Rassah: Me: You're basically saying that, even if they stole the device and examined it, or stole one that was made right after it with similar chip characteristics, they'd still have 8000 bits of entropy to deal with, making their bruteforcing impossible?
Rassah: kakobrekla: What kind of a question is that?
kakobrekla: do you go to church Rassah ?
asciilifeform: Rassah: 'they are aware of most of these concerns' << and still did nothing. this, you realize, is an accusation of willful scammitude. not mere ignorance.
Rassah: asciilifeform: Work on this device was started in early September. So we have had a lot of tests on the chips by people who have been working on bitcoin cryptography for years now. So it seems as if they are aware of most of these concerns...
mircea_popescu: kakobrekla lmao good one. but no, it was "thanks god i put some piss in there too, so it's not all shit"
kakobrekla: mircea_popescu leave the bits you dont like? :)
Rassah: asciilifeform: Nikita: Well, yeah, you can narrow the range down to about 8000 bits.
mircea_popescu: Rassah do you know what the cook said when the people in the restaurant didn't like his shit soup ?
mircea_popescu: with a little less luck they're identical but physically translated in the plane.
Rassah: So it's a good thing we're not relying on just SRAM for the entropy then
mircea_popescu: same batch, yea, obv. with a little luck they are exactly identical.
asciilifeform: mircea_popescu: incidentally, it may not even be necessary to capture a particular unit. just one of her 'sisters.'
mircea_popescu: all it takes is to find which, and/or count them
asciilifeform: Rassah: if you read the paper, you will see that a small minority of sram cells is responsible for most of the 'random' behaviour.
mircea_popescu: Rassah it's not that they retain bits. it's that they retain their behaviour.
Rassah: asciilifeform: On the contrary, they are reading all of this
Rassah: I am not tech, no. I wasn't aware that these things actually retained any bits when you yank them out
asciilifeform: mircea_popescu: betcha the tech won't read any of this.
mircea_popescu: he's not tech, is he.
asciilifeform: mircea_popescu: i was hoping he'd figure it out, without you or i drawing the picture.
mircea_popescu: takes the stick, puts it in the freezer, melts it slowly, identifies the flip bits, counts them
Rassah: I plug it into my printer, and make a paper wallet. I put it away, and send money to the paper wallet. Then you......
Rassah: asciilifeform: So, if I use an entropy device to generate paper wallets, you can bruteforce it by recording the temperature in my room???
mircea_popescu: understandable, especially as pgp has been around for three decades.
BingoBoingo: Rassah: That too, but I just want to point out that even for signing cleartext, it isn't workable.
mircea_popescu: he could also say "i don't want my signature to be dependent on the code written last year by a bunch of dudebros"
Rassah: BingoBoingo: You could just say "Bitcoin address doesn't support encryption, or storing identity inside the key"
asciilifeform: Rassah: your friend has cemented my conclusion. i can figure out which cells are responsible for the device's output, merely by knowing your room temperature over time. and then all we have to do is run brute force over the narrowed set. (a few bits)
BingoBoingo: Rassah: And the last tolerable version of Multibit does something else as well. When PGP/GPG has the ascii armored text block already it just isn't worth trying to replace it with bitcoin signing just to save a few bytes.
Rassah: We can say that the skews are randomly distributed among cells during manufacture, and then remain fixed; temperature shifts all skews.
Rassah: put it in the freezer in the kitchen and collected data while it was cooling down. There was still plenty at 0°C, but it smoothly went down to zero entropy around -20°. The cells with high skew are those which effectively constitute device signature.
Rassah: asciilifeform: From Nikita again: Most cells have too much skew to be useful. We suck entropy out of those whose skew is low. That's why there is ~21:1 cell-to-entropy ratio at room temperature on most devices. They had one device from Microchip IIRC, whose entropy was much lower, but the others were very close to the 20–21 ballpark. We analysed data from MRD SoC, which is in the bitcoincard, and got the same 21:1 ratio. Then I
asciilifeform: Rassah: the skew we're talking about isn't rng output skew - the kind that can be addressed with von neuman's algo, etc. it's the actual physical effect you're using.
asciilifeform: Rassah: 'Skew shift is monotonic with respect to temperature. If an increase in temperature makes a neutral cell become 1-skewed, then decreasing the temperature will make that same cell 0-skewed.' << fixed bad paste
Rassah: asciilifeform: We've dealt with skew stuff too. I don't remember what it was, but it was addressed (I think we have more than enough entropy to work with or something)
mircea_popescu: o look at that, they DO listen.
asciilifeform: Rassah: ergo: if i have a sufficiently precise graph of the temperature of your unit over time, i can infer something about the sram and which cells are responsible for the bulk of the input to rng.
Rassah: You mean like this?
asciilifeform: Rassah: K, of all cells that are neutral at 293 K. Note that the probability exceeds 0.04 at the highest points; these peaks are omitted to show the rest of the distribution with greater detail. See Section VI-B1 for discussion typically
asciilifeform: Rassah: 'Skew shift is monotonic with respect to temperature. If an increase in temperature makes a neutral cell become 1-skewed, then decreasing the temperature will Fig. 11: This contour shows the probability distribution at 273 K and 323
BingoBoingo: Rassah: ... Otherwise I don't know what the difference in implementation is between PGP and BTC signing << Other big difference is PGP signing has a nice container for inline signatures attached to signed human readable text of arbitrary length
asciilifeform: Rassah: but all of this pales in comparison to another little observation. recall pg. 10 of the paper.
Rassah: and won't that make an excellent opportunity for someone to sell a device just like ours, using their own trusted sram chips? Maybe for more money, but more secure?
asciilifeform: Rassah: including, e.g. one that functions as an sram on all days but every 5th christmas.
Rassah: won't that cost them way more?
mircea_popescu: https://bitcointalk.org/index.php?topic=569043.0;all << check that shit out
asciilifeform: Rassah: it would have to be an electron micrograph. taken by somebody other than atmel.
Rassah: asciilifeform: We'll publish those
asciilifeform: Rassah: note that you would need to know the actual physical layout of atmel's die, to draw this picture. do you?
Rassah: His movies are shit from what he told me
asciilifeform: Rassah: not very interesting, i'm afraid. let's see the actual grid values - unprocessed.
BingoBoingo: Rassah: Some thing where he went in time with knights or some shit. At first I confused him with Thomas Ian Nicholas. I think his popularity stems from this confusion.
Rassah: BingoBoingo: Name one movie (besides Mighty Ducks, where he had a small cameo) that he was in? I've never even heard of him before bitcoin
BingoBoingo: Rassah: Anyone ever wonder how the hell Brock, whom no one knew much about, got elected to the BF board, when the public either doesn't know him or hates his guts? To me that says connections of some sort... << 90's nostalgia
Rassah: Hah, Nikita just ran the output from our device as an actual example http://pastebin.com/yz2GnsKd
asciilifeform: Rassah: consider the title of the paper. do you see any apparent contradiction?
asciilifeform: Rassah: we read the paper. (or at least, i did)
assbot: CiteSeerX — Power-up SRAM State as an Identifying Fingerprint and Source of True Random Numbers
Rassah: asciilifeform: It's a bit white (with 0's), but it's considerably more populated than that. This is the paper that we used to base this one, and it has some examples of the results http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.164.6432&rep=rep1&type=pdf
mircea_popescu: i suspect a trick.
Rassah: asciilifeform: We read the ram data directly
asciilifeform: Rassah: by what means do you 'collect the entropy' ?
asciilifeform: Rassah: as you can see - if you turn this into a bitstring by pure 'raster' scan, it will contain mostly zero.
asciilifeform: Rassah: this is approximately the kind of pattern you end up with using sram on powerup
Rassah: We don't use hashing as a source of entropy, no. Only to combine ours with a salt
asciilifeform: mircea_popescu: yes. some people, somehow, think this adds 'entropy'
Rassah: asciilifeform: Nikita says we use standard cryptographic hashes. Just for salt, for private and public keys, and other bitcoin specific things
mircea_popescu: which is supposedly "entropic", up until someone tries to put your source through md5
mircea_popescu: whitening is the process of turning the banal 11111 string into b0baee9d279d34fa1dfd71aadb908c3f
asciilifeform: Rassah: hashing as an attempt to 'distill' entropy.
Rassah: I asked. Can you tell me what whitening is? I'm not that techie :(
Rassah: but since the sample amount is very large even a 10% value is technically enough
Rassah: state and we'd read 0 and refuse to generate a key. We will check if the amount of 0 > x% and < y% (to check for deep-freeze temperatures) the Closer they are to 50% the better
Rassah: asciilifeform: from Nikita: Firstly, we'll publish our analysis of data from chips and argue that it should apply to all chips, and whoever wants can get data from his chip and run our tools or make his own. (our device will be fully open source, so anyone can make one if they wish). Secondly, we zero out a word in memory and make sure it's got enough 1s next time. If there was not enough power-off time, sram would retain its
BingoBoingo: Oh it is abnormal as hell, but because of its role it is still a transmission
mircea_popescu: Rassah well then i guess they don't get to talk about it at all, to no-one's particular detriment.
Rassah: After working on cars, this thing is too weird and different (and less problem-prone) to me
Rassah: BingoBoingo: I think Prius calls it a transaxle too. But I don't see it as any sort of normal "transmission"
BingoBoingo: Because it is transmission+axle
BingoBoingo: Right, but this arrangement of gears and fluids to drive power to wheels is still a transmission. Even if oddly arranged. Nearly any front wheel drive, front engine car uses the term transaxle for this.
Rassah: mircea_popescu: Not really. The reason I was hired is because they don't have time or patience for that
Rassah: Basically, normally to get more power, a car (or other hybrids) switch to a lower gear ratio and spin the electric and/or gas harder. In a prius, the gas engine spins faster than the smaller inner engine can keep up, which causes it to spin backwards, generate electricity, and then that electric is pumped into the big electric engine
kakobrekla: o wait i take that back.
Rassah: Just Prius. Others use plain engine, plain motor, and connect them with a CVT
mircea_popescu: yah i think that's how they do all the hybrids.
Rassah: BingoBoingo: It's three motors in a constantly moving planetary gear setup. The "transmitting" is done by varying input, generation, and torque of the electric motors
kakobrekla: Prius story rehashed with the new gizmo
mircea_popescu: Rassah seriously, this guy can't irc or something ?
BingoBoingo: Rassah: What I didn't know before is that Priuses have no transmissions, timing belts, or belts of any kind, and require practically no maintenance other than 10k mile oil changes and 100k brake pad and transaxle fluid changes. Everything else is electric... After $600+ expenses every 3 to 5 years on my Honda Civic, this is awesome. The 60mpg helps too << Transaxle is just a sideways transmission
asciilifeform: Rassah: consider that you are now married to the physical characteristics of a particular model from particular vendor. e.g. next year atmel ships sram that's non-entropic down to -40. without bothering to tell you. or it is 'entropic', but actually picks up Voice of America.
Rassah: I understand. I'm glad you are asking these questions
asciilifeform: Rassah: my purpose isn't pedantry. try to apprehend: i buy your product, get a keychain-sized gizmo with a single chip. how do i verify that the package functions exactly as described?
asciilifeform: Rassah: 'we will be testing' >> how ?
asciilifeform: Rassah: then it doesn't matter what you did to plug in the random bits - they are smeared across the 'ciphertext' (if you will, the hash output) and can be inferred.
Rassah: Due to bits not always flipping because of temperature and outside environment, we will be testing for these issues already.
asciilifeform: Rassah: picture a thoroughly, obscenely broken hash.
asciilifeform: Rassah: 'we are physically reading it' << how do you know this? that is to say, if both the reader and the sram are on one ic die, how can you substitute, e.g. a fake sram that never flips bits, to test ?
Rassah: It may reduce entropy, but it increases the number of attack vectors, doesn't it? Attacker would need both the hardware based RNG and the salt to compromise it
asciilifeform: Rassah: do you actually believe that hashing can add (instead of subtracting) entropy?