Re: [Cfrg] Big-key cryptography

Aaron Zauner <azet@azet.org> Tue, 15 December 2015 12:48 UTC

Message-ID: <56700C1C.9070902@azet.org>
Date: Tue, 15 Dec 2015 13:48:28 +0100
From: Aaron Zauner <azet@azet.org>
To: Grigory Marshalko <marshalko_gb@tc26.ru>
References: <566C3791.2050705@azet.org> <5669F8AF.2000008@azet.org> <bcbd3d10ecc43f8bd1e302f095a2ade0@mail.tc26.ru> <803c5559d8b8b2d6853c066ee906355c@mail.tc26.ru> <51b7ad9ad4199cff7e1538ded64193c3@mail.tc26.ru>
In-Reply-To: <51b7ad9ad4199cff7e1538ded64193c3@mail.tc26.ru>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/sXpwAuugHWwamwXFu9Jy0vrz3f4>
Cc: cfrg@irtf.org

Hi Grigory,

See also Ryan's reply.

Grigory Marshalko wrote:
> Hi Aaron,
> 
> I mean that when we speak about key generation we should always control the amount of entropy. So the bigger the key the more entropy we need. That is the main problem in this approach - how to generate the initial key/state (By pool I mean entropy pool like in Fortuna RBG). 
> Regards,

Generation of "randomness" is not really a big issue anymore (at least
on Linux - probably pretty similar on other operating systems). These
days modern Intel chips come with an RDRAND instruction that is mixed
into the pool (with many other inputs, e.g. IRQs). RDRAND:

```
The RDSEED instruction was added to Intel Secure Key for seeding another
pseudorandom number generator,[16] available in Broadwell CPUs. The
entropy source for the RDSEED instruction runs asynchronously on a
self-timed circuit and uses thermal noise within the silicon to output a
random stream of bits at the rate of 3 GHz.
``` -- https://en.wikipedia.org/wiki/RdRand

If you're really clever you could do something like how BoringSSL seeds:
```
TLS servers that are pushing lots of AES-CBC need the RNG to be really
fast because each record needs a random IV. Because of this, if
BoringSSL detects that the machine supports Intel's RDRAND instruction,
it'll read a seed from urandom, expand it with ChaCha20 and XOR entropy
from RDRAND. The seed is thread-local and refreshed every 1024 calls or
1MB output, whichever happens first.
``` -- https://www.imperialviolet.org/2015/10/17/boringssl.html

HTH,
Aaron
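The BoringSSL seeding scheme quoted above (seed from urandom, expand with ChaCha20, XOR in RDRAND output, refresh after 1024 calls or 1 MB) as an added Python sketch; this is not BoringSSL's code and not part of the post. It assumes os.urandom as a stand-in for both the urandom seed and the RDRAND stream (pure Python cannot issue RDRAND), and the class name SeededRng is made up here.

```python
import os, struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _qr(s, a, b, c, d):  # ChaCha quarter round on state words a, b, c, d
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (32-byte key, 32-bit counter, 12-byte nonce)."""
    st = (list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
          + [counter & MASK] + list(struct.unpack("<3I", nonce)))
    w = st[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, st)])

class SeededRng:
    """Seed from urandom, expand with ChaCha20, XOR in hardware entropy; reseed at 1024 calls or 1 MiB."""
    MAX_CALLS = 1024
    MAX_BYTES = 1 << 20

    def __init__(self, seed_source=os.urandom, hw_source=os.urandom):
        self.seed_source = seed_source  # stands in for reading /dev/urandom
        self.hw_source = hw_source      # stands in for RDRAND (simulated; pure Python has no RDRAND)
        self.reseeds = 0
        self._reseed()

    def _reseed(self):
        self.key, self.nonce = self.seed_source(32), self.seed_source(12)
        self.counter = self.calls = self.bytes_out = 0
        self.reseeds += 1

    def read(self, n):
        if self.calls >= self.MAX_CALLS or self.bytes_out + n > self.MAX_BYTES:
            self._reseed()
        self.calls += 1
        self.bytes_out += n
        ks = bytearray()
        while len(ks) < n:  # expand the seed into keystream
            ks += chacha20_block(self.key, self.counter, self.nonce)
            self.counter += 1
        hw = self.hw_source(n)  # XOR hardware entropy into the expanded stream
        return bytes(a ^ b for a, b in zip(ks[:n], hw))
```

With a zero seed and a zero hardware source the output is the plain RFC 8439 ChaCha20 keystream, which is the easiest way to check the expansion step in isolation.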