[kitten] confounding >> random IV?

Nico Williams <nico@cryptonector.com> Thu, 26 September 2013 18:42 UTC

Date: Thu, 26 Sep 2013 13:41:34 -0500
Message-ID: <CAK3OfOivNW8BR7xBg7kMiGSj4ZmwdYcQA7sfAxGdUC5FrnmkyQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "kitten@ietf.org" <kitten@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Subject: [kitten] confounding >> random IV?

If you have an RNG that has a backdoor such that anyone who possesses
the key to it can recover the next output given any one output (of
some given size, perhaps), then random IVs and nonces leak RNG state
if they are taken directly from the RNG.  Confounding eliminates this
problem, at least for RFC3961 crypto.

Maybe we should keep confounding.

Of course, this notion is rather contrived.  No one in their right
mind would run an RNG like that...

Also, confounding cannot protect against other backdoored PRNG
attacks, just those where the attacker gets a lot of value from
observing direct PRNG outputs.

So maybe confounding adds no value; it definitely subtracts
performance.  But we should at the very least note this in the new
enctypes' security considerations.

Also, we should consider carefully whether we really want to ditch confounding.

Nico
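An added illustration of the point in the message above, not code from the thread or from any RFC 3961 implementation: a toy RNG built to have exactly the backdoor described (one output reveals the next to a key holder), a small Feistel stand-in for the block cipher, and the two constructions side by side. Every name here, including the `LeakyRNG` model and the `backdoor_key`, is an assumption made for the example.

```python
import hmac, hashlib, os

BLOCK = 16

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class LeakyRNG:
    """Toy generator built to have the backdoor the mail describes: each 16-byte output
    is the raw state, and the next state is prf(backdoor_key, previous output)."""
    def __init__(self, backdoor_key, seed):
        self.key, self.state = backdoor_key, seed
    def next_block(self):
        out, self.state = self.state, prf(self.key, self.state)[:BLOCK]
        return out

def predict_next(backdoor_key, observed_output):
    """What a backdoor-key holder computes from one output seen on the wire."""
    return prf(backdoor_key, observed_output)[:BLOCK]

def encrypt_block(key, block):
    """Toy 16-byte block cipher (4-round Feistel over HMAC-SHA256), standing in for AES."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, prf(key, bytes([rnd]) + r)[:8]))
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def random_iv_encrypt(key, rng, msg):
    """Explicit random IV: the IV sent on the wire is a raw RNG output."""
    iv = rng.next_block()
    return iv + cbc_encrypt(key, iv, msg)

def confounded_encrypt(key, rng, msg):
    """RFC 3961 simplified-profile style: CBC (zero IV) over confounder || msg,
    so only E_K(confounder) reaches the wire, never the RNG output itself."""
    confounder = rng.next_block()
    return cbc_encrypt(key, bytes(BLOCK), confounder + msg)

def leaks_next_output(encrypt, backdoor_key):
    """True if the first wire block lets a backdoor holder predict the RNG's next output."""
    rng, key = LeakyRNG(backdoor_key, os.urandom(BLOCK)), os.urandom(BLOCK)
    wire = encrypt(key, rng, b"0123456789abcdef")  # one full block, no padding needed
    return predict_next(backdoor_key, wire[:BLOCK]) == rng.next_block()
```

With the explicit-IV construction the check returns True (the next output, which might be a key the RNG hands out later, is predictable from the wire); with the confounded construction it returns False, because the observer only ever sees the confounder after encryption under K.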