ietf-openpgp

Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed

2019-10-18 01:53:34

Daniel Kahn Gillmor <dkg(_at_)fifthhorseman(_dot_)net> wrote:
    > yep, that's why i'm trying to help think this through, even though i'm
    > not particularly excited about it. :)

    >> {An interesting (mathematical, density of primes) question would be
    >> whether one would be able to determine from looking at the public key
    >> whether it was recoverable or not.  That is, can one recognize some
    >> pattern in the expanded DRBG. It might still be statistically secure,
    >> yet since the amount of entropy in the key is less than the entropy in
    >> the input, it might leave a pattern}

    > Can you give an example of this?  I haven't tried to prove this, but i
    > think if the generated public key (whether a curve25519 point or an RSA
    > modulus) is distinguishable from other public keys, there is a strong
    > argument to be made that either the DRBG or the secret key derivation
    > mechanism is deeply flawed.

If I could prove such a thing then I'd have a Fields Medal for having
discovered something new and interesting about the density of primes :-)

If the input to our KDF is 120 bits and the output is 256 bits,
then there must be a bunch of numbers that we can't derive from the KDF.
But, as PHB says, 2^120 is a big enough work factor that it's okay.
(5 bits * 5 groups * 4 characters/group = 120)

For ECDSA, any number will do, AFAIK.
{When producing numbers for RSA, I think we have to start with the random number
and then search deterministically for a suitable prime.  I was more thinking
that this process might leave detectable traces}

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr(_at_)sandelman(_dot_)ca  http://www.sandelman.ca/        |   ruby on rails    [
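
An added example, not part of the original message or of any OpenPGP implementation: a sketch of the derivation discussed above, in which a 120-bit seed is expanded and each RSA prime is the first probable prime found by stepping up from the expanded value. The 5-bit alphabet, the labels, SHAKE256 as a stand-in for the DRBG, the toy 512-bit modulus size and the sample seed are all assumptions made for illustration.

```python
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # assumed 5-bit alphabet (base32)
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
SAMPLE_SEED = "kq3f-x7mb-2hzt-c5wn-r4ja-e6ly"  # constructed: 24 chars = 120 bits

def seed_to_bytes(seed: str) -> bytes:
    """Decode a grouped seed at 5 bits per character."""
    chars = seed.replace("-", "").lower()
    n = 0
    for c in chars:
        n = (n << 5) | ALPHABET.index(c)
    return n.to_bytes((5 * len(chars) + 7) // 8, "big")

def expand(seed: bytes, label: bytes, nbytes: int) -> bytes:
    """Stand-in for the DRBG: SHAKE256 over a domain label and the seed."""
    return hashlib.shake_256(label + b"\x00" + seed).digest(nbytes)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases, so the result is reproducible."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def derive_prime(seed: bytes, label: bytes, bits: int):
    """Return (prime, steps): first probable prime at or above the expanded value."""
    start = int.from_bytes(expand(seed, label, bits // 8), "big")
    start |= (3 << (bits - 2)) | 1  # force full length and oddness
    cand = start
    while not is_probable_prime(cand):
        cand += 2
    return cand, (cand - start) // 2

def derive_rsa_modulus(seed_text: str, bits: int = 512):
    """Toy size; returns (n, (p_steps, q_steps)), identical for identical seeds."""
    seed = seed_to_bytes(seed_text)
    (p, ps), (q, qs) = (derive_prime(seed, lbl, bits // 2) for lbl in (b"p", b"q"))
    return p * q, (ps, qs)
```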
        
