Re: [Cfrg] Big-key cryptography

Natanael <natanael.l@gmail.com> Mon, 07 December 2015 00:58 UTC

In-Reply-To: <5664D280.306@azet.org>
References: <5664D280.306@azet.org>
Date: Mon, 07 Dec 2015 01:58:25 +0100
Message-ID: <CAAt2M185uJS+joRmX12ixgawiY8A7D=gsiWmD+PmeCi5AT6BdQ@mail.gmail.com>
From: Natanael <natanael.l@gmail.com>
To: Aaron Zauner <azet@azet.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/UfL5M5Qdd6KH7hCwH9G81xMYxsI>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Big-key cryptography

Den 7 dec 2015 01:28 skrev "Aaron Zauner" <azet@azet.org>:
>
> People that have read Rogaway's recent IACR Distinguished Lecture [0]
> might have noticed (besides an amazing essay on crypto, ethics and
> politics of course) that there's new work mentioned on something they
> call 'Big-key cryptography'. Let me quote verbatim:
>
> Suppose you have a bigkey K. You want to use it for some protocol P that
> has been designed to use a conventional-length key K. So choose a random
> value R (maybe 256 bits) and hash it to get some number p of probes into
> the bigkey:
>
> i_1 = H(R, 1) i_2 = H(R, 2) ... i_p = H(R, p) .

> [...]

> I think that the subkey prediction problem, and the key-encapsulation
> algorithm based on it, will give rise to nice means for
> exfiltration-resistant authenticated-encryption and pseudorandom
> generators. In general, I see bigkey cryptography as one tool that
> cryptographers can contribute to make mass surveillance harder.
>
> This seems to be a yet unpublished manuscript but I can think of quite a
> few instances where this approach might come in handy for keys used in
> various high-confidentiality protocols. What does CFRG think?

Looks like security-by-obesity extended from protected data using
all-or-nothing transforms to key material. I've seen similar methods
discussed before, but it is nice to see an actual proof for it when used
with key material.

And why not put this key material onto intentionally low-bandwidth devices?
Like say putting some really big disk array holding your key material in a
well protected box, with the only external interface being an Arduino (or
maybe something tamper-proof?) or similar very simple hardware? Could even
up the security against physical attacks by making it an m-of-n scheme with
multiple boxes physically spread out. Your only plausible attacks on it
would be outright theft or planting backdoors in the control / interface
chip.

http://ethanheilman.tumblr.com/post/28481738192/security-through-obesity
Discussion of the link above:
https://www.reddit.com/r/netsec/comments/xi587/a_look_at_securitythroughobesity/
https://stelfox.net/blog/2012/08/security-through-obesity/
https://www.reddit.com/r/netsec/comments/13mrle/new_developments_in_password_hashing_romporthard/

If you don't trust any HSM and need to generate shared key material between
two locations, this is one way to make your own.
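As an added illustration of the probe construction quoted above (example code written for this page, not Rogaway's, the paper's or the poster's implementation): the block below derives the p probe positions i_j = H(R, j), folds the probed bytes into a conventional 256-bit key, and then measures what a partial leak of the bigkey buys an attacker. Assumptions not in the excerpt: H is SHA-256 with a domain-separation label, each probe is reduced modulo the bigkey length, and the probed bytes are combined as K' = H(R, K[i_1], ..., K[i_p]), the step the quote elides with "[...]". The toy bigkey and the leaked-prefix attacker model are constructed for the demonstration.

```python
"""Big-key subkey derivation sketch plus a leakage experiment.

Illustrative code written for this page; not the CFRG poster's code and not
the implementation from the Bellare/Kane/Rogaway manuscript the thread discusses.
"""
import hashlib
import os
import struct

# Domain-separation labels are our choice: they keep the probe hash H(R, j)
# from ever colliding with the hash that combines the probed bytes.
PROBE_LABEL = b"bigkey-probe"
SUBKEY_LABEL = b"bigkey-subkey"


def probe_indices(r: bytes, p: int, bigkey_len: int) -> list[int]:
    """Return the p probe positions i_j = H(R, j), j = 1..p, as indices into the bigkey.

    The excerpt specifies H(R, j); using SHA-256 over label || R || big-endian j
    and reducing modulo the bigkey length are implementation choices made here.
    """
    if p < 1 or bigkey_len < 1:
        raise ValueError("need p >= 1 and a non-empty bigkey")
    indices = []
    for j in range(1, p + 1):
        digest = hashlib.sha256(PROBE_LABEL + r + struct.pack(">Q", j)).digest()
        indices.append(int.from_bytes(digest, "big") % bigkey_len)
    return indices


def derive_subkey(bigkey: bytes, r: bytes, p: int) -> bytes:
    """Map (bigkey, R) to a 32-byte conventional key for protocol P.

    Assumption: the quoted text elides how the probed bytes become the key.
    Here K' = H(R, K[i_1] || ... || K[i_p]); only the p probed bytes are read,
    so a device holding the bigkey never has to stream the whole thing out.
    """
    h = hashlib.sha256(SUBKEY_LABEL + r)
    for i in probe_indices(r, p, len(bigkey)):
        h.update(bigkey[i:i + 1])
    return h.digest()


def encapsulate(bigkey: bytes, p: int, r_len: int = 32) -> tuple[bytes, bytes]:
    """Pick a fresh R (256 bits, as in the excerpt) and return (R, subkey).

    R travels in the clear with the ciphertext; whoever holds the bigkey recomputes the subkey.
    """
    r = os.urandom(r_len)
    return r, derive_subkey(bigkey, r, p)


def leak_bound(p: int, leaked_fraction: float) -> float:
    """Idealised subkey-prediction bound: an attacker who exfiltrated a fraction f
    of the bigkey can recompute a subkey only if all p independent, uniform probes
    land inside the leaked part, i.e. with probability f**p."""
    return leaked_fraction ** p


def simulate_leak(bigkey: bytes, leaked_len: int, p: int, trials: int) -> float:
    """Monte Carlo check of leak_bound for a constructed attacker who holds the
    first leaked_len bytes: the fraction of encapsulations whose probes all fall
    inside that prefix. R values come from a counter so runs are reproducible."""
    hits = 0
    for t in range(trials):
        r = hashlib.sha256(b"trial" + struct.pack(">Q", t)).digest()
        if all(i < leaked_len for i in probe_indices(r, p, len(bigkey))):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Constructed toy bigkey: 1 MiB of random bytes (a deployed one would be far larger).
    toy_bigkey = os.urandom(1 << 20)
    r, k = encapsulate(toy_bigkey, p=64)
    print("R      =", r.hex())
    print("subkey =", k.hex())
    # Half the bigkey leaked and 64 probes: the attacker's chance per subkey is 2**-64.
    print("bound  =", leak_bound(64, 0.5))
    half = len(toy_bigkey) // 2
    for p in (1, 2, 4, 8):
        est = simulate_leak(toy_bigkey, half, p, 2000)
        print(f"p={p}: simulated {est:.3f} vs bound {leak_bound(p, 0.5):.3f}")
```

Each encapsulation reads only p bytes of the bigkey, which is what makes the low-bandwidth box idea above workable: the interface chip needs two hash computations per query and never emits the key material itself, and every leaked subkey gives the attacker at most p of the bigkey's positions. The bound is the idealised one for independent uniform probes; the manuscript's subkey-prediction analysis is what turns it into a real security statement, and p is chosen from how much leakage one is willing to tolerate.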