Re: [Eligibility-discuss] On 3797 alternatives

Martin Thomson <mt@lowentropy.net> Wed, 07 June 2023 00:34 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/eligibility-discuss/NL8hXP6_z_UnRiOQupYa_1zkaC8>

On Sat, Jun 3, 2023, at 07:46, Donald Eastlake wrote:
> So, what is a reasonable estimate of the amount of bias that can be 
> introduced by the attack you hypothesize?

Let's take the simplest case.  There is just one person who volunteers, but the attacker intends to add one more.  The process therefore needs only to choose from two people.  There is one real candidate and a small set of people who might volunteer for the other position.

The seed contains 2 bits of entropy, which is then fed into MD5 and whatnot.  By the logic presented in 3797, this is ample entropy.  It's twice as much as you would seem to need.

There are four possible outcomes in this scenario.  Each outcome is either first chosen or second chosen. If the set of outcomes is all first chosen, then the attacker chooses a volunteer that will be sorted first; if the set of outcomes is all second chosen they do the opposite.  Probability of success in that case is 1, not some probability distribution.

If we model MD5 as an ideal PRF (which it isn't, but I'll hold my nose briefly), then maybe we conclude that this outcome only occurs one time in eight.  But then there is the 3/4 case, which occurs half the time, but provides 3/4 odds of attacker success.  And at 2/2, the attacker's preferred outcome occurs half the time with 3/8 probability.  Multiply out and you get odds of influence at 0.75, which is an advantage of 0.25 over pure 50/50 chance.

Extending that model with more bits would seem to reduce that advantage quite a bit.

My point is that the 3797 analysis has a shortcoming in that it considers the PRF as a random oracle, when it isn't.  Consequently, the system is not as strong as it might seem.

Of course, I want to point out that this is all academic.  In practice, we use high entropy seeds and there is no real reason not to continue to do so.
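
Added example, not part of the original message and not code from RFC 3797: a Python enumeration of the two-volunteer scenario in the message above, using a draw modelled on the RFC 3797 procedure (MD5 over a two-byte index, the key string and the index again, reduced modulo the pool size). It goes beyond the 2-bit case to larger seed spaces; the key-string format, the function names and the seed values are assumptions constructed for illustration.

```python
import hashlib


def select_index(key: bytes, pool_size: int, k: int = 0) -> int:
    """One draw modelled on RFC 3797: MD5(index || key || index) mod pool size."""
    idx = k.to_bytes(2, "big")  # two-byte index in network order
    digest = hashlib.md5(idx + key + idx).digest()
    return int.from_bytes(digest, "big") % pool_size


def constructed_seeds(bits: int) -> list[bytes]:
    """Every value a seed with `bits` bits of entropy can take.

    Constructed data: the "<n>./" key-string rendering is an assumption,
    standing in for whatever public sources would be announced.
    """
    return [f"{v}./".encode() for v in range(2 ** bits)]


def attacker_success(bits: int) -> tuple[int, int, float]:
    """Two volunteers, one slot to fill.

    Returns (seeds that pick sorted position 0, seeds that pick position 1,
    success rate for a party who knows the seed space in advance and enters
    a name that sorts into the more frequently chosen position).
    """
    picks = [select_index(seed, 2) for seed in constructed_seeds(bits)]
    first = picks.count(0)
    second = len(picks) - first
    return first, second, max(first, second) / len(picks)


if __name__ == "__main__":
    # The hash is fixed and public, so the split between positions is a
    # fixed property of the seed space, not a coin flip at selection time.
    for bits in (2, 4, 8, 12):
        first, second, p = attacker_success(bits)
        print(f"{bits:2d} bits: first={first:4d} second={second:4d} "
              f"success={p:.4f} advantage={p - 0.5:.4f}")
```

With a 2-bit seed the success rate can only be 0.5, 0.75 or 1.0; as the seed space grows the split approaches even, which is why a high-entropy seed removes the practical concern.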