IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Simon Josefsson <simon@josefsson.org> Wed, 10 June 2015 14:04 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E52A1B2A9C for <cfrg@ietfa.amsl.com>; Wed, 10 Jun 2015 07:04:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.348
X-Spam-Level:
X-Spam-Status: No, score=0.348 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hCpYtSZ4kzw9 for <cfrg@ietfa.amsl.com>; Wed, 10 Jun 2015 07:04:04 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1ECB1B29D4 for <cfrg@irtf.org>; Wed, 10 Jun 2015 07:04:02 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.3]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t5AE3mnn003136 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 10 Jun 2015 16:03:50 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Andrey Jivsov <crypto@brainhub.org>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <5564CBEC.8070109@brainhub.org> <87siafxiyw.fsf@latte.josefsson.org> <556D4112.7040208@brainhub.org> <87zj4d38lp.fsf@latte.josefsson.org> <55753862.9070205@brainhub.org>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
X-Hashcash: 1:22:150610:cfrg@irtf.org::gxOEPwhI261ZZIod:2dQx
X-Hashcash: 1:22:150610:crypto@brainhub.org::ewkBz19n0WgMDsyp:Qvlo
Date: Wed, 10 Jun 2015 16:03:47 +0200
In-Reply-To: <55753862.9070205@brainhub.org> (Andrey Jivsov's message of "Sun, 07 Jun 2015 23:38:26 -0700")
Message-ID: <87h9qfpsn0.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/vAbe_tWwvSSiw_VmnieNb6T7Od4>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jun 2015 14:04:05 -0000

Andrey Jivsov <crypto@brainhub.org> writes:

> On 06/05/2015 06:53 PM, Simon Josefsson wrote:
> ...
>>> Yes, but what cost "no problems" actually has in some cases?
>>>
>>> Before: one could hash during streaming.
>>> After: one extra re-hashing is needed, denying the benefit of hashing
>>> while streaming.
>>
>> I believe you are mistaken.  OpenPGP with EdDSA only hashes once, during
>> streaming.
>
> For example, GnuPGP, which follows the
> https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-02#section-5 
> (search for "a digest of the message is used as input"), hashes the
> message three times.

Well, not really, it hashes the message (the data to sign) once, and
then signs the hash value using EdDSA.  Yes, EdDSA internally hashes its
input (the hash value) twice, but that won't require buffering the
entire data to sign (the message).  I believe it was that property
("hash entire message once or multiple times") that was under
discussion.  So I think we actually agree on everything except we had
different contexts of this discussion.

> _gcry_ecc_eddsa_sign hashes the input twice (per EdDSA spec), and the
> 'gcry_mpi_t input', the input to the EdDSA sign function, is the hash
> of the message (note that the input is the MPI, not a file or a
> buffer). The higher-level code hashed the actual input into that MPI
> passed to _gcry_ecc_eddsa_sign.
>
> By doing so GnuPG implementation and the spec above depend on the
> poll's #3 as the only mode (for large or small messages alike).

Right.  Thanks for analysis.

> It follows that GnuPG signing method always depends on collision
> resistance of the hash function, (always with ECDSA, and always with
> EdDSA). This means that the 2 extra hashings done in the EdDSA sign
> function don't buy much (at least they don't free one from using a
> collision resistant function).

Right.

>>> To fix this new demand of low-level crypto there needs to be an
>>> engineering fix at a higher level. In the case of OpenPGP applications
>>> this means the buffering of the entire input must happen, somehow.
>>
>> This is false, there is no need to buffer the entire message.  Just hash
>> the stream and sign the hash.
>
> Correct. This is poll's #3. One would need to buffer during streaming
> with poll's #2.

Not so fast -- it would be perfectly fine for CFRG to stop and only do
#2 and leave the #3 part to higher-level protocols, like OpenPGP and
S/MIME which has the large-message-concern.  It seems OpenPGP has
already done this.

/Simon

v2.23.0 | Report a Bug | By Email