• State TI Thinks Resolved
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 51 subscribers
  • Views 382 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

CC2642R: EDDSA driver support for partial verification

Mehul Dalal
Expert 2180 points
Part Number: CC2642R

Hi, in the SDK v5.10, I can see that support for EDDSA has been present. 

https://software-dl.ti.com/simplelink/esd/simplelink_cc13x2_26x2_sdk/5.10.00.48/exports/docs/drivers/doxygen/html/_e_d_d_s_a_8h.html

We have a requirement on verifying the EDDSA signature on a large data ~300KB. We cannot go for a single shot verification operation due to the large data size. Just like SHA2 which supports partial calculations, whether EDDSA driver can support partial verification on a memory chunk and at the end, determine whether the verification is successful or not? 

  • 0
    TI__Guru** 101450 points

    Hi,

    Allow me a couple of days to look into this possibility.

    I will be back to you by Wednesday 12th.

    Please bear with me,

    Regards,

  • 0 in reply to Clément
    TI__Guru** 101450 points

    Hi Mehul,

    The EDDSA driver does not support partial verification yet. We recommend to use the SHA2 driver instead.

    With respect to RFC 8032 that defines Ed25519 and Ed448, we can consider using Ed25519ph, where the ph stands for prehash. Here, instead of signing all 300KB of the message, we hash the 300 KB message to a 512-bit SHA512 digest and sign that. To verify this, we again use the 300 KB message hash.

    The SHA2 Hardware can only support 65k bytes of length at a time. You should call the addData function on the SHA2 driver passing in only 65,535 bytes at a time. You can loop over the 300kB data input calling addData until all data has been hashed. The output hash will then be provided to the EDDSA driver.

    Here is the algorithm.This is a variation of EDDSA that is closer to Ed25519ph. The only difference is that we do not have a context or input octet string for the hash. Based on the example code in EDDSA.h, this is how I would do update preHashedMessage and preHashedMessageLength for use in EDDSA with an extremely large message. Note that we are choosing the inputs to the EDDSA driver rather than modifying the EDDSA driver. Let us assume we have a very large messageIn with corresponding messageInLength.

                SHA2_addData(sha2Handle,
                         messageIn,
                         messageInLength); //Limit to 64 KB
            
            SHA2_addData(sha2Handle,
                         messageIn,        //2nd chunk of 64 KB
                         messageInLength); //Limit to 64 KB    
            
            ... //Add data in chunks of 64 KB, could be done iteratively
            
            SHA2_finalize(sha2Handle,
                          preHashedMessage); // Store the SHA2 digest to preHashedMessage
            
            preHashedMessageLength = 64; // 512 bits is 64 bytes

    Now, we are signing and verifying the SHA-512 digest of the 300 KB data. There are no known collision attacks on SHA-512, so it is expected that even finding a collision for this EDDSA implementation will take 2**256 operations for a simple collision. If we wanted to do a pre-image attack to forge a message with the same digest, this would take 2**512 operations. Both of these are infeasible with today’s technology.

    Best regards,

  • 0 in reply to Clément
    Expert 2180 points

    Hi Clement,

    We do not have any other option then to use EdDSA only as it is the requirement not 'ph' variant.

    Is there anyway TI is planning to add support for the partial verification in future SDK releases? Can you add that up for the next SDK release at least? I believe that many other customer will also have this requirement knowing the SDK supports EdDSA.

    Thanks for looking into this.

  • 0 in reply to Mehul Dalal
    TI__Guru** 101450 points

    Hi Mehul,

    I cannot comment on our future developments on a public forum. With that said I understand the need and agree on the value of this feature.

    I would recommend to contact your TI local sales teams and mention this need.

    Best regards,