IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Nico Williams <nico@cryptonector.com> Thu, 21 May 2015 20:14 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD8B71A8A6C for <cfrg@ietfa.amsl.com>; Thu, 21 May 2015 13:14:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.266
X-Spam-Level:
X-Spam-Status: No, score=-0.266 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B5ekAtkGGOjt for <cfrg@ietfa.amsl.com>; Thu, 21 May 2015 13:14:48 -0700 (PDT)
Received: from homiemail-a97.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id CC59B1A8A6D for <cfrg@irtf.org>; Thu, 21 May 2015 13:14:47 -0700 (PDT)
Received: from homiemail-a97.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a97.g.dreamhost.com (Postfix) with ESMTP id 98BA32860C1; Thu, 21 May 2015 13:14:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=EW5h+B9Gy4kJV+ S2Srl1TrpzGsc=; b=KrISJN45x0rX0aB9YTNvSzzfnDNUcVYyW3sBIKXDMi4TE7 Qm6FDXDZlNc/f1P1jvK+MiAwnc/ircMCKtq/cSCgEgKN/AZUBsIEtqGJgZEhxCu3 NjBqJvJv+B0YDcZwZN6b2uIJhVTdkAIkVg+m2oc4uDxyRp5vY7n7pqI1g4bxM=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a97.g.dreamhost.com (Postfix) with ESMTPA id F13972860D2; Thu, 21 May 2015 13:14:46 -0700 (PDT)
Date: Thu, 21 May 2015 15:14:45 -0500
From: Nico Williams <nico@cryptonector.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Message-ID: <20150521201444.GA3791@localhost>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com> <9A043F3CF02CD34C8E74AC1594475C73AB028273@uxcn10-tdc05.UoA.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73AB028273@uxcn10-tdc05.UoA.auckland.ac.nz>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/zX2nW2y81_So32hqacZlfOBt6Is>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 20:14:49 -0000

On Thu, May 21, 2015 at 12:22:55PM +0000, Peter Gutmann wrote:
> Alexey Melnikov <alexey.melnikov@isode.com> writes:
> >However, this approach implies that the signing algorithm would have to
> >buffer the entire message. That could lead to unacceptable memory usage for
> >applications that sign very large messages.
> 
> It's also pretty much an instant fail for any API-based security toolkit that
> implements streaming/staged message processing via the init/update/final
> model, which seems to be pretty much all of them (using PKCS #11 as a
> representative example, you've got "begin", "update", "update", [...], "end",
> which hardcodes a single pass over the data, OpenSSL does the same thing, as
> does CryptoAPI, Java (JCE/Bouncy Castle/whatever), my own cryptlib, and I'd
> guess most other libraries).

I hate to agree with this, but this is just too common an API pattern.
The assumption of online signing is quite pervasive; an off-line-only
signature scheme might have a hard time getting traction.

> >#1: The signature scheme should follow the traditional model of hashing the
> >message to be signed, thus trivially supporting IUF APIs in constant-space,
> >at the cost of requiring collision resistant hash functions.
> 
> +1.  Without having done a survey of all implementers, I do however get the
> feeling that this is the only option available for practical use, meaning the
> choice would be to either go with this option or have whatever other option
> you select ignored because it's impractical for general use.

#3 wouldn't hurt.  From an API perspective #3 is best seen as *two*
signature schemes (with different OIDs), one of which is incompatible
with online signature APIs.

I'd certainly like to have both.  Protocols like TLS and PKIX should use
the off-line signature scheme when the implementor can manage it, as it
would be the preferred scheme.  Pretty much all apps using existing
crypto frameworks (generic APIs parametrized by algorithm ID) would get
the online version.

Nico
--

v2.23.0 | Report a Bug | By Email