Re: [Cfrg] Schnorr just as vulnerable to bad RNG

David Jacobson <dmjacobson@sbcglobal.net> Sat, 26 July 2014 02:34 UTC

On 7/25/14 7:09 AM, Bodo Moeller wrote:
> ... in practice, sometimes you *think* you have proper seeding when 
> you actually don't.
This is wandering off topic, but I'm going to mention it anyway. Entropy 
generation is a very tricky thing.  Unfortunately, there is far too much 
emphasis on estimating the entropy of a source based on long term 
averages of something.  The problem is that many sources have entropy 
dropouts.  In one system I'm aware of, entropy was collected from noise 
in a radio.  I got a pile of the raw entropy, and noticed that every so 
often there were long runs of zeros. My guess is that there were 
occasional powerful RF "clicks" that overloaded the front end RF 
circuitry, and until the system recovered from the overload, zeros were 
reported.  These dropouts were tiny compared to the overall data, maybe 
0.01%, so they would have negligible effect on any metric that does long 
averages.  But had a seed been grabbed right during a dropout, it would 
have been a cryptographic disaster. And 0.01% corresponds to about 13 
bits of security.

      --David Jacobson
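
Added example, not part of the original message: a simulation of the dropout described above, showing that a long-term average metric barely moves while a stuck-value check on the exact bytes used for a seed catches the problem. The stream is constructed sample data, and the 100-byte dropout, the run cutoff of 8 and the 32-byte seed length are assumptions; the run check follows the idea of the repetition count test in NIST SP 800-90B.

```python
import math
import random
from collections import Counter

def make_stream(n=1_000_000, dropout_at=400_000, dropout_len=100, seed=1):
    """Constructed sample: n noise bytes with one run of zeros (0.01% of data)."""
    rng = random.Random(seed)  # simulation only, never a source of key material
    data = bytearray(rng.getrandbits(8 * n).to_bytes(n, "little"))
    data[dropout_at:dropout_at + dropout_len] = bytes(dropout_len)
    return bytes(data)

def shannon_bits_per_byte(data):
    """Long-term average metric: empirical Shannon entropy of byte frequencies."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def stuck_runs(data, cutoff=8):
    """Return (offset, length) for every run of one repeated byte >= cutoff."""
    runs, start = [], 0
    for i in range(1, len(data) + 1):
        if i == len(data) or data[i] != data[start]:
            if i - start >= cutoff:
                runs.append((start, i - start))
            start = i
    return runs

def seed_is_usable(data, offset, seed_len=32, cutoff=8):
    """Check the exact bytes about to be used as a seed, not the stream average."""
    return not stuck_runs(data[offset:offset + seed_len], cutoff)

def hit_probability_bits(dropout_len, total_len):
    """-log2 of the chance that a randomly chosen byte lies in the dropout."""
    return -math.log2(dropout_len / total_len)

if __name__ == "__main__":
    stream = make_stream()
    print("average bits/byte:", round(shannon_bits_per_byte(stream), 4))
    print("stuck runs:", stuck_runs(stream))
    print("seed at 0 usable:", seed_is_usable(stream, 0))
    print("seed at 400020 usable:", seed_is_usable(stream, 400_020))
    print("bits:", round(hit_probability_bits(100, 1_000_000), 1))
```

The average stays within a fraction of a percent of 8 bits per byte, yet a seed taken at offset 400020 is all zeros; only the per-seed check rejects it.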