ietf-openpgp

Re: [openpgp] Deriving an OpenPGP secret key from a human readable seed

2019-10-18 08:37:50
On 10/17/19 7:42 PM, Daniel Kahn Gillmor wrote:
> On Thu 2019-10-17 12:13:20 +0200, Michael Richardson wrote:
>> That's a good point; however sometimes perfect is the enemy of good enough,
>> and that has been the case for encrypted email for a long time.
>>
>> A recoverable key would be an option, not a requirement.
>
> yep, that's why i'm trying to help think this through, even though i'm
> not particularly excited about it. :)
>
>> {An interesting (mathematical, density of primes) question would be whether
>> one would be able to determine from looking at the public key whether it was
>> recoverable or not.  That is, can one recognize some pattern in the expanded
>> DRBG. It might still be statistically secure, yet since the amount of entropy
>> in the key is less than the entropy in the input, it might leave a pattern}
>
> Can you give an example of this?  I haven't tried to prove this, but i
> think if the generated public key (whether a curve25519 point or an RSA
> modulus) is distinguishable from other public keys, there is a strong
> argument to be made that either the DRBG or the secret key derivation
> mechanism is deeply flawed.

Svenda, et al: "The Million-Key Question – Investigating the Origins of
RSA Public Keys", USENIX Security Symposium 2016.

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_svenda.pdf

"We analysed over 60 million freshly generated key pairs from 22 open-
and closed-source libraries and from 16 different smartcards, revealing
significant leakage."

Thanks,
Marcus

-- 
Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann
