[Cryptech Tech] SHA-2 security and RNG verification

Joachim Strömbergson joachim at secworks.se
Tue Jun 9 08:02:24 UTC 2015



Aloha!

Philipp Gühring wrote:
> I am far more worried about a potential problem in the CSPRNG. If
> anyone discovered such a problem, your whole system is likely
> toasted. I think that you can work against that.

If the CSPRNG is broken I agree that the data generated by it can't be
used as secrets. I'm not sure I agree that this implies that you can
also backtrack through the mixer and recreate the total entropy state.
But yes, if the CSPRNG is broken we are pretty screwed until we switch
the CSPRNG. This is true for any CSPRNG we choose though (CTR mode with
AES or some other block cipher, SHA-3 in PRNG mode, etc.).


> Another idea I had was that you could add a Von-Neumann filter
> between SHA-2 and the CSPRNG. Quality-wise it shouldn't make a
> difference, it should be easy to implement, and any problem in the
> CSPRNG will not cause problems with SHA-2, since you can't calculate
> back through the Von-Neumann filter. It should reduce the amount of
> bits you get from SHA-2 by half, and I think it should be a perfect
> protection against any calculating-back attacks.

We have a von Neumann decorrelator as a HW core in Cryptech and I've
considered using it between the mixer and the csprng. So yes, that is a
possibility. But right now I'm more leaning towards using a better hash
function primitive. Adding a decorrelator makes it harder to audit the
TRNG chain. It is complex as it is.


> Yes, what if someone finds a problem in ChaCha (or perhaps call it
> an unintentional backdoor) that can be used to calculate back?
> 
> It seems unlikely and implausible now, but that's what we also
> thought about those elliptic curve RNGs.

The difference being who designed ChaCha vs Dual_EC_DRBG and how
openly they are specced and evaluated. Also there is a huge difference in
complexity between the EC-based PRNGs and ARX ciphers like ChaCha. I'm
personally not worried about backdoors in ChaCha. But of course there
can appear weaknesses in the ARX construction, for example, and in how they
are used. This paper on rounds and security surprised me yesterday:

"More Rounds, Less Security?"
https://eprint.iacr.org/2015/484.pdf

We use 24 rounds in ChaCha since we get a lot of random number data out
of it and want to be conservative. But that might possibly be wrong.

One thing to note with the Cryptech TRNG is that it is fairly modular.
One can add more entropy sources to it and one can replace the specific
mixer and csprng fairly easily. If one doesn't like our choices it is not
very hard to replace them without having to rebuild the whole chain.

I'm planning to work some more on the TRNG during the summer: adding the
test mode, more support for observability of the operation and
measurements. And then test that it really works fully the way we
expect. After that I will quite probably try and change the mixer so
that the complete mixer state is not used as seed. Thank you for
pointing this out to us.

-- 
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================
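An added illustration of the von Neumann decorrelator discussed in the exchange above (example code written for this archive page, not the Cryptech HW core or any code from the thread). It runs the 01/10 pairing rule over a constructed, deliberately biased bit stream and reports the bias before and after the filter together with the output yield, i.e. what fraction of the raw bits survives; the source distribution and seed are assumptions chosen for the demonstration.

```python
"""Von Neumann decorrelator: 01 -> 0, 10 -> 1, 00 and 11 are dropped."""
import random


def von_neumann(bits):
    """Consume the input in non-overlapping pairs and emit one bit per
    unequal pair. Equal pairs are discarded, which is what makes the
    filter both debiasing and non-invertible: the dropped pairs and
    their positions are not recoverable from the output."""
    out = []
    it = iter(bits)
    for a, b in zip(it, it):
        if a != b:
            out.append(a)  # a == 0 for "01", a == 1 for "10"
    return out


def bias(bits):
    """Fraction of ones in the stream; 0.5 means unbiased."""
    return sum(bits) / len(bits) if bits else 0.0


def biased_source(n_bits, p_one, seed):
    """Constructed stand-in for a skewed entropy source (assumption:
    independent bits, P(1) = p_one). A real TRNG is not this clean."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def demo(n_bits=200_000, p_one=0.7, seed=1):
    """Filter a biased stream and return the measured statistics.
    For independent bits the expected yield is p*(1-p) output bits per
    input bit: 0.21 here, 0.25 for an already unbiased source."""
    raw = biased_source(n_bits, p_one, seed)
    filtered = von_neumann(raw)
    return {
        "raw_bias": bias(raw),
        "filtered_bias": bias(filtered),
        "yield": len(filtered) / n_bits,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:.4f}")
```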

