 for <cfrg@ietfa.amsl.com>; Fri, 5 Jun 2015 18:54:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.348
X-Spam-Level:
X-Spam-Status: No, score=0.348 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IVhfkKc5Bq73 for <cfrg@ietfa.amsl.com>; Fri, 5 Jun 2015 18:54:05 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9AC21ACD2E for <cfrg@irtf.org>; Fri, 5 Jun 2015 18:54:04 -0700 (PDT)
Received: from latte.josefsson.org ([216.55.31.130]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t561ruSQ030790 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Sat, 6 Jun 2015 03:54:00 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Andrey Jivsov <crypto@brainhub.org>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <5564CBEC.8070109@brainhub.org> <87siafxiyw.fsf@latte.josefsson.org> <556D4112.7040208@brainhub.org>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
X-Hashcash: 1:22:150606:cfrg@irtf.org::u43Z2jimRqtxZECD:6q09
X-Hashcash: 1:22:150606:crypto@brainhub.org::uXfRsFsG2cReUvvR:kLQA
Date: Sat, 06 Jun 2015 03:53:54 +0200
In-Reply-To: <556D4112.7040208@brainhub.org> (Andrey Jivsov's message of "Mon, 01 Jun 2015 22:37:22 -0700")
Message-ID: <87zj4d38lp.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/bcibR0nq0n32D4NAWr68QEZC5PM>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jun 2015 01:54:06 -0000

Andrey Jivsov <crypto@brainhub.org> writes:

> On 5/29/2015 12:49 PM, Simon Josefsson wrote:
>> Andrey Jivsov <crypto@brainhub.org> writes:
>>
>>> Major OpenPGP implementations use streaming mode to sign (e.g. in 'cat
>>> InFile | gpg --clearsign'), just as with encryption, without writing
>>> sensitive data to a temporary file. They depend on IUF. I haven't seen
>>> this with SMIME/CMS -- this is harder, but possible.
>> It is no problem to support streaming of inputs and at the same time
>> support for example EdDSA which does not follow the IUF paradigm.  Don't
>> confuse Unix stdin/stdout streaming with streaming of input to a digital
>> signature algorithm.
>
> Yes, but what cost "no problems" actually has in some cases?
>
> Before: one could hash during streaming.
> After: one extra re-hashing is needed, denying the benefit of hashing
> while streaming.

I believe you are mistaken.  OpenPGP with EdDSA only hashes once, during
streaming.

> To fix this new demand of low-level crypto there needs to be an
> engineering fix at a higher level. In the case of OpenPGP applications
> this means the buffering of the entire input must happen, somehow.

This is false, there is no need to buffer the entire message.  Just hash
the stream and sign the hash.

> If a user signs+encrypts a 1 TB file, he needs to have at least 2TB of
> disk space, one at the destination, and another at an
> implementation-specific location (e.g. /tmp directory, at destination,
> or $HOME). Besides user unfriendliness, such as slower performance and
> extra free space demands, one cannot really delete/wipe a sensitive
> file on an SSD drive, and the temporary file allows good possibility
> for signature fault attacks.

I believe GnuPG already implements EdDSA signing, so you can look at the
implementation to see how it actually works.  There is no temporary
files the same size as the input.

/Simon

v2.23.0 | Report a Bug | By Email