deterministic generation of public/private keypairs


zooko

Mar 13, 2008, 12:38:52 PM
to Crypto++ Users
Folks:

I've continued to use and extend my "pycryptopp" library which
provides a small subset of Crypto++ functionality to Python programmers.

I've also set up a "trac" to manage pycryptopp. Trac is a
combination of an issue tracker, revision control history, source
code browser, and wiki:

http://allmydata.org/trac/pycryptopp

Notice the "Buildbot" button -- that takes you to the display of the
results from automated unit tests.


Recently I realized that my code which was intended to offer the user
to deterministically generate a public/private key-pair from a secret
seed was not working. I had assumed from the names that "Auto
Seeded" RNGs drew from information outside of the explicit arguments
and that therefore non "Auto Seeded" RNGs would be determined
entirely by their arguments. Now I've learned that this is not true,
neither for RandomPool nor for X917RNG. (So it would be good to
augment the documentation to make it clear that the RandomPool and
X917RNG both sample the clock by default.)


So I started to use X917RNG by passing a correctly-sized array of
zeroes for the "deterministic time vector" argument, but then I
realized that the seed size is limited by the block size of the
BlockTransformation, and after a brief search I didn't see a block
cipher with a sufficiently large (256-bit) block size that I wanted
to use. (It would be nice if there were a convenient way to specify
"deterministic PRNG only, please" without having to construct a
32-byte array of zeroes.)


I tried using SHA256, and then Salsa20, but of course they aren't
BlockTransformations.

So my next idea is to define my own BlockTransformation class which
uses Salsa20 and pretends to have a block size of 32.


Make sense?

Thanks!

Regards,

Zooko
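What Zooko is after, written out as an added example for this thread (it is not code from pycryptopp or from Crypto++): a byte generator whose output depends on nothing but a 32-byte seed. It is plain Python using HMAC-SHA256 in counter mode in place of the Salsa20 keystream he sketches, and the class and method names are my own. The `extra` parameter stands in for the implicit clock sample he found in RandomPool and X917RNG: anything mixed in there that the caller did not fix destroys reproducibility, which is exactly why his keypairs were not coming out deterministic.

```python
import hashlib
import hmac


class SeededStream:
    """Deterministic byte generator: HMAC-SHA256 in counter mode over a fixed seed.

    Nothing here touches the clock or the OS entropy pool, so two instances built
    from the same seed emit the same stream. (Constructed illustration; this is
    not Crypto++'s X917RNG, RandomPool or any pycryptopp class.)
    """

    SEED_LEN = 32  # 256-bit seed, the size Zooko could not fit into a block cipher
    BLOCK = 32     # HMAC-SHA256 output size: the "pretend block size of 32" idea

    def __init__(self, seed: bytes, extra: bytes = b""):
        if len(seed) != self.SEED_LEN:
            raise ValueError("seed must be exactly 32 bytes (256 bits)")
        self._seed = seed
        # `extra` models an implicit, caller-invisible input such as a clock
        # sample. Leave it empty for a deterministic generator.
        self._extra = extra
        self._counter = 0
        self._buf = b""

    def _next_block(self) -> bytes:
        # block_i = HMAC(seed, i || extra); the counter guarantees distinct blocks
        msg = self._counter.to_bytes(8, "big") + self._extra
        block = hmac.new(self._seed, msg, hashlib.sha256).digest()
        self._counter += 1
        return block

    def generate_block(self, n: int) -> bytes:
        """Return the next n bytes of the stream (chunking does not change the stream)."""
        out = bytearray()
        while len(out) < n:
            if not self._buf:
                self._buf = self._next_block()
            take = min(n - len(out), len(self._buf))
            out += self._buf[:take]
            self._buf = self._buf[take:]
        return bytes(out)

    def randint_below(self, bound: int) -> int:
        """Uniform integer in [0, bound) by rejection sampling, the kind of draw a
        key-generation routine makes when picking a private exponent or scalar."""
        if bound <= 0:
            raise ValueError("bound must be positive")
        nbits = bound.bit_length()
        nbytes = (nbits + 7) // 8
        while True:
            candidate = int.from_bytes(self.generate_block(nbytes), "big")
            candidate >>= nbytes * 8 - nbits  # drop surplus high bits before comparing
            if candidate < bound:
                return candidate


def derive_private_scalar(seed: bytes, order: int) -> int:
    """Derive a private scalar in [1, order) from a secret seed; reproducible by design."""
    stream = SeededStream(seed)
    return 1 + stream.randint_below(order - 1)


if __name__ == "__main__":
    # Constructed seed for demonstration only; a real seed must be secret and
    # drawn from a proper entropy source once, then stored.
    demo_seed = bytes(range(32))
    first = SeededStream(demo_seed).generate_block(16)
    second = SeededStream(demo_seed).generate_block(16)
    print("deterministic:", first == second)
    clocky = SeededStream(demo_seed, extra=b"12:38:52").generate_block(16)
    print("clock-mixed output differs:", clocky != first)
    print("scalar:", derive_private_scalar(demo_seed, 1 << 255))
```

The point of `extra` is the caveat from the message above: a generator is only as deterministic as the set of inputs the caller controls, so check the documentation (or the source) for hidden inputs before relying on reproducibility. Note also that `derive_private_scalar` is reproducible only because the same seed yields the same stream; the seed itself has to be generated once from real entropy and then protected like the private key it determines.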

Jeffrey Walton

Mar 13, 2008, 1:04:25 PM
to zooko, Crypto++ Users
Hi Zooko,

> Now I've learned that this is not true,
> neither for RandomPool nor for X917RNG.

RandomPool is based on PGP's Random Pool.

> ... use X917RNG by passing a correctly-sized array of
> zeroes for the "deterministic time vector" argument

If I recall correctly, ANSI 9.17 recognizes two sources: 3DES (E-D-E)
and SHA1. In either case, I think the time variant is required.

> after a brief search I didn't see a block
> cipher with a sufficiently large (256-bit)

SHACAL-2 is 32 bytes, but I'm not sure how secure it is. I don't use
it so I have not read up on it.

Jeff
