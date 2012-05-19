Hacker News new | comments | show | ask | jobs | submit login
On the Impending Crypto Monoculture (2016) (lwn.net)
71 points by dankohn1 2 hours ago





As the article says, Bernstein's stuff won out because his work is at the intersection of solid crypto, clean and performant code, and sane API design. This, coupled with the NIST curve debacle that shook public confidence, makes for a compelling case.

Part of the problem is there is often a wide gulf between cryptographers and the authors of libraries who then go on to use those algorithms. This is perhaps more acute with approved-by-committee, standardized crypto because library authors may have to implement it to be compatible, despite not being experts in the particular algorithm.

In Bernstein's case, he ships (through NaCl) a reference implementation that is good enough to be used in production, and packages complete constructs in ways that are resistant to misuse. This is his innovation -- other libraries tend to offer only the primitives and rely on the user to chain them together in ways that make sense and never in the ways that don't.

There are other cryptographers that ship decent reference implementations -- the Keccak team being one -- but their work is largely restricted to sponges and any construct that can be formed out of it (e.g. PRFs, stream ciphers, hash functions). There is perhaps a shortage of people who look at holistic cryptosystems and possess both the domain knowledge and the ideal attitude towards misuse-resistant design.

> As the article says, Bernstein's stuff won out because his work is at the intersection of solid crypto, clean and performant code, and sane API design.

As a casual observer, my impression has been pretty different. Here's an excerpt from the README of curve25519-donna, which it seemed like everyone was using for a while:

curve25519 is an elliptic curve, developed by Dan Bernstein, for fast Diffie-Hellman key agreement. DJB's original implementation was written in a language of his own devising called qhasm. The original qhasm source isn't available, only the x86 32-bit assembly output.

Since many x86 systems are now 64-bit, and portability is important, this project provides alternative implementations for other platforms.

My impression has always been that what we get from DJB is some wacky implementation written in a language of his own devising, or just the 32bit assembler output of that, or some partial code fragment that has to be disentangled from his benchmarking library, and the only thing that makes this usable are people who are motivated to do the work of making it digestible by mortals.

I get the point, but the current state of affair encourages me to make it even worse. I'm currently working on a tweetNaCl-like library that will integrate not only Chacha20, but also Blake2b and Argon2i, based on the same ideas.

The repeated application of simple ARX based rounds is a damn good idea: it's efficient even for software implementations, it's often "naturally" constant time, and it's simple. Implementing this stuff is easy: if it's Valgrind clean and passes the test vectors, it probably works. It also makes audits and reviews much easier.

Similarly, Wegman-Carter authenticators such as Poly1305 are kind of a no-brainer: no forgeries are possible unless you break the cipher itself! Also, fast. Modular arithmetic and potential limb overflow makes them harder to get right but still.

Finally, there is simply no escaping elliptic curves. I don't trust the NIST curves. 25519 is not too complex, fast, and doesn't leave enough space in its constants for a backdoor (DJB made sure the design constraints were tight).

I mostly agree with this article, but I don't mind a monoculture if it means I get boring crypto.

Reminder, because the term "monoculture" has a powerful negative valence for those of us who remember Slashdot from the 1990s: Guttman isn't arguing that this is a dangerous development, but rather that it's sad that the rest of the cryptographic research community hasn't given Bernstein a run for his money.

I suspect the situation will look different 10 years from now: CAESAR will probably spit out a couple strong non-Bernstein AEADs, for instance. And remember, we're still not using a Bernstein hash (though BLAKE traces back to Salsa).

> BLAKE traces back to Salsa

Just reviewed some Blake2b, the round structure even integrates the Chacha20 improvements: the quarter-round has the same structure (besides the extra 2 parameters), and their application follows the same SIMD friendly column/diagonal rounds we see in Chacha20.

> What's more, the reference implementations of these algorithms also come from Dan Bernstein (again with help from others), leading to a never-before-seen crypto monoculture in which it's possible that the entire algorithm suite used by a security protocol, and the entire implementation of that suite, all originate from one person.

We've had crypto monoculture before. 15-20 years ago, we were using RSA, RC4, and MD5. Ron Rivest had a large hand in all of them. They weren't bad for the time, and the bad parts weren't bad because of common authorship.

I think the problem is ultimately the Bus Factor. If we're all relying on one implementation and that implementation is compromised (hit by a bus, a bug, NSA involvement, one bad 0-day, etc), there isn't anything to fall back on. That's my take given the history provided. This may be fixed as time passes and more implementations and crypto experts come together, but it does leave us with a Single Point of Failure nonetheless at this time.

For those newbies like me wondering about AEADs:

https://www.imperialviolet.org/2015/05/16/aeads.html

Another good one:

https://blog.cryptographyengineering.com/2012/05/19/how-to-c...

> In adopting the Bernstein algorithm suite and its implementation, implementers have rejected both the highly brittle and failure-prone current algorithms and mechanisms and their equally brittle and failure-prone implementations.

Right for the throat.

So djb writes crypto code that works and everybody switches to it but it isn't because his stuff is any good? Through the entire article he doesn't list anything wrong with the djb crypto stuff and ends up calling it 'brakish' and 'camel dung'? Really? It isn't because djb stuff is good, it is because everything else is crap? WTF?

  the single biggest, indeed killer failure 
  of the [GCM], the fact that if you for some
  reason fail to increment the counter, you're
  sending what's effectively plaintext (it's
  recoverable with a simple XOR).
Is this property particularly unique to GCM? I'd have thought all encryption algorithms would fail if you didn't give them the right inputs?

Yeah, Chacha20 would fail the same way if we used the same key and nonce for different messages. I'm not sure what he was getting at.

To be honest, nonce reuse with Bernsteins authenticated encryption algorithms will lead to the same problem as those the author points out with GCM (i.e. plaintext recovery). However, the biggest issue with GCM isn't that the plaintext leaks when reusing nonces, it's the fact that reusing nonces leads to an attacker being able to forge arbitrary ciphertexts.

But… Poly1305 has the same "problem"…

(2016)

Why personify crypto? Let the math alone be the driver in this domain. What is solid and true will eventually trickle up.

Security issues often come from engineering and culture, not math.

