Re: [Cfrg] Schnorr just as vulnerable to bad RNG

Sandy Harris <sandyinchina@gmail.com> Sat, 26 July 2014 14:16 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/OPOtXUKVqDELDZL5a3mBJ1HRceI

David Jacobson <dmjacobson@sbcglobal.net> wrote:

> This is wandering off topic, but I'm going to mention it anyway.

One place where it is on-topic and often discussed is Perry's
crypto list:
http://www.metzdowd.com/mailman/listinfo/cryptography

There is also a list specifically for RNG discussion:
http://lists.bitrot.info/mailman/listinfo/rng

> Entropy
> generation is a very tricky thing.  Unfortunately, there is far too much
> emphasis on estimating the entropy of a source based on long term averages
> of something.

It is possible to build an RNG without having to estimate average
entropy. Instead you can get a provable minimum on Nyquist
noise in a circuit from well-understood physics:
http://www.av8n.com/turbid/paper/turbid.htm

>  The problem is that many sources have entropy dropouts.  In
> one system I'm aware of, ... had a seed been grabbed right
> during a dropout, it would have been a cryptographic disaster.

"Doctor, it hurts when I do this." "Well, don't do that, then."

Do not grab seeds straight from the source; use an entropy
pool, stir in the source data, and generate output with a
cryptographically strong mixer. This is not foolproof, i.e.
not remarkably easy to get right, but there is hope. It is
safe if the total input entropy is adequate and the crypto
anywhere even close to its design goals.
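
The pool approach described in the message above, as an added example that is not part of the original post or of any project it mentions: a seed read straight from the source during a dropout is compared with a seed drawn from a pool that has absorbed every sample. The class and function names, the choice of SHA-256 and HMAC as the mixer, and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac


class EntropyPool:
    """Hash-based pool: stir() folds input into the state, read() derives output."""

    def __init__(self):
        self._state = bytes(32)   # pool contents, never handed out directly
        self._counter = 0         # makes every output block distinct

    def stir(self, sample: bytes) -> None:
        # The new state depends on the old state and the sample, so a dropout
        # (constant samples) cannot erase what earlier samples contributed.
        self._state = hashlib.sha256(b"stir" + self._state + sample).digest()

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._counter += 1
            block_id = b"out" + self._counter.to_bytes(8, "big")
            out += hmac.new(self._state, block_id, hashlib.sha256).digest()
        # Ratchet the state so a later state capture does not reveal this output.
        self._state = hmac.new(self._state, b"ratchet", hashlib.sha256).digest()
        return out[:n]


# Constructed sample data standing in for a noise source (deterministic here so
# the example is reproducible; a real source supplies the actual entropy).
GOOD_A = [bytes([i * 37 % 256, i * 91 % 256]) for i in range(1, 65)]
GOOD_B = [bytes([i * 53 % 256, i * 17 % 256]) for i in range(1, 65)]
DROPOUT = [b"\x00\x00"] * 16   # stuck output: no entropy during this window


def seed_direct(samples, n=16):
    """The failure mode: seed taken straight from the most recent raw samples."""
    return b"".join(samples)[-n:]


def seed_pooled(samples, n=16):
    """Seed drawn from a pool that has absorbed every sample so far."""
    pool = EntropyPool()
    for s in samples:
        pool.stir(s)
    return pool.read(n)
```

The pooled seed is only as unpredictable as the total entropy stirred in before the read; the pool carries earlier input across a dropout, it does not create entropy.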