tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: cprng_fast implementation benchmarks



On Apr 25, 2014, at 4:31 PM, Thor Lancelot Simon <tls%panix.com@localhost> 
wrote:

> On Fri, Apr 25, 2014 at 01:53:13PM +0000, Paul_Koning%Dell.com@localhost 
> wrote:
>> 
>> Yes, the discussion is about an RNG that is weaker than the existing
>> strong RNG.  How much weaker is not clear.
> 
> There's not a single answer, because the CTR_DRBG is designed to resist
> attacks that really don't seem relevant here.  It's not a simple
> question of whether one cipher is stronger than other.

I agree.  I don’t think I said that.  And I can easily imagine that some 
consumers of random numbers are not concerned about attack X that another one 
does care about and that the strong generator is designed to resist.

But what X are we talking about?  Security analysis does not come from 
generalities, it comes from the point by point analysis of specific questions.  
You correctly point out that some attacks may not be relevant.  Which attacks 
are not relevant, and which ones are, and why?

> 
> Even if you compare the core transforms (AES-128 in the case of the
> CTR_DRBG vs ChaCha8) it's not at all clear that ChaCha8 is any weaker.
> 
> There is not any currently known attack on 8 rounds of ChaCha that is
> better than brute force on its 256-bit key.  AES-128 is, at best, 128
> bits strong.

True, but of course there is AES-256 if you need that.

The real difference is that the body of research against AES is vastly greater 
than that against ChaCha.

> 
>> that I can?t tell whether it is stronger than the minimum required, or
>> weaker than that.
> 
> At present, if we are talking simply about the strength of the cipher
> itself (rather than about properties such as backtracking resistance)
> there's no attack better than brute-forcing the 256 bit key.  It seems
> to me that is probably good enough.

I was specifically NOT talking about the strength of the underlying cipher as 
the core question.  The interesting questions all relate to the attacks against 
the RNG consumer, and what RNG properties each of those consumers needs to foil 
the interesting attacks.

For RNGs, backtrack resistance is an example of the kind of property that 
matters (or rather, might matter — it depends on what the RNG consumer needs).  
  Depending on the RNG construction, its strength against interesting attacks 
may be equal to the strength of the underlying cipher against key recovery 
attack, or it may be less.  

        paul


Home | Main Index | Thread Index | Old Index