IETF Logo Mail Archive

Re: [Cfrg] Big-key cryptography

"Grigory Marshalko" <marshalko_gb@tc26.ru> Wed, 16 December 2015 19:39 UTC

Return-Path: <marshalko_gb@tc26.ru>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D7F01A8940 for <cfrg@ietfa.amsl.com>; Wed, 16 Dec 2015 11:39:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.159
X-Spam-Level: **
X-Spam-Status: No, score=2.159 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XB-xgJHSnFSq for <cfrg@ietfa.amsl.com>; Wed, 16 Dec 2015 11:39:19 -0800 (PST)
Received: from mail.tc26.ru (mail.tc26.ru [188.40.163.82]) by ietfa.amsl.com (Postfix) with ESMTP id 34DB71A8937 for <cfrg@irtf.org>; Wed, 16 Dec 2015 11:39:18 -0800 (PST)
Received: from mail.tc26.ru (localhost [127.0.0.1]) by mail.tc26.ru (Postfix) with ESMTPSA id 55E003000EC; Wed, 16 Dec 2015 22:39:09 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.tc26.ru 55E003000EC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tc26.ru; s=mx; t=1450294756; bh=5PGADKW9eSGPIxgkBz78WfkHYWJ7oX7iQUZyTStkVF8=; h=Date:From:Subject:To:Cc:In-Reply-To:References:From; b=B9fcB9RidM3XOKDJsADxVyjBaM0yH3EZKNS7uNVGEZ5FRDh1aQDXDhLCXi5nKGKuF f76T1Y1FD1iPTa3q/ZrJ0MbXJzE2XeB2OJAvgCvnS0jF3bnRkBM+gW9K5+kNgvZLyo 4yicgWkpVtpU0nlkoko3MaRaMr3Jd2z1yVZWCXV0=
Mime-Version: 1.0
Date: Wed, 16 Dec 2015 19:39:09 +0000
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <2ce973de502c24af64d8b64fa5ffd78c@mail.tc26.ru>
X-Mailer: RainLoop/1.9.3.365
From: Grigory Marshalko <marshalko_gb@tc26.ru>
To: Aaron Zauner <azet@azet.org>
In-Reply-To: <56700C1C.9070902@azet.org>
References: <56700C1C.9070902@azet.org> <566C3791.2050705@azet.org> <5669F8AF.2000008@azet.org> <bcbd3d10ecc43f8bd1e302f095a2ade0@mail.tc26.ru> <803c5559d8b8b2d6853c066ee906355c@mail.tc26.ru> <51b7ad9ad4199cff7e1538ded64193c3@mail.tc26.ru>
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Lua-Profiles: 88358 [Dec 16 2015]
X-KLMS-AntiSpam-Version: 5.5.6
X-KLMS-AntiSpam-Envelope-From: marshalko_gb@tc26.ru
X-KLMS-AntiSpam-Rate: 0
X-KLMS-AntiSpam-Status: not_detected
X-KLMS-AntiSpam-Method: none
X-KLMS-AntiSpam-Moebius-Timestamps: 3873942, 3873972, 3873677
X-KLMS-AntiSpam-Info: LuaCore: 393 393 c2c6794cec399221a2b2ea37c1235b8c69404071, www.imperialviolet.org:7.1.1; tc26.ru:7.1.1; en.wikipedia.org:4.0.4,7.1.1; 127.0.0.200:7.1.3; www.alchemistowl.org:7.1.1; d41d8cd98f00b204e9800998ecf8427e.com:7.1.1; 127.0.0.199:7.1.2; mail.tc26.ru:7.1.1, Auth:dkim=none
X-KLMS-AntiSpam-Interceptor-Info: scan successful
X-KLMS-AntiPhishing: Clean, 2015/12/16 14:04:47
X-KLMS-AntiVirus: Kaspersky Security 8.0 for Linux Mail Server, version 8.0.1.721, bases: 2015/12/16 14:19:00 #6751863
X-KLMS-AntiVirus-Status: Clean, skipped
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/jJoWG-8SXMq5ehQ8kXpzYZOAx1k>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Big-key cryptography
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 19:39:21 -0000

Hi, Aaron,

I agree that with developmnets in hardware the problem is going to be less serious on the one hand, but on the other hand we would always have enough room for suspicions :)  E.g.  https://www.alchemistowl.org/pocorgtfo/pocorgtfo03.pdf p.20 shows how linux random generation could fail in case of backdored RDRAND.
 
 

Regards,
Grigory Marshalko,
expert,
Technical committee for standardisation "Cryptography and security mechanisms" (ТC 26)
www.tc26.ru
15 декабря 2015 г., 15:48, "Aaron Zauner" <azet@azet.org> написал:
> Hi Grigory,
> 
> See also Ryan's reply.
> 
> Grigory Marshalko wrote:
> 
>> Hi Aaron,
>> 
>> I mean that when we speak about key generation we should always control the amount of entropy. So
>> the bigger the key the more entropy we need. That is the main problem in this approach - how to
>> generate the initial key/state (By pool I mean entropy pool like in Fortuna RBG).
>> Regards,
> 
> Generation of "randomness" is not really a big issue anymore (at least
> on Linux - probably pretty similar on other Operating Systems). These
> days modern Intel Chips come with a RDRAND instruction that is mixed
> into the pool (with many other inputs, e.g. IRQs). RDRAND
> 
> ```
> The RDSEED instruction was added to Intel Secure Key for seeding another
> pseudorandom number generator,[16] available in Broadwell CPUs. The
> entropy source for the RDSEED instruction runs asynchronously on a
> self-timed circuit and uses thermal noise within the silicon to output a
> random stream of bits at the rate of 3 GHz.
> ``` -- https://en.wikipedia.org/wiki/RdRand
> 
> If you're really clever you could do something like how BoringSSL seeds:
> ```
> TLS servers that are pushing lots of AES-CBC need the RNG to be really
> fast because each record needs a random IV. Because of this, if
> BoringSSL detects that the machine supports Intel's RDRAND instruction,
> it'll read a seed from urandom, expand it with ChaCha20 and XOR entropy
> from RDRAND. The seed is thread-local and refreshed every 1024 calls or
> 1MB output, whichever happens first.
> ``` -- https://www.imperialviolet.org/2015/10/17/boringssl.html
> 
> HTH,
> Aaron

v2.23.0 | Report a Bug | By Email