miracl / MIRACL

MIRACL Cryptographic SDK: Multiprecision Integer and Rational Arithmetic Cryptographic Library is a C software library that is widely regarded by developers as the gold standard open source SDK for elliptic curve cryptography (ECC).
https://miracl.com

Security of the PRG #68

Open wangxiao1254 opened 5 years ago

wangxiao1254 commented 5 years ago

Can you point to the PRG scheme that is being used in the code? Is it a provably secure PRG in the cryptographic sense?

mcarrickscott commented 5 years ago

Hello,

It's the method described here - ftp://ftp.rsasecurity.com/pub/pdfs/bull-1.pdf

See figure 1

Mike

On Fri, Dec 14, 2018 at 2:58 AM Xiao Wang notifications@github.com wrote:

Can you point to the PRG scheme that is being used in the code? Is it a provably secure PRG in the cryptographic sense?


wangxiao1254 commented 5 years ago

Thanks.

Thanks, Xiao

mcarrickscott commented 5 years ago

The basic construction is according to figure 1 as described. The components are however updated.

So in mrstrong.c we use SHA256 instead of MD5, and the long-period Marsaglia & Zaman random number generator.

As far as I am aware this construction is not provably secure. But it has passed the test of time.

Mike

On Fri, Dec 14, 2018 at 1:27 PM Xiao Wang notifications@github.com wrote:

Thanks.


When you say you use the scheme in figure 1, do you mean you assume that MD5 is a random oracle?

I saw that there is a comment here: https://github.com/miracl/MIRACL/blob/master/source/mrcore.c#L495 Saying that the PRG is "Marsaglia & Zaman random number generator". Is this the same as in the Figure?

Thanks, Xiao


wangxiao1254 commented 5 years ago

Ignoring the performance penalty, using SHA-256 is fine, but I'm not sure why "Marsaglia & Zaman" is needed. This "Marsaglia & Zaman" does not seem to be secure and is not necessary anyway.
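The two points made above (Mike's description of the hash-then-output construction, and Xiao's remark that the Marsaglia & Zaman generator is itself not secure) can be made concrete with a small model of that shape. The following is an added illustration written for this thread, not code from MIRACL's mrstrong.c or mrcore.c: it seeds a subtract-with-borrow (SWB) generator from a SHA-256 digest of raw seed material, emits SHA-256 digests of SWB batches as output, and separately shows that the raw SWB stream is predictable from a short run of its own outputs. The lags r=24, s=10, base 2**32, the counter-mode seed expansion, and the 32-word batch size are constructed assumptions, not MIRACL's parameters.

```python
"""Hash-then-output PRG in the shape discussed in this thread: a SHA-256 digest of
raw seed material seeds a fast Marsaglia & Zaman style subtract-with-borrow (SWB)
generator, and each output block is SHA-256 over a batch of SWB words.
Added illustration with constructed parameters, not MIRACL's mrstrong.c."""
import hashlib
import struct


class SubtractWithBorrow:
    """Marsaglia & Zaman style SWB lagged generator:
    x_n = (x_{n-s} - x_{n-r} - c) mod b, where the borrow c becomes 1 when the
    subtraction goes negative. Lags r=24, s=10 and b=2**32 are chosen here for
    illustration only. Long period and fast, but linear and NOT secure on its own."""
    R, S, BASE = 24, 10, 2 ** 32

    def __init__(self, seed_words):
        if len(seed_words) < self.R:
            raise ValueError("need at least %d seed words" % self.R)
        self.state = [w % self.BASE for w in seed_words[: self.R]]
        self.carry = 0

    def next_word(self):
        raw = self.state[-self.S] - self.state[-self.R] - self.carry
        self.carry = 1 if raw < 0 else 0
        x = raw % self.BASE
        self.state.append(x)
        del self.state[0]
        return x


class HashedPRG:
    """Output blocks are SHA-256 digests of SWB batches, so raw SWB words are never
    exposed; secrecy rests on the seed entropy and the hash, not on the SWB."""
    WORDS_PER_BLOCK = 32

    def __init__(self, raw_seed: bytes):
        digest = hashlib.sha256(raw_seed).digest()
        words, ctr = [], 0
        while len(words) < SubtractWithBorrow.R:  # counter-mode expansion (constructed)
            block = hashlib.sha256(digest + struct.pack(">I", ctr)).digest()
            words.extend(struct.unpack(">8I", block))
            ctr += 1
        self.fast = SubtractWithBorrow(words)
        self.pool = b""

    def _refill(self):
        batch = [self.fast.next_word() for _ in range(self.WORDS_PER_BLOCK)]
        packed = struct.pack(">%dI" % self.WORDS_PER_BLOCK, *batch)
        self.pool = hashlib.sha256(packed).digest()

    def get_bytes(self, n):
        out = bytearray()
        while len(out) < n:
            if not self.pool:
                self._refill()
            take = min(n - len(out), len(self.pool))
            out += self.pool[:take]
            self.pool = self.pool[take:]
        return bytes(out)


def predict_swb(observed, how_many):
    """Given R+1 consecutive raw SWB outputs and nothing else, recover the borrow
    bit and predict the following outputs exactly. This linearity is why the SWB
    must never be used as a keystream by itself, and why, once its words are
    hashed, it adds nothing to the construction's security."""
    R, S, B = SubtractWithBorrow.R, SubtractWithBorrow.S, SubtractWithBorrow.BASE
    hist = list(observed)
    if len(hist) < R + 1:
        raise ValueError("need at least R+1 observed outputs")
    carry = None
    for c_in in (0, 1):  # exactly one borrow value reproduces the last observed word
        raw = hist[-1 - S] - hist[-1 - R] - c_in
        if raw % B == hist[-1]:
            carry = 1 if raw < 0 else 0
    if carry is None:
        raise ValueError("observed sequence is not an SWB stream with these lags")
    preds = []
    for _ in range(how_many):
        raw = hist[-S] - hist[-R] - carry
        carry = 1 if raw < 0 else 0
        x = raw % B
        hist.append(x)
        preds.append(x)
    return preds


def demo():
    """Seed the PRG from constructed entropy and exercise both halves of the point:
    returns (hashed keystream, whether the raw SWB stream was predicted exactly)."""
    prg = HashedPRG(b"constructed seed bytes: replace with real entropy")
    keystream = prg.get_bytes(48)
    swb = SubtractWithBorrow(struct.unpack(">24I", hashlib.sha256(b"swb").digest() * 3))
    leaked = [swb.next_word() for _ in range(25)]   # R+1 raw outputs an observer saw
    truth = [swb.next_word() for _ in range(10)]    # what the generator emits next
    return keystream, predict_swb(leaked, 10) == truth


if __name__ == "__main__":
    ks, predicted = demo()
    print("hashed output:", ks.hex())
    print("raw SWB stream predicted from its own outputs:", predicted)
```

The model makes the division of labour visible: every byte the caller sees passes through SHA-256, so the SWB only serves as a cheap way to vary the hash input between blocks, and the construction's strength is bounded by the entropy in the raw seed and the hash's properties, exactly the gap between "passed the test of time" and "provably secure" that the thread is about.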