[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Shared random value calculation edge cases (proposal 250)

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
From: Tim Wilson-Brown - teor <teor2345@xxxxxxxxx>
Date: Mon, 23 Nov 2015 09:14:11 +1100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 22 Nov 2015 17:14:30 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:message-id :references:to; bh=WBRK1ccF7+LY1i5wFfjq90kOY0WpZ0tAp/aR2Mf3TrQ=; b=s1MuKkIfpkMEQt+DInUXanPQW+xyrKaSNbse3dm5HBJ7uinGAXzSB5xQwYX1uFgGJC GeaFDuHT+XW2HTFWKofyPNahihkNQZfzLdTfP2rw+5ASEiJmusI/hMO7MGG6KE2aVv55 hlOcscnM9LxWEfhUnZkH4V0D7SranKxCM8KjFARj0tceQYUkbgxb7Ce1DBpwiPJ6Ipy1 JaFid9gAnXgqRhSGdzH4tE6sO03ol5zILO69eshnnE1QxCgB8MpMtExaEVksEBdFHdvP JTs1cQhC7snhT5dtmGwusznlG0+Ozfh0WFn69d+aGA8TZjPBGhNyRlXFe/bJ6w+OCOB4 ZLoA==
In-reply-to: <CAFggDF0t=0dMW0JugX8vco8pNVQ1bqFeJKZa12Nb0KT1j=aFeQ@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <87mvuj70rk.fsf@xxxxxxxxxx> <CAFggDF3gjhj8JcRmEKedKG1PU6hCX_qFGann_XeGcXMu_k39Mg@xxxxxxxxxxxxxx> <20151119223249.GC14686@raoul> <8737w1o80t.fsf@xxxxxxxxxx> <D54F678B-209C-4EF5-8F94-506871D23C9E@xxxxxxxxx> <CAFggDF0t=0dMW0JugX8vco8pNVQ1bqFeJKZa12Nb0KT1j=aFeQ@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On 22 Nov 2015, at 01:09, Jacob Appelbaum <jacob@xxxxxxxxxxxxx> wrote:

We typically add a distinguishing value to hashes and signatures in prop224
- can/should we do that for the shared random proposal as well?

I don't think so?

I tend to agree - there's no need for a distinguishing value here.

As far as I understand, a distinguishing value is used to make hashes used for different purposes unique, even if they have the same input data. It also means that any precomputed matches or hash confirmations have to be done for each hash and purpose.

But random inputs don't suffer from either of these issues (the input is random, and precomputing 256 random bits is infeasible). Also, adding a distinguishing value would mean that more than 256 bits are hashed into 256 bits, which I assume would be slower, for no net gain.

It would look like:

RN = 255-bit random number
REVEAL_VALUE = H("derive-reveal" | RN)
COMMIT_VALUE = H("derive-commit" | REVEAL_VALUE)

My suggestion shouldn't impact such a choice in any case. I merely
suggest that the 256-bit (surely you don't mean 255 bit?) random
number is hashed before we consider it a valid candidate RN value.

Ugh, I copy-pasted the original mistake. You're right, it should be 256.

The following are equivalent and should be indistinguishable uniformly
random values:

(RN = H(gen_random(256)) ~= (RN = gen_random(256))

The cost is an extra full sha256 but the resulting output is
different. The key difference is that we do not reveal the raw outputs
of the (P)RNG directly to the network or to a potential adversary.

I'll see if I can write a patch for this.

It's something we should do with all our random values, not just the ones for prop250.

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Shared random value calculation edge cases (proposal 250)
  - From: George Kadianakis
- Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
  - From: Jacob Appelbaum
- Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
  - From: David Goulet
- Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
  - From: George Kadianakis
- Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
  - From: Tim Wilson-Brown - teor
- Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
  - From: Jacob Appelbaum

Prev by Author: Re: [tor-dev] Graphs - Estimated Traffic Capacity
Next by Author: Re: [tor-dev] Scaling Tor Metrics
Previous by thread: Re: [tor-dev] Shared random value calculation edge cases (proposal 250)
Next by thread: [tor-dev] Weird interactions between TBB and Hidden Services upon HS kill/restart
Index(es):
- Author
- Thread