'Robin Larrieu' via pqc-forum writes:
> Moreover, in PKCS-#11 incremental verification, the signature is
> available only during C_VerifyFinal, when the whole message has been
> processed.
With this type of interface, typical applications end up processing
streams that haven't been verified yet, and the attacker can trivially
feed forged data to the applications.
Since this type of interface is dangerous from a security perspective,
creating hassles for this type of interface should be viewed as a
positive feature of a spec rather than a negative feature.
It would be useful to instead specify secure signing for streams. For
example, the verifier maintains a transcript hash h (starting as context
or simply a constant), receives a signed packet (h,p,s) where h doesn't
need to be transmitted explicitly, opens the signed packet to recover
plaintext p, outputs p, updates h to H(h,p) where H is a hash function,
and moves on to the next packet. It should be feasible with current
techniques to computer-verify the security properties of such designs.
Instead of sending (p,s) in clear, I would send AONT(p,s) with any AONT
in the literature, preferably keyed by h: for example, xor a hash of
(h,s) into p, xor a hash of (h,p) into s, and so on for whatever number
of rounds. 4 rounds are ample, and even 1 round (just xoring a hash of
(h,s) into p), with a very weak hash function, would probably do the job
of encouraging applications to call the proper cryptographic functions
rather than extracting and releasing p. But the hash function H used to
update h has to be strong so that the attacker can't rearrange packets.
An alternative to signing (h,p) is to sign H(h,p), so the receiver takes
(p,s), replaces h with a hash of (h,p), and opens the signed message
(h,s). However, this seems to increase the damage done by collisions.
Most applications shouldn't notice the cost of an extra hash layer.
If all data is available to the signer in advance then of course one
signature on a hash tree suffices, and it's easy to arrange hashes so
that packets can be verified in parallel. This covers the "we need to
quickly verify firmware on boot" use case.
---D. J. Bernstein