Hacker News

> [re magic "expand 32-byte k" string] And it's readable ASCII text, so you can be pretty sure there's no back door in there.

I am not sure this matters?

I mean, facebook managed to get a reasonably nice .onion routing id (facebookcorewwwi.onion) by bruteforcing stuff right?

I can imagine bruteforcing the "backdoor key space" to find something that looks good, am I insane?




They did throw >100,000,000 CPU-hours at it https://news.ycombinator.com/item?id=11550922 , but they still got extremely lucky to find such a good address. https://news.ycombinator.com/item?id=8538390 It's not usually that easy.


If backdoored constants are easy enough to find that you are able to find them AND they are appropriate English phrases, then the cipher itself is likely broken; doubly so, as the original version of ChaCha had 2 key sizes, 16-byte and 32-byte, and each used the applicable constant, so in this case you would have had to have found 2 matching backdoored constants.

That being said, you aren't crazy; this is what the NSA was accused of doing with elliptic curves, though they had started with inexplicable random seeds.


It doesn't really matter. The key thing is that the constant bytes prevent a symmetry from forming in the block. So it matters that the string does aid such symmetry. Making it a text string is just a flourish helpful to us humans. It makes it easier to see the lack of symmetry and trivially answers the question, "why those bytes?"


It adds significantly to the cost of putting a backdoor in. Perfect security is impossible, it's all about increasing the costs to attackers.


I'll just leave this here https://bada55.cr.yp.to/


That's a good cite but really mostly relevant to curves. If a cipher design had any of this kind of flexibility with regards to its parameters or inputs, nobody would use that cipher.


I was wondering about this, too. To put even more paranoia at the table:

Readable ASCII means that every byte is in a certain range. For example, bit 7 is 0 for every byte. Maybe this alone enables a backdoor.

That is, the mere fact that this is readable ASCII could enable a backdoor. Who knows?


No, it does not. You're taking this notion of constrained values out of context. ASCII strings in crypto constructions are very common; for instance, they provide domain isolation in hash constructions (where you have a single hash function applied to inputs of different sensitivity, and want to mint multiple logically unrelated hash functions from the one you have). They're also common in versions.

The ASCII we're looking at here is conceptually a hash input. It's not a part of the design of the hash core itself.
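As an added illustration of the domain-isolation use of ASCII strings mentioned above (this is example code, not from the thread): two ways to mint logically unrelated hash functions from one core, a BIP340-style tagged SHA-256 where the ASCII tag is part of the hash input, and BLAKE2b's built-in personalization string, which carries the same ASCII label in the hash's parameter block. The tag names and the message are constructed for the example.

```python
import hashlib


def tagged_hash(tag, msg):
    """SHA-256 under an ASCII domain tag: SHA256(SHA256(tag) || SHA256(tag) || msg).

    Hashing the tag first gives a fixed 64-byte prefix (exactly one SHA-256
    block), so an implementation can precompute the midstate for each tag.
    Distinct tags yield hash functions whose outputs are unrelated in practice."""
    th = hashlib.sha256(tag).digest()
    return hashlib.sha256(th + th + msg).digest()


def personalized_blake2b(person, msg):
    """BLAKE2b-256 with its personalization parameter (at most 16 bytes)."""
    return hashlib.blake2b(msg, digest_size=32, person=person).digest()


def domain_separation_demo(msg=b"constructed sample message"):
    """Return named checks showing the label, not the message, selects the function."""
    a = tagged_hash(b"demo/challenge", msg)
    return {
        "deterministic": a == tagged_hash(b"demo/challenge", msg),
        "tags_separate": a != tagged_hash(b"demo/nonce", msg),
        "tagged_not_plain": a != hashlib.sha256(msg).digest(),
        "blake2_person_separates": personalized_blake2b(b"demo-v1", msg)
                                   != personalized_blake2b(b"demo-v2", msg),
    }


if __name__ == "__main__":
    for name, ok in domain_separation_demo().items():
        print(f"{name}: {ok}")
```

In both constructions the ASCII label is an input to the hash, exactly as the comment above describes; the hash core itself is unchanged, and the label's byte values are chosen for readability, not for any cryptographic property.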


This theory probably contradicts the usage of block ciphers in counter mode. With them, the input block is usually full of zeros. This constraint has strengthened ciphers in the past. DJB wrote somewhere that some block ciphers were broken in CBC mode (all the block can be controlled by the attacker), while CTR mode was still safe (many bits forced to zero).



