Hi Christian,
On 7/10/26 22:56, Christian Huitema wrote:
On 7/10/2026 11:54 AM, Nico Williams wrote:
...
So in a way hashing `m` adds no value because if the attacker
knows you'll be hashing `m`: since we're talking about an attacker
that can convince you to use their RNG they can just make you use
one where hashing `m` achieves nothing.
But it might be more difficult to switch out the RNG at this late
a stage. On that basis one might recommend some application level
whitening of RNG outputs: on the off chance that the attacker was
in fact counting on the use of raw RNG outputs for `m` [and
nonces].
Yes, just hashing the RNG achieves little. What you want is
whitening the RNG. You could do that by including a nonce in the
hash or by encrypting the RNG output with a local key. Or you could
do all kind of elaborate solutions, maybe some kind of sponge
construct. Or you could use something like AES-CTR-DRBG, which
satisfies the requirements for NIST SP 800-90A Compliance, and which
I understand is included in Boring SSL.
It is incredible how the disinformation mistakes the two issues.
The first problem is that you don't know that you have a sabotaged RNG
that hides structure in outputs. If you did, you'd use a different RNG,
right? So, are you already using a different RNG?
The purpose of hashing is to destroy the covert channel's algebraic
structure.
I will say it again: you hash because the output has structure but it
looks statistically like noise. It will pass your entropy tests.
Hashing is not to increase entropy and it does not require an attacker
trick you into using their RNG.
The issue is that the attacker has _already_ sabotaged people's RNGs and
the game is that you don't know which one is sabotaged.
To be completely clear: Sabotaging the entropy is a different technique
that NSA has deployed, but that is a different issue. Please don't mix
the two up.
Kind regards,
Jacob Appelbaum
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]