[147940] in cryptography@c2.net mail archive
Re: [Cryptography] What's a Plausible Attack On Random Number
daemon@ATHENA.MIT.EDU (ianG)
Fri Nov 1 13:47:34 2013
X-Original-To: cryptography@metzdowd.com
Date: Fri, 01 Nov 2013 12:03:33 +0300
From: ianG <iang@iang.org>
To: cryptography@metzdowd.com
In-Reply-To: <20131101052015.GC32733@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 1/11/13 08:20 AM, Nico Williams wrote:
> I've asked this before and maybe we can make it very short and sweet:
>
> How hard is an attacker fitting your threat model[*] willing to work
> to attack you via your RNG?
>
> [*] The person answering this question gets to pick their threat model.
Good point. The only RNG attack I can think of off-hand for which we
have reasonable evidence is the Android Bitcoin theft [0]. Very recent.
Any others?
It would seem that attacking the RNG is rather esoteric.
We don't even have evidence that the NSA has ever used their Dual_EC
pre-positioned attack vector, assuming we all agree that they did that.
What we have is supposition that if this is an attack, it's plausibly
convenient for them, 32 bytes being enough:
> Considering Dual_EC, assuming it's an attack on the wider community (as
> opposed to a secret self-key escrow that happens to also escrow other
> Dual_EC users' keys)... the answer appears to be: not too hard. This
> particular attacker, well-funded and all, apparently wanted to have to
> see just 32 bytes of RNG output to be able to recover its state with
> little effort.
>
> That's NOT evidence that no attacker is willing to work much harder than
> that to attack you via your RNG. But it's suggestive.
iang
[0] for me, I always exclude demos, academic papers, etc. Attacks must
be done by bad guys, coz that is the only way we know what the economics
of the attack are. And attacks must succeed, they must steal money or
something.
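The "32 bytes" in the quoted paragraph is the size of one P-256 x-coordinate, and the reason a single output suffices is structural: Dual_EC_DRBG walks a state s through s_{i+1} = x(s_i·P) and emits r_i = x(s_i·Q), so whoever knows a d with Q = d·P can turn one emitted point back into the next state (the relation published by Shumow and Ferguson in 2007). The toy below, added here as an illustration and not part of the thread, replays that structure on a constructed 97-element curve: all parameters, the trapdoor D, and the seed search are made up for the demonstration, and the toy emits the whole x-coordinate where the real generator drops the top 16 bits (costing an observer 2^16 guesses). Without D, recovering the state from r_i is a discrete-logarithm problem in the group generated by Q, brute-forceable on this toy and infeasible on P-256, which is why the defender's only real mitigation was never to trust constants whose provenance cannot be verified.

```python
from math import gcd

# Constructed toy curve y^2 = x^3 + A*x + B over F_p. NOT the NIST P-256
# parameters Dual_EC_DRBG uses; chosen tiny so the whole walk can be inspected.
P_MOD, A, B = 97, 2, 5
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine short-Weierstrass addition with INF represented as None."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p1 == -p2, including doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication; ec_mul(0, pt) is INF."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def lift_x(x):
    """One point with this x-coordinate, or None if x is not on the curve."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    for y in range(P_MOD):
        if y * y % P_MOD == rhs:
            return (x, y)
    return None


def point_order(pt):
    n, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        n += 1
    return n


# Base point P of maximal order in the group, and that order N.
ALL_POINTS = [pt for pt in (lift_x(x) for x in range(P_MOD)) if pt is not None]
P_BASE = max(ALL_POINTS, key=point_order)
N = point_order(P_BASE)

# The trapdoor (constructed): Q = D * P with D known to whoever picked the constants.
D = next(k for k in range(11, N) if gcd(k, N) == 1)
E = pow(D, -1, N)          # E * D == 1 (mod N), hence P == E * Q
Q_POINT = ec_mul(D, P_BASE)


class DegenerateState(Exception):
    """x(s*P) was 0 mod N; the real algorithm ignores this ~2^-256 event."""


def next_state(s):
    """s_{i+1} = x(s_i * P) mod N."""
    s_next = ec_mul(s, P_BASE)[0] % N
    if s_next == 0:
        raise DegenerateState
    return s_next


def generate(seed, count):
    """Emit `count` outputs r_i = x(s_i * Q) starting from the seed."""
    outs, s = [], seed
    for _ in range(count):
        s = next_state(s)
        outs.append(ec_mul(s, Q_POINT)[0])
    return outs


def recover_next_state(r):
    """E * (±s_i * Q) = ±s_i * P, whose x-coordinate is s_{i+1}; the sign of the
    lifted point does not matter because x(T) == x(-T)."""
    return ec_mul(E, lift_x(r))[0] % N


def predict_after(r, count):
    """Predict the `count` outputs that follow one observed output r."""
    s = recover_next_state(r)
    if s == 0:
        raise DegenerateState
    preds = []
    for i in range(count):
        if i:
            s = next_state(s)
        preds.append(ec_mul(s, Q_POINT)[0])
    return preds


def demo(observed=1, predict=3):
    """Observe one output from a constructed seed and check the trapdoor holder
    predicts the following outputs exactly; skips the rare degenerate seeds."""
    for seed in range(1, N):
        try:
            real = generate(seed, observed + predict)
            pred = predict_after(real[observed - 1], predict)
        except DegenerateState:
            continue
        return {"seed": seed, "observed": real[:observed],
                "real_next": real[observed:], "predicted": pred}
    raise RuntimeError("every seed hit a degenerate state (not expected)")


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the observed output, the generator's real subsequent outputs and the trapdoor holder's predictions; the two lists are identical, which is the "little effort" the quoted paragraph refers to. Everything an honest implementer can check about a deployed generator (is Q a known multiple of P?) is exactly what cannot be checked without the discrete log, so the defensive lesson is about constant provenance and output size, not about auditing the output stream.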
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography