On 19/06/12 08:49 AM, Jack Lloyd wrote:

> I've never heard about someone trying to talk past, say, an AES
> implementation that didn't actually work, or a bad RSA, that's a
> pretty bright line.

I had a bit of an epiphany in two parts.

The first part is that AES and block algorithms can be quite tightly defined with a tight specification, and we can distribute test parameters. Anyone who's ever coded these things up knows that the test parameters do a near-perfect job in locking implementations down.

This results in the creation of a black-box or component approach. Because of this and perhaps only because of this, block algorithms and hashes have become the staples of crypto work. Public key crypto and HMACs less so. Anything crazier isn't worth discussing.



Then there are RNGs. They start from a theoretical absurdity that we cannot predict their output, which leads to an apparent impossibility of black-boxing.

NIST recently switched gears and decided to push the case for deterministic PRNGs. According to original thinking, a perfect RNG was perfectly untestable, whereas a perfectly deterministic RNG was also perfectly predictable. This was a battle of two not-goods.

Hence the second epiphany: NIST were apparently reasoning that the testability of the deterministic PRNG was the lesser of the two evils. They wanted to black-box the PRNG, because black-boxing was the critical determinant of success.

After a lot of thinking about the way the real world works, I think they have it right. Use a deterministic PRNG, and leave the problem of securing good seed material to the user. The latter is untestable anyway, so the right approach is to shrink the problem and punt it up-stack.



Taking that back to Intel's efforts. Unfortunately it's hard to do that deterministic/seed breakup in silicon. What else do they have?

The components / black-boxing approach in cryptoplumbing has been ultra successful. It has also had a rather dramatic effect on everything else, because it has raised expectations. We want everything else to be as "perfect" as the block encryption algorithm. Unfortunately, that's not possible. We need to manage our expectations.



iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
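The black-box/seed split the message argues for, as an added illustration (not code from the thread, NIST, or Intel): a SHA-256 HMAC_DRBG in the shape of NIST SP 800-90A, where the generator is fully deterministic and therefore checkable with fixed test parameters, while the caller is responsible for supplying the entropy input. The reseed limit of 10000 is an illustrative value chosen here, not the standard's interval, and the check function is my own wrapper.

```python
import hmac
import hashlib
import os


class HmacDrbg:
    """Deterministic HMAC_DRBG (SHA-256) in the form of SP 800-90A. Added example:
    the generator itself has no entropy source; seed material comes from the caller."""

    OUTLEN = 32                    # SHA-256 output size in bytes
    RESEED_LIMIT = 10000           # illustrative limit, deliberately far below the standard's

    def __init__(self, entropy_input: bytes, nonce: bytes = b"", personalization: bytes = b""):
        if len(entropy_input) < 32:
            raise ValueError("need at least 256 bits of entropy input")
        self.K = b"\x00" * self.OUTLEN
        self.V = b"\x01" * self.OUTLEN
        self.reseed_counter = 1
        self._update(entropy_input + nonce + personalization)

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes = b"") -> None:
        # HMAC_DRBG_Update: mix provided_data into (K, V); second round only if data given
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, n: int, additional_input: bytes = b"") -> bytes:
        if self.reseed_counter > self.RESEED_LIMIT:
            raise RuntimeError("reseed required before generating more output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n:               # V = HMAC(K, V); output is the chain of V values
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)    # back-track resistance: refresh state after output
        self.reseed_counter += 1
        return out[:n]


def known_answer_check(seed: bytes, n: int = 32) -> bool:
    """Black-box test in the spirit of block-cipher test vectors: identical seed
    material must give identical output, so a fixed vector pins the implementation."""
    a = HmacDrbg(seed).generate(n)
    b = HmacDrbg(seed).generate(n)
    return a == b and len(a) == n


def drbg_from_os() -> HmacDrbg:
    """The 'punt up-stack' half: seed material is the OS's job, not the generator's."""
    return HmacDrbg(os.urandom(32), nonce=os.urandom(16))
```

Only the seed path (os.urandom here) remains untestable; everything below it can be checked against fixed parameters.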
