[Cryptography] Questions of taste on UDF presentation

Arnold Reinhold agr at me.com
Tue Feb 19 17:16:21 EST 2019 

On Sat, 16 Feb 2019 14:48 -0500, Phillip Hallam-Baker asked:

> … The question I need to answer right now is whether to group UDF values in
> groups of 4, 5 or 5+3 alternating.
> 
> The following fingerprints all represent the text/plain string "UDF Data
> Value":
> 
> MDDK7-N6A72-7AJZN-OSTRX-XKS7D (5)
> 
> MDDK-7N6A-727A-JZNO-STRX-XKS7 (4)
> 
> 
> MDDK7-N6A-727AJ-ZNO-STRXX-KS7 (5/3)
> 
> 
> The comparison is not quite fair in that the 5 group version provides
> 125 bits of precision while the other two provide only 120. But 120
> bits is much easier to code because it is a multiple of 8 bits.
> 
> Adding another 20 bits to the 4 and 5/3 character version gives us a
> work factor of 132 bits, thus meeting the 128 bit work factor we like
> to work to:
> 
> MDDK-7N6A-727A-JZNO-STRX-XKS7-DJAF
> 
> MDDK7-N6A-727AJ-ZNO-STRXX-KS7-DJAF
> 
> 
> This is one of those choices that you only really get one go at. The
> minute I acquire a user is the minute I can't change the architecture.
> 
> 
> The 8 bit clean groupings are going to be easier to code. The 5 bit
> groupings are likely to be more robust in use.

This seems to me to be part of a broader issue: as computation power increases, we need longer cryptographic primitives and as a result are stressing the ability of most people to inspect, memorize or type correctly. I like the mixed length scheme as it seems more likely to make small variations stand out. I’d even go for a more dramatic variation that mimics the word length variation in natural language sentences. For example 3-5-4-3-5-3-5:

MDD-K7N6A-727A-JZN-OSTRX-XKS-7DJAF

My instincts say the greater variation would aid users in comparing the individual elements. The best thing, of course, would be to do some actual testing of various schemes. Perhaps some local university might take it on as a student project. 

I wouldn’t worry about coding difficulty.The needs of the general public far out weigh programmer issues. Providing sample code and some test cases should minimize that problem.  Given the ongoing noise about quantum cryptanalysis, I’d go with the longer version (isn’t it 140 bits?). I would also use a resource intensive hash if possible, at least PBKDF2, preferably Argon2 or balloon. This would make it much more difficult for an attacker to forge a fingerprint that is even close.

> … I am looking for backers to see if we could use this to fix
> filing of expenses, invoices, etc. …

I’d just mention that one of the better recent Super Bowl ads was for a company called Expensify that is addressing the expense report market.

Arnold Reinhold

More information about the cryptography mailing list