Subject: Re: FUD about CGD and GBDE
To: Perry E. Metzger <>
From: Poul-Henning Kamp <>
List: tech-security
Date: 03/04/2005 00:42:33
In message <>, "Perry E. Metzger" writes:

>I remember a certain talk at BSDCon where someone criticized the
>design of the kernel RNG during the talk on it. He mentioned that the
>person giving the presentation had stated a few inaccurate things,
>such as claiming that there was a proof of security for Schneier's
>Yarrow algorithm and a few other howlers. As I recall, he was
>thoroughly criticized for mentioning these things. As I also recall,
>when said person brought the topic up with a certain person named PHK,
>he said "I don't want to hear about it."

No, that is not what I said.  I said something about Yarrow being
so many times better than what we had before that it didn't really
affect the picture at this time and that if you had a beef with
Mark's presentation you should take it up with Mark because I had
not myself read the Yarrow paper at the time.

>> You don't actually know if I invented my own "cryptographic modes"
>> or not, do you ?
>You did.

I did ?  Cool, I should patent them!  :-)

Seriously, I don't think I did, but this may be a matter of semantics
which I am not aware of on account of not being a full time

If by "cryptographic modes" you mean "use algorithms in ways we have
not seen before", then yes, I may have.  That is not the same as
saying I haven't thought a lot about the implications.  For instance, the
role of MD5 is not to add strength but merely to give a better
statistical distribution of bits.

But either way, I'm very interested in getting a competent review,
but saying only "you did something new" is not that.

>> Sorry, they have only been disproved in a significantly larger universe
>> than the one my users inhabit.  That doesn't count to me.
>Being stubborn on this isn't going to help your users. The math is
>pretty obvious here. Sure a brute force isn't practical -- but neither
>is a brute force of AES-256.

No, not right now.

But do we know that a brute force attack is unfeasible on AES-256
ten years from now ?  And are we sure that the reuse of key material
which happens in CGD will not materially aid any attacks that may
be developed in the next decade ?

If we do, please forward the paper.

The fact that you just need to break one single sector in CGD before
you get the entire disk contents gives a disadvantage to CGD of
2^26 before we even consider the nature of the attack.  That is not
conservative when it could have been trivially avoided.

>someone points out an obvious flaw in your logic and shows the work
>factor is lower than that for AES-256, the gentlemanly thing to do is
>say "you are correct, I was mistaken."

And you can trust me to do so.

But the "flaw" must be possible to exploit in the current universe.

The goal for GBDE is to give credible denial of access for up to
25 years, and if nothing else that limits the storage capacity
available for an attacker to within an order of magnitude of the number
of particles within a 12.5 lightyear radius of Earth.

If you do not consider such limitations, you are just producing
silly math along the lines of the old joke: "First, we assume a
hexagonal sheep".

>> Any qualified, factually correct critique of GBDE will be taken very
>> seriously by me.  I am very much looking forward to it.  What Roland
>> has provided is not it.
>Roland's criticism is reasonable.

As you saw from the email preceding this one, Roland still hasn't
found out how GBDE actually works.

>Rather than getting angry, why don't
>you consider it?

What I got angry about was the fact that Roland was spreading FUD
about GBDE in all sorts of mailing lists without having enough honour
to give me a Cc: so I could have a chance to participate in the

As I said in my reply just a second ago, I would very much appreciate
if Roland would take the time to give me a competent review of GBDE,
but he cannot do that as long as he is blinded by the desire to ace
me instantly instead of thinking his arguments properly through and
testing his hypothesis.  Unfortunately I can no longer offer him financial
compensation for the effort; the DARPA contract is long since closed.


Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.