Re: [Cfrg] Schnorr just as vulnerable to bad RNG
David Jacobson <dmjacobson@sbcglobal.net> Sat, 26 July 2014 02:34 UTC
Message-ID: <53D31396.2040909@sbcglobal.net>
Date: Fri, 25 Jul 2014 19:33:58 -0700
From: David Jacobson <dmjacobson@sbcglobal.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Bodo Moeller <bmoeller@acm.org>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <20140725131738.6639765.60290.17138@certicom.com> <CADMpkcJD_qXkNFECQ4YoBUhyxQJNrh1=K6gAGfJ23jFWaD51-Q@mail.gmail.com>
In-Reply-To: <CADMpkcJD_qXkNFECQ4YoBUhyxQJNrh1=K6gAGfJ23jFWaD51-Q@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/v5f63r-secsMtf7RI07w5uNOVTY
Subject: Re: [Cfrg] Schnorr just as vulnerable to bad RNG
On 7/25/14 7:09 AM, Bodo Moeller wrote:
> ... in practice, sometimes you *think* you have proper seeding when
> you actually don't.

This is wandering off topic, but I'm going to mention it anyway.

Entropy generation is a very tricky thing. Unfortunately, there is far too much emphasis on estimating the entropy of a source based on long term averages of something. The problem is that many sources have entropy dropouts.

In one system I'm aware of, entropy was collected from noise in a radio. I got a pile of the raw entropy, and noticed that every so often there were long runs of zeros. My guess is that there were occasional powerful RF "clicks" that overloaded the front end RF circuitry, and until the system recovered from the overload, zeros were reported. These dropouts were tiny compared to the overall data, maybe 0.01%, so they would have negligible effect on any metric that does long averages. But had a seed been grabbed right during a dropout, it would have been a cryptographic disaster. And 0.01% corresponds to about 13 bits of security.

--David Jacobson
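The point about long-term averages is easy to reproduce. The script below is an added example, not code from the thread or from the radio system David describes: it constructs a synthetic raw-entropy stream (uniform bytes from a seeded PRNG standing in for a healthy noise source) with five 32-byte runs of zeros patched in at assumed offsets, about 0.016% of the stream, and then compares a whole-stream Shannon estimate against a per-window estimate and a run-length check. The offsets, window size and run length are assumptions chosen to mimic the rough 0.01% case in the message.

```python
"""Added example (not from the CFRG thread): why a long-run entropy
average hides dropouts that a windowed or run-length check catches.
The stream, its dropout offsets and the window size are constructed
assumptions chosen to mimic the ~0.01% dropout case in the message."""
import math
import random
from collections import Counter

STREAM_BYTES = 1_000_000
DROPOUT_BYTES = 32                                   # length of each zero run
DROPOUT_OFFSETS = [160_000 * k for k in range(1, 6)]  # assumed positions


def make_raw_stream(n_bytes=STREAM_BYTES, offsets=DROPOUT_OFFSETS,
                    run_len=DROPOUT_BYTES, seed=1):
    """Constructed 'radio noise': uniform bytes from a seeded PRNG (a stand-in
    for a healthy source) with runs of 0x00 patched in at the given offsets,
    mimicking a front end that reports zeros while it recovers from overload."""
    rng = random.Random(seed)                         # seeded: repeatable
    data = bytearray(rng.getrandbits(8) for _ in range(n_bytes))
    for off in offsets:
        data[off:off + run_len] = bytes(run_len)
    return bytes(data)


def shannon_bits_per_byte(data):
    """Whole-sample Shannon estimate: the 'long term average' style metric."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def worst_window(data, window=16):
    """Minimum Shannon estimate over non-overlapping windows, as
    (bits_per_byte, offset).  A zero run of at least 2*window-1 bytes always
    covers one whole window, so 32-byte dropouts are caught regardless of
    how they align with the window grid."""
    worst = (float("inf"), None)
    for off in range(0, len(data) - window + 1, window):
        h = shannon_bits_per_byte(data[off:off + window])
        if h < worst[0]:
            worst = (h, off)
    return worst


def zero_runs(data, min_len=8):
    """Run-length check: list of (start, length) for every run of 0x00 at
    least min_len bytes long.  A healthy 8-bit source essentially never
    produces 8 consecutive zero bytes, so any hit is a dropout."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b == 0:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data) - start))
    return runs


def seed_from(data, offset, n=32):
    """What a DRBG would be seeded with if it read n raw bytes at offset."""
    return data[offset:offset + n]


def dropout_security_bits(zero_fraction):
    """If a fraction f of seed reads land inside a dropout, an attacker who
    simply guesses 'the seed was all zeros' is right with probability f, so
    those seeds carry only -log2(f) bits of security (0.01% -> ~13 bits)."""
    return -math.log2(zero_fraction)


if __name__ == "__main__":
    stream = make_raw_stream()
    print("whole-stream estimate: %.4f bits/byte" % shannon_bits_per_byte(stream))
    h, off = worst_window(stream)
    print("worst 16-byte window: %.2f bits/byte at offset %d" % (h, off))
    for start, length in zero_runs(stream):
        print("zero run of %d bytes at offset %d" % (length, start))
    print("seed read at offset %d: %s" % (off, seed_from(stream, off).hex()))
    frac = DROPOUT_BYTES * len(DROPOUT_OFFSETS) / len(stream)
    print("dropout fraction %.5f -> about %.1f bits of security"
          % (frac, dropout_security_bits(frac)))
```

The whole-stream estimate comes out a hair under 8 bits per byte and says nothing is wrong; the per-window minimum is 0 bits at the first dropout, the run-length check lists all five runs, and a 32-byte seed read inside any of them is all zeros. The practical takeaway is that a source health test has to be a per-sample or per-window test (a maximum run length, a minimum per-window estimate) applied to what is actually fed into the seed, not a statistic over the whole collection.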
- Re: [Cfrg] Schnorr just as vulnerable to bad RNG Stephen Farrell
- [Cfrg] Schnorr just as vulnerable to bad RNG Dan Brown
- Re: [Cfrg] Schnorr just as vulnerable to bad RNG Bodo Moeller
- Re: [Cfrg] Schnorr just as vulnerable to bad RNG Rene Struik
- Re: [Cfrg] Schnorr just as vulnerable to bad RNG Bodo Moeller
- Re: [Cfrg] Schnorr just as vulnerable to bad RNG Michael Hamburg
- Re: [Cfrg] Schnorr just as vulnerable to bad RNG David Jacobson
- Re: [Cfrg] Schnorr just as vulnerable to bad RNG Sandy Harris