[148092] in cryptography@c2.net mail archive


Re: [Cryptography] NIST Randomness Beacon

daemon@ATHENA.MIT.EDU (Andy Isaacson)
Sun Nov 10 04:18:39 2013

X-Original-To: cryptography@metzdowd.com
Date: Sun, 10 Nov 2013 00:54:01 -0800
From: Andy Isaacson <adi@hexapodia.org>
To: "d.nix" <d.nix@comcast.net>
In-Reply-To: <527F0B61.7060700@comcast.net>
Cc: cypherpunks@cpunks.org, cryptography@metzdowd.com,
	"cryptography@randombit.net" <cryptography@randombit.net>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sat, Nov 09, 2013 at 08:28:17PM -0800, d.nix wrote:
> surely someone here has an opinion...
> 
> http://www.nist.gov/itl/csd/ct/nist_beacon.cfm

From the page, a relevant suggestion:

    WARNING:
    DO NOT USE BEACON GENERATED
    VALUES AS SECRET
    CRYPTOGRAPHIC KEYS.

The Beacon is a potentially useful service.  Folks have implemented
similar semantics by, for example, hashing the DJIA closing value of a
given date (see http://xkcd.com/426/).

NIST's implementation, of course, makes them a trusted third party to
any security critical applications of this oracle.  I'd be more
comfortable with a cryptographic hash of an unpredictable but publicly
determined value; however, it's hard to find one that has as much
entropy as the Beacon.

For example, suppose you use the low bits of the bitcoin blockchain
hash.  An attacker with 10% of the hash power could probabilistically
attack such a system by choosing blocks with a specific value in those
bits; furthermore, the miners might know the relevant value earlier than
other users of the system.

-andy
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
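Quantifying the block-withholding bias Andy describes, as an added example that is not part of the original message: a toy model in which a miner controlling a fraction p of the hash power publishes only blocks whose low k bits match a target, with the closed-form match probability, a seeded simulation of the same race, and the min-entropy a beacon consumer can still count on per block. The function names, the target value 0 and the assumption that a block hash's low bits are uniform are mine, not NIST's or anyone's deployed design.

```python
import math
import random


def biased_match_probability(p: float, k: int) -> float:
    """Probability that the low k bits of the published block equal the
    withholding miner's target.  Honest miners (share 1-p) publish whatever
    they find; the withholding miner (share p) publishes only matching blocks
    and discards the rest, forfeiting that reward, so the race restarts.
    Solving q = (1-p)*m + p*m + p*(1-m)*q with m = 2**-k gives the closed form.
    The fair value (p = 0) is m."""
    m = 2.0 ** -k
    return m / (1.0 - p * (1.0 - m))


def residual_min_entropy(p: float, k: int) -> float:
    """Bits of unpredictability a beacon consumer can still rely on per block:
    min-entropy is -log2 of the most likely outcome, which is the target."""
    return -math.log2(biased_match_probability(p, k))


def simulate_match_rate(p: float, k: int, rounds: int, seed: int = 1) -> float:
    """Seeded Monte Carlo of the same race.  Block hash low bits are modelled
    as uniform random bits (a constructed assumption); the target value is 0."""
    rng = random.Random(seed)
    target, hits = 0, 0
    for _ in range(rounds):
        while True:
            low_bits = rng.getrandbits(k)
            attacker_found = rng.random() < p
            if attacker_found and low_bits != target:
                continue  # withheld: nobody sees this block, mining goes on
            break
        hits += low_bits == target
    return hits / rounds


if __name__ == "__main__":
    for k in (1, 4, 8):
        q = biased_match_probability(0.10, k)
        print(f"k={k}: fair={2**-k:.5f} biased={q:.5f} "
              f"min-entropy={residual_min_entropy(0.10, k):.3f}/{k} bits "
              f"simulated={simulate_match_rate(0.10, k, 20000):.4f}")
```

For p = 0.10 and k = 1 the target bit comes up about 52.6% of the time instead of 50%, and the attacker pays for it by discarding half of its own blocks; the `__main__` block prints the same figures for a few values of k.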
