[Cryptography] Is there a point to key schedules?

Joseph Ashwood ashwood at msn.com
Wed Mar 11 09:05:17 EDT 2015

From: Ryan Carboni 
Subject: [Cryptography] Is there a point to key schedules?

> Is there a point to key schedules? 

Absolutely yes.

> Let's look at the origin of entropy for an HTTPS session. First hardware entropy is collected. 

Very, very slowly, and incompletely, and every refresh of hardware actually works to eliminate sources of entropy as much as possible. Turing type machines are a nightmare to get entropy from.

> It is usually then hashed. 

This is as much as anything to try and distill down to just the entropy, working on concentrating the extremely slow entropy collection so as not to store all the non-entropy.

> That is then used to seed a PRNG, often a block cipher, sometimes RC4 (although ChaCha is being adopted). Due to biases in RC4 and other biases in all block ciphers, if a 256-bit key is generated, 

> it is at best 255.999... bits secure.  

I separated out the part where you answered your own question. It is at best secure, everything around it is to attempt to help make it secure.

> Now lets go see how many bits a 128-bit block cipher takes... say a hypothetical one with thirty-two rounds. 
32*128= 4096 bits. 4096 bit asymmetric ciphers have 128-bit security and could transmit 4096 bits. so everything is mathematically comparable.

You’re assuming an inherent compatibility where none exists. 

First, 4096 bit asymmetric ciphers do not offer 128 bits of security. Depending on the exact numbers you want to believe, as there is significant debate, the value ranges from 108-142 bits and is often banned from standards on principal. 

Second, the security of the various bits is not equal, both RSA and DH have very weak low order bits. 

Third, as mentioned before, in increasing numbers of environments RSA and DH are not acceptable. 

Fourth, when using ECC 4096 bit keys offer approximately 2048 bit security. Far exceeding any requirement today.

Fifth, at 4096 bits RSA and DH are slower and more costly than similar security with ECC.

Sixth, these numbers keep moving around, there was a time where 500 bit RSA was effectively as secure as 128-bit ciphers. It is my view that attacks on factoring are extremely likely to advance far faster than counting.

So that is a brief initial list of the problems with the argument.

Now as to why key schedules are necessary.

First, entropy is hard to find. Having a reliable, smooth method of spreading the entropy around the keys for a cipher is extremely important.

Second, maintaining compatibility across key transfer methods. 

Third, addressing weaknesses in the cipher itself. A tiny key schedule change can remove weak keys in a cipher that would not be possible otherwise.

Fourth, I’m actually tired of writing this email so I’m going to stop.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150311/825dd98b/attachment.html>

More information about the cryptography mailing list