IETF Logo Mail Archive

Re: [Suit] SUIT Manifest MTI Algorithms

Russ Housley <housley@vigilsec.com> Wed, 10 November 2021 20:12 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: suit@ietfa.amsl.com
Delivered-To: suit@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D6BC3A131E for <suit@ietfa.amsl.com>; Wed, 10 Nov 2021 12:12:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nmOzSdOIvUzg for <suit@ietfa.amsl.com>; Wed, 10 Nov 2021 12:12:15 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58CE03A131D for <suit@ietf.org>; Wed, 10 Nov 2021 12:12:15 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id F1981300BF9 for <suit@ietf.org>; Wed, 10 Nov 2021 15:12:16 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id NUOuELiOk4gc for <suit@ietf.org>; Wed, 10 Nov 2021 15:12:14 -0500 (EST)
Received: from [192.168.1.159] (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id A08D63005D8; Wed, 10 Nov 2021 15:12:14 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <396751.1636572754@dooku>
Date: Wed, 10 Nov 2021 15:12:11 -0500
Cc: suit <suit@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EFB8D782-9E26-4BFF-A8EB-8D6D3DEFBB34@vigilsec.com>
References: <ED069850-06BE-4DEA-A319-FDF0469627C3@vigilsec.com> <CANK0pbZcuYidA7hX823t5Q0V8+Nq_5LjVgXcQcN2MOhb+D9u4w@mail.gmail.com> <396751.1636572754@dooku>
To: Emmanuel Baccelli <Emmanuel.Baccelli@inria.fr>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/suit/j7b4hx-7vsgQ0uyyyu9zpyvyPi4>
Subject: Re: [Suit] SUIT Manifest MTI Algorithms
X-BeenThere: suit@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Software Updates for Internet of Things <suit.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/suit>, <mailto:suit-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/suit/>
List-Post: <mailto:suit@ietf.org>
List-Help: <mailto:suit-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/suit>, <mailto:suit-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2021 20:12:22 -0000

Emmanuel:

The signature verification for HSS/LMS should be much smaller and faster too.

I notices that you used the Cisco SHA-256 for HSS/LMS.  When I was using the Cisco code to ensure that pyhsslms.py was interoperable, I discovered that the SHA-256 in OpenSSL was a lot faster.  I wonder if the SHA-256 from mbedtls would give you different results.

Russ


> On Nov 10, 2021, at 2:32 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> Emmanuel Baccelli <Emmanuel.Baccelli@inria.fr> wrote:
>> We have recently conducted an experimental study on this topic,
>> evaluating SUIT on common microcontrollers (Cortex-M, ESP-32 and
>> RISC-V) In particular, we evaluate the cost of upgrading from ed25519
>> to HSS/LMS with SUIT used to secure actual RIOT firmware updates: see
>> preprint at https://eprint.iacr.org/2021/781.pdf
> 
> Awesome!
> 
>> In a nutshell: for small-sized software updates using SUIT with LMS, we
>> measured impact on network transfer costs (~45% more data over the
>> wire) and on memory footprint on-device (~35% more Flash memory
>> required), but only little impact on RAM or execution time, compared to
>> using SUIT with ed25519. If the baseline is something else (i.e. not
>> SUIT, or not ed25519), the overhead might be more.
> 
> I looked into your paper trying to understand where this 35% more flash
> memory required.  Is it table 6 and 7?   I think it's a 35% increase of
> the verification code from ECDSA to HSS-LSS.  I don't think it's a 35%
> increase in total flash required, right?
> 
>> What will be considered bearable overhead to upgrade to SUIT-compliant
>> security, on microcontroller-based IoT devices? That is a question.
> 
> Your paper seems to suggest it's acceptable.
> 
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        | network architect  [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
> 
> 
>

v2.8.7 | Report a Bug | By Email