Re: [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]

David McGrew <> Thu, 02 January 2014 18:17 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 55D161AD0EA for <>; Thu, 2 Jan 2014 10:17:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -12.339
X-Spam-Status: No, score=-12.339 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uHnKTpWfyPno for <>; Thu, 2 Jan 2014 10:17:02 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 890631AC49D for <>; Thu, 2 Jan 2014 10:17:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=7047; q=dns/txt; s=iport; t=1388686616; x=1389896216; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=GomWjQGrH84uyHRMK2xJG63C0DgpMMBr8alzUAgpw3s=; b=XLe1uxHlrOSaioyem6nUZtU4Z7qWioikdHL77S37rcUuZtbskNVbXAWw oQ8vpBwhGdAJt7OXDwqCdWHJvpq3bgNvoiIu/x91WjWCr4vNrLan9CbO1 9Ws3dj/G8HKzaXN9FbA89ncO35SRDtaAM2LoYwSnHIGL7LAkDEmo9jO2f Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="4.95,592,1384300800"; d="scan'208";a="294926541"
Received: from ([]) by with ESMTP; 02 Jan 2014 18:16:55 +0000
Received: from [] ( []) by (8.14.5/8.14.5) with ESMTP id s02IGr9K027768; Thu, 2 Jan 2014 18:16:54 GMT
Message-ID: <>
Date: Thu, 02 Jan 2014 13:16:53 -0500
From: David McGrew <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130922 Icedove/17.0.9
MIME-Version: 1.0
To: Watson Ladd <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "" <>
Subject: Re: [Cfrg] Dual_EC_DRBG ... [was RE: Requesting removal of CFRG co-chair]
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 02 Jan 2014 18:17:11 -0000

Hi Watson,

I think that we are in agreement on all of the main points here, but I 
did want to comment on a tangent:

On 12/30/2013 09:52 AM, Watson Ladd wrote:
> On Mon, Dec 30, 2013 at 8:56 AM, David McGrew <> wrote:
>> Hi Dan,
>> On 12/27/2013 06:34 PM, Dan Brown wrote:
>> -----Original Message-----
>> From: Dan Harkins
>> Sent: Friday, December 27, 2013 4:46 PM
>> On Fri, December 27, 2013 1:42 pm, David McGrew wrote:
>> I understand that these topics deserve discussion, but in the long
>> term it might be more fruitful to consider what recommendations should
>> be given to implementers and standards group on the subject of PRNGs.
>> Yes, I just wanted to clarify.
>> Now, since you asked about recommendations ...
>> PRNGs are not needed for interoperability, but the some of the core
>> "schemes" standards that I am familiar with, such as ANSI X9.62 and SEC1,
>> make normative requirements about the PRNGs and entropy used to generate
>> keys.  I think that's reasonable for the sake of security.  In theory, if
>> IETF "protocols" specs reference these core "schemes" standards, then they
>> would inherit the PRNG requirements.  I'd recommend IETF "schemes" specs
>> similarly follow suit, although an alternative is just to require a (secure)
>> randomly generated key, but that could be little risky to ask implementers
>> to do this without sufficient guidance.
>> Maybe I'm biased,
>> I love the pun there ;-)
>> but for a PRNG, I'd recommend Dual_EC_DRBG with
>> alternative P&Q, at least on systems that can afford the extra latency, e.g.
>> high-end user equipment, if only because of the refereed security analysis.
>> Also, considerable attention, because of the potential backdoor, has been
>> paid to Dual_EC_DRBG, yet no major attack since that security analysis has
>> been uncovered.
>> I respectfully disagree.   We need to keep in mind a holistic security model
>> that considers all of the threats to information security, and one such
>> threat is the possibility that the P and Q parameters in a particular
>> implementation might be changed by an untrustworthy software provider
>> (either a vendor or an open-source contributor), hardware provider (in the
>> case that the software is pre-installed on the hardware), a reseller, or
>> someone else in the supply chain.   If those parameters are set correctly by
>> the initial developer, but then changed by someone else, the unwitting end
>> user might be compromised.   It is doubtful that this change would be
>> detected.
> There is a distinguishing attack on Dual_EC_DRBG taking time 2^28 with
> good success probability.
> See for details. This alone makes it
> unacceptable.
> Also note that Certicom has IPR. Dan Brown hasn't disclosed this, but
> his name is on the patent
> on the alternate parameters. There isn't a single good reason for
> Dual_EC_DRBG to even be
> considered.
>> One could counter-argue that 1) software boot-time integrity can be provided
>> through boot-time signature checking and 2) a malicious actor in the supply
>> chain could undermine the efficacy of any DRBG.   However, boot-time
>> integrity is absent on many systems at this time, it does not address
>> run-time integrity even when it is present, and if a DRBG based on symmetric
>> cryptography is undermined, that fact will be noticeable (at least in
>> principle).
> I don't think this is quite true. Imagine a HMAC-DRBG implementation
> with all but 40 bits of the
> key hardwired to a fixed value. Given an external seed it gets the
> wrong answers, but if the key is
> generated internally you would never know.

If I understand your strawman here, the undermined DRBG would be 
detectable after 2^20 distinct invocations on distinct seeds, it would 
produce repeating values.   A test harness that could invoke the DRBG on 
a million distinct seeds could detect this fact, assuming of course that 
it was actually using different seed values.   Of course, it is not 
clear how the test harness could ensure that the DRBG was not "cheating" 
by e.g. just returning a pseudorandom value, such as the output of HMAC 
in couter mode.   A "cheating" DRBG would not be detectable.

It would be really valuable if there were a testing methodology for 
random sources and DRBGs that enabled a third party (such as the end 
user, or a verification lab that is unaffiliated with the manufacturer) 
to assess the quality of both of those components. This could make a 
significant positive impact IMO - would be interested to hear what other 
people think.

In my experience, most vendors who build random sources are very 
hesitant to provide the raw output of the source that would be needed to 
perform an independent statistical validation of the soundness of the 
source.  From what I can tell, this sometimes reflects a lack of 
confidence in the design.


> Sincerely,
> Watson Ladd
>> David
>> The three other DRBG algorithms now in SP 800-90 should be much faster, if
>> such speed is needed, and should also be secure, since no major attacks have
>> been published, despite their high profile in NIST specs.  The HMAC_DRBG
>> also has a proof.
>> I'm also aware of other research into comparable alternatives:
>> but I'm not sure if these have been standardized anywhere.  If I had to
>> summarize these in a few words, I would hazard to say that they provide
>> constructions to build a PRNG from a PRF (where for a PRF, think RC4, or
>> AES-CTR).
>> There's also lots of research into "randomness extractors", but that's
>> something slight different.
>>    Indeed! And might this discussion move to, the
>> mailing
>> list formed to discuss just this very subject?
>> Thanks. I completely forgot about that mailing list, I saw the announcement
>> but never looked into it.  Is there a WG site?
>> Best regards,
>> Dan
>> ---------------------------------------------------------------------
>> This transmission (including any attachments) may contain confidential
>> information, privileged material (including material protected by the
>> solicitor-client or other applicable privileges), or constitute non-public
>> information. Any use of this information by anyone other than the intended
>> recipient is prohibited. If you have received this transmission in error,
>> please immediately reply to the sender and delete this information from your
>> system. Use, dissemination, distribution, or reproduction of this
>> transmission by unintended recipients is not authorized and may be unlawful.
>> _______________________________________________
>> Cfrg mailing list