Re: [Cfrg] I-D Action: draft-irtf-cfrg-randomness-improvements-07.txt
Björn Haase <bjoern.m.haase@web.de> Sat, 07 September 2019 16:00 UTC
On 07.09.2019 at 17:14, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Crypto Forum RG of the IRTF.
>
> Title : Randomness Improvements for Security Protocols

I support the idea of adding an independent random seed for protocols where randomness is crucial. I also agree that the hashed key derivation function approach (Expand-Extract) is a conservative, yet possibly somewhat costly and slow choice.

I had a couple of discussions with different cryptographers, specifically considering the topic of side-channel resistance (e.g. with respect to DPA), and it turned out that some sponge-based construction might be ideal for mixing together different entropy sources and for providing also decent side-channel properties.

The idea would be to operate the sponge in some mode similar to SHAKE, such that it is possible to extract arbitrary length strings. For mixing in entropy, one might run the permutation, xor the new entropy inputs into the state and run the permutation once again before continuing with pulling out further random bits. In the end one might have a moving target for SCA and a quite efficient construction at the same time, and this would be independent from the rate that a TRNG or other entropy source produces new data.

Here I would like to ask whether somebody is actually aware of such a system or a paper considering it and whether a sponge-based approach has also been considered for the randomness-improvement draft?

I am asking specifically because for the very same use-cases the external reviewers that we have asked for approval of our production-code implementations requested us to use a rather complex construction based on a combination of HKDF and AES-CTR for generating the random streams, which I believe to be worse than a sponge construction from a side-channel perspective.

I'd appreciate learning whether somebody is aware of some scientific paper regarding efficient sponge-based RNG constructions for scenarios which are targeted by the randomness-improvements draft.

Yours,

Björn
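The mixing mode sketched in the message (SHAKE-style squeezing, and on reseed: permutation, XOR of the fresh entropy into the state, permutation again before further output), written out as an added example. This is not code from the draft, from the post, or from any product; it is a compact Keccak-f[1600] plus a small generator class. The names `SpongeRng`, `reseed`, `generate` and the two check functions are assumptions, as are the rate and padding suffix, which are deliberately those of SHAKE256 so that a generator that is never reseeded produces exactly SHAKE256(seed) and the permutation can be cross-checked against `hashlib`.

```python
"""Sponge-based random-stream generator in the mode sketched in the message
(added example; not code from the draft, the post or any product).

The state is the 1600-bit Keccak state and output is squeezed SHAKE-style, so
strings of arbitrary length can be pulled out.  Fresh entropy is mixed in by
running the permutation, XOR-ing the new bytes into the state and running the
permutation once more before any further output is produced.  Rate, padding
suffix and all names are assumptions; rate and suffix are those of SHAKE256 so
that, without a reseed, the stream equals SHAKE256(seed).
"""
import hashlib

MASK64 = (1 << 64) - 1
RATE = 136     # bytes per block: SHAKE256 rate (capacity 512 bits)
SUFFIX = 0x1F  # SHAKE domain-separation byte of the pad10*1 padding

RC = [  # Keccak round constants
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],   # rho offsets ROT[x][y]
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def keccak_f1600(lanes):
    """Keccak-f[1600] on 25 little-endian 64-bit lanes; lane (x, y) sits at x + 5*y."""
    for rc in RC:
        # theta: fold the column parities back into every lane
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20]
             for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]
        # rho and pi: rotate each lane and move it to position (y, 2x+3y)
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(lanes[x + 5 * y], ROT[x][y])
        # chi: the non-linear step along each row
        lanes = [b[i] ^ ((~b[(i + 1) % 5 + 5 * (i // 5)] & MASK64)
                         & b[(i + 2) % 5 + 5 * (i // 5)]) for i in range(25)]
        # iota: round constant into lane (0, 0)
        lanes[0] ^= rc
    return lanes


def _permute(state):
    lanes = [int.from_bytes(state[8 * i:8 * i + 8], "little") for i in range(25)]
    for i, lane in enumerate(keccak_f1600(lanes)):
        state[8 * i:8 * i + 8] = lane.to_bytes(8, "little")


class SpongeRng:
    """Seed once, squeeze output of any length, reseed whenever entropy arrives."""

    def __init__(self, seed):
        self.state = bytearray(200)
        self.pos = 0
        self._absorb(seed)

    def _absorb(self, data):
        # pad10*1 with the domain suffix, then XOR each rate-sized block in and permute
        buf = bytearray(data) + bytes([SUFFIX])
        buf += bytes((-len(buf)) % RATE)
        buf[-1] |= 0x80
        for off in range(0, len(buf), RATE):
            for i in range(RATE):
                self.state[i] ^= buf[off + i]
            _permute(self.state)
        self.pos = 0  # the outer part of the state is now the next output block

    def reseed(self, entropy):
        # permutation, XOR of the new entropy, permutation again, before any
        # further bytes are squeezed: the mode the message describes
        _permute(self.state)
        self._absorb(entropy)

    def generate(self, n):
        out = bytearray()
        while len(out) < n:
            if self.pos == RATE:        # current output block used up
                _permute(self.state)
                self.pos = 0
            take = min(n - len(out), RATE - self.pos)
            out += self.state[self.pos:self.pos + take]
            self.pos += take
        return bytes(out)


def matches_shake256(seed, n=300):
    """Cross-check: with no reseed the stream must equal SHAKE256(seed)."""
    return SpongeRng(seed).generate(n) == hashlib.shake_256(seed).digest(n)


def reseed_is_deterministic_and_effective(seed, entropy, n=64):
    """Same seed and entropy give the same stream; the reseed changes the stream."""
    a, b, c = SpongeRng(seed), SpongeRng(seed), SpongeRng(seed)
    for r in (a, b, c):
        r.generate(10)          # a partially consumed block, as in a running system
    a.reseed(entropy)
    b.reseed(entropy)
    x, y, z = a.generate(n), b.generate(n), c.generate(n)
    return x == y and x != z
```

`matches_shake256` is the check to run first: it passes only if the permutation, lane layout and padding are all correct, since any slip would diverge from the library's SHAKE256. The reseed path then shows the property the message is after: output continues at whatever rate the consumer needs, and entropy from a TRNG is folded in between two permutations whenever it happens to arrive, independently of how often that is. The code demonstrates the mixing mode only; whether a given implementation of the permutation behaves as a "moving target" against DPA depends on the hardware and is not something this software sketch shows.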