
Re: Randomness sources for the IETF 2015-2016 Nomcom Selection

2015-06-23 10:41:52


--On Tuesday, June 23, 2015 09:18 -0400 Phillip Hallam-Baker
<phill(_at_)hallambaker(_dot_)com> wrote:

From a security point of view, the question is not whether the
inputs are random, it is whether they are vulnerable to
manipulation. Having more inputs does not make a system more
robust against this type of attack, it makes it more vulnerable.

I am not a cryptographer and don't even play one on television.
But my statistical intuition (and the reasoning in RFC 3797)
causes me to question the latter assertion.  I note, for example
that almost everyone who has taken an introductory, sampling or
data-based, stats course has been told that the remedy for the
likelihood that a subject will end up in the sample who is not
representative of the population is larger sample sizes.
Assuming that there is no direct relationship between a
particular source and the output, the same principle suggests
that (up to a point, see 3797) requiring more sources should
reduce the effects of one manipulated source.   In the interest
of sanity, I'm not interested in discussing it further on this
list -- if you believe the 3797 is wrong, I look forward to a
carefully-researched and well-documented I-D that both
demonstrates that and proposes something better.

If we are changing our ECC curves due to the possibility that
NIST might have been suborned, we should not be using a number
so obviously capable of being manipulated as an input.

The reason that we can trust lottery numbers is not that they
are absolutely immune from tampering. We can trust them
because anyone who could be bothered to tamper with them has a
much bigger incentive than manipulating the IETF NOMCOM
choices. This means that we can put a dollar value on the
manipulation, a few hundred million USD.

Just following that logic, could you explain who would have the
power and incentive to manipulate the reported US national debt
in order to affect the IETF Nomcom selection process?  I suppose
that demonstration would start by demonstrating that there are
people involved in the debt analysis and reporting process who
have even heard about the IETF and its nomination process and
who give a rat's a** about it?  Given the 3797 criteria (or the
definition of unbiased in 7437), it seems like a real stretch
and, frankly, that it would be more productive to worry about
lotteries with bad randomization processes or algorithms.

I also observe that someone trying to attack the IETF process
would, in most cases, need to figure out how to attack a
particular day's numbers and not the overall formula or method
of producing the relevant value or statistic.  That seems even
more far-fetched, especially because the day on which the
numbers will be drawn is not generally known.

If one were worried about being extra-cautious about
predictability of a future draw, I'd wonder a bit about
autocorrelation in any economic statistic but, again, if one
were concerned about that, one might get more sophisticated
about trimming high-sensitivity (to autocorrelation) digits from
the numbers.  However, again with the assumption that drawing
numbers from multiple sources adds to diversity and
randomness (at least absent evidence of specific, IETF-focused
manipulation of multiple sources), it seems to me a real stretch
to believe that is occurring or likely to occur.

I am not going to contribute to this thread and where I think it
belongs by making this my last posting on the subject.

    john

