IETF Logo Mail Archive

Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 21 May 2015 12:23 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 605B41AD1F5 for <cfrg@ietfa.amsl.com>; Thu, 21 May 2015 05:23:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b9sfr4TJLEMl for <cfrg@ietfa.amsl.com>; Thu, 21 May 2015 05:23:00 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 423C91AD16B for <cfrg@irtf.org>; Thu, 21 May 2015 05:22:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1432210980; x=1463746980; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=0yWJ5SHm1SqHKH9ptgtM1PR3dt3wqFaCWkpmvJ0IAcg=; b=OroEtfjI8xhha6cdiqupiKE307EbSa0khYulOT4+q8BqImXt+U4QRCcc 541mIlo57gVYssM5YJ00LmFMrz1XDew2OPojp/xyzGbqFSiP/w+hijRL3 YgNhjnY549uAwO0DW+HOwTqiheHfin0c/cUMG9FCAxgXZh+UafPUiZYEP c8VgUQJe1UDTqzs8TbLeR/H16tNpIsBKGZguVUmYNW/aBGVMiDq7Z+M+2 nnY+zGVULu1omP9bysN5Pr5dd349Td7RhARua5nX9smhNLDVyYyxZrJnL KBPEmP4ijANg5m0nPMKs7KKOmavE/iY28DBl22/YtCGqigojGPd2Kim0A g==;
X-IronPort-AV: E=Sophos;i="5.13,468,1427713200"; d="scan'208";a="17355283"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.171 - Outgoing - Outgoing
Received: from uxchange10-fe4.uoa.auckland.ac.nz ([130.216.4.171]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 22 May 2015 00:22:56 +1200
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.151]) by uxchange10-fe4.UoA.auckland.ac.nz ([169.254.109.63]) with mapi id 14.03.0174.001; Fri, 22 May 2015 00:22:56 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Alexey Melnikov <alexey.melnikov@isode.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
Thread-Index: AQHQk0I8RSIdJrsHMUCPeSikOwlxvp2GWPVl
Date: Thu, 21 May 2015 12:22:55 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C73AB028273@uxcn10-tdc05.UoA.auckland.ac.nz>
References: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
In-Reply-To: <C49BFA4F-76B9-48A1-913B-144D606FBBDD@isode.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/zbNEyzp7-dqIuzOurFiVfv5wfCc>
Subject: Re: [Cfrg] Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 12:23:02 -0000

Alexey Melnikov <alexey.melnikov@isode.com> writes:

>However, this approach implies that the signing algorithm would have to
>buffer the entire message. That could lead to unacceptable memory usage for
>applications that sign very large messages.

It's also pretty much an instant fail for any API-based security toolkit that
implements streaming/staged message processing via the init/update/final
model, which seems to be pretty much all of them (using PKCS #11 as a
representative example, you've got "begin", "update", "update", [...], "end",
which hardcodes a single pass over the data, OpenSSL does the same thing, as
does CryptoAPI, Java (JCE/Bouncy Castle/whatever), my own cryptlib, and I'd
guess most other libraries).

>Penalising large messages might be seen as a positive by some because signing
>arbitrarily large messages invites implementations to process unauthenticated
>data because of its potential size. 

In most cases where you're processing large messages you don't have any
choice, and the signing is often done for things like accounting purposes
rather than because the devices involved are trying to enter into a legal
agreement.  For example medical images, which have to be uncompressed in order
to avoid introducing compression artefacts, are enormous, streamed out to a
remote system in a single pass, and signed purely for accounting/bookkeeping
purposes.  So you've got something where you absolutely need one-pass
processing, and the app/users couldn't care less about any fancy properties
that two-pass processing provides.

>#1: The signature scheme should follow the traditional model of hashing the
>message to be signed, thus trivially supporting IUF APIs in constant-space,
>at the cost of requiring collision resistant hash functions.

+1.  Without having done a survey of all implementers, I do however get the
feeling that this is the only option available for practical use, meaning the
choice would be to either go with this option or have whatever other option
you select ignored because it's impractical for general use.

Peter.

v2.23.0 | Report a Bug | By Email