Bug #64324 for Math-Random-ISAAC: ISAAC::PP and ISAAC::XS should set the last seed element to the seed size

Thu Dec 30 02:19:42 2010 mkanat [...] cpan.org - Ticket created

Subject:

ISAAC::PP and ISAAC::XS should set the last seed element to the seed size

I wrote to the author of ISAAC (Bob Jenkins), curious about the required seed size, and this is what he wrote back: "No, you don't need a full 8192 bits of seed data. Normal key sizes will do fine, and they should have their expected strength (eg a 40-bit key will take as much time to brute force as 40-bit keys usually will). You could fill the remainder with 0, but set the last array element to the length of the key provided (to distinguish keys that differ only by different amounts of 0 padding). You do still need to call randinit() to make sure the initial state isn't uniform-looking. "After publishing ISAAC, I wanted to limit the key to half the size of r[], and repeat it twice. That would have made it hard to provide a key that sets the whole internal state to anything convenient. But I'd already published it." So at the least, it sounds like instead of *just* zero-filling the array, there should also be an element at the end of the array that lists the seed size, if the seed wasn't a full 8192 bits. It may also be better to repeat the seed as much as possible before zero-filling--I've written back to ask about it.

Thu Dec 30 19:23:45 2010 mkanat [...] cpan.org - Correspondence added

Okay, I wrote to Bob again about repeating the seed. Here's what I asked: "For my code, would repeating the key over and over to fill 256 integers be a better solution than zero-filling, or would they essentially be the same?" And here's what he said: "If the seed is under 32 bytes, they're essentially the same, otherwise repeating the seed would be stronger. randinit() takes a chunk of 32 bytes, mixes it, and combines that with the next 32 bytes, et cetera. Then loops over all the elements the same way a second time."

Thu Dec 30 19:23:46 2010 mkanat [...] cpan.org - Status changed from 'new' to 'open'

Fri Dec 31 15:04:17 2010 JAWNSY [...] cpan.org - Correspondence added

Hi, Thanks for the bug report :-) When I wrote these modules, I wanted them identical to Bob Jenkins' reference implementation as was available on his web site at the time, because they came with some accompanying tests (which I have then incorporated into these). By "tests", I guess I mean the output from randvect.txt or randseed.txt (I really don't remember what I did now, it was a long time ago) -- I verified that the Perl stuff produces the same results, though now I'm curious why I didn't write proper tests against his randvect.txt/randseed.txt files. Anyway, I thought Bob's main idea here was to get users to provide the seed (and I suppose deal with repeating it or whatever else themselves if they so desire). Personally, if using this for anything more serious, you should be seeding with as much truly random data as possible, hopefully so you don't need to repeat any part of your seed. I'm not a security expert by any means. Mostly I'm just curious why Bob hasn't updated his reference implementation to incorporate these changes, or at least leave a note similar to the information he gave you. I'll look into this; though given that this stuff "works" for now, this doesn't seem like a very critical fix -- everything here works as one would expect it, given Bob's reference implementation. It's much more likely for me to integrate these changes if I get a patch of some sort against both of these (and of course the accompanying tests). My code is currently moved to Github, and I also plan to move all of these things to using Dist::Zilla at some point in the future. Currently all of my commitments with Debian and $paid_work have been keeping me pretty busy though :-( https://github.com/jawnsy/Math-Random-ISAAC https://github.com/jawnsy/Math-Random-ISAAC-XS Cheers, Jonathan

Mon Jan 03 01:36:29 2011 mkanat [...] cpan.org - Correspondence added

Hey Jonathan. :-) Thanks for the really detailed reply. I'll reply inline. On Fri Dec 31 15:04:17 2010, JAWNSY wrote: Show quoted text

> Anyway, I thought Bob's main idea here was to get users to provide the > seed (and I suppose deal with repeating it or whatever else themselves > if they so desire).

That's true. Of course, in this case, Math::Random::ISAAC and Math::Random::ISAAC::XS are the parts that contain the array expansion for the seed, so what we do with that is up to us. Show quoted text

> Personally, if using this for anything more serious, > you should be seeding with as much truly random data as possible, > hopefully so you don't need to repeat any part of your seed.

Actually, although that sounds simple and true at first, in fact it's not. There is a limited amount of truly random data available from all of the truly-random data sources on any given system (for example, on all *nix-like systems, /dev/urandom or /dev/random). So if you continue to read a lot of data from them, you actually decrease the amount of randomness available in them and force them to fall back on their internal PRNG, meaning that not only your application is less secure, but so is every application on the system. In fact, what one should be doing when seeding is reading a seed of a reasonable size to prevent discovery by brute force (unless there are other considerations specific to the algorithm you're using, which for ISAAC, there aren't). Bob actually has a great little informative page on his site that describes the amount of time required to brute force data of various sizes: http://burtleburtle.net/bob/crypto/magnitude.html#brute Which demonstrates that a 256-bit key is probably good enough forever, and if you take into account Moore's Law, then a 512-bit key is probably good enough for the next 1000 years. Show quoted text

> I'm not a security expert by any means. Mostly I'm just curious why

Bob Show quoted text

> hasn't updated his reference implementation to incorporate these > changes, or at least leave a note similar to the information he gave

you. My understanding of Bob's viewpoint, from his emails and his website, is that ISAAC is a published math paper, and the reference implementation is the accompanying attachment to that published paper. So it's not something that can change, for him. Also, the challenge on his website depends on the reference implementation working exactly as it does now, so he may not want to change that. Show quoted text

> I'll look into this; though given that this stuff "works" for now,

this Show quoted text

> doesn't seem like a very critical fix -- everything here works as one > would expect it, given Bob's reference implementation. It's much more > likely for me to integrate these changes if I get a patch of some sort > against both of these (and of course the accompanying tests).

Yeah, I agree, it's not critical. Just thought it would be nice to make the seed even more secure if possible. :-) Show quoted text

> My code is currently moved to Github, and I also plan to move all of > these things to using Dist::Zilla at some point in the future.

Currently Show quoted text

> all of my commitments with Debian and $paid_work have been keeping me > pretty busy though :-(

Ahh, okay. Well, if I have some time or some inclination to do it, I'd be happy to convert the distros to Dist::Zilla and provide this patch, although my C skills are a little rusty and would make updating the XS part take longer than updating the Perl part. (I could still do it, though.) Thanks for the github links! :-) I don't see a likely point in the future at which I'd get to it, but perhaps we could leave this bug open for anybody else who comes along and might want to do it, or one of us if we get to it at some point.

Sun Apr 24 12:09:43 2011 JAWNSY [...] cpan.org - Taken

Mon Jun 10 13:32:40 2013 JAWNSY [...] cpan.org - Untaken