gistfile1.txt

[22:32] <sokrates> does having a "perfect" PRNG trivially lead to perfect symmetric crypto?
[22:33] <sokrates> imagine this situation: A and B both have a copy of this perfect PRNG
[22:33] <sokrates> they both seed it with the shared key
[22:33] <catid> in the OTP sense yes i believe so
[22:33] <sokrates> and then alice simply XORs the PRNG's output with the plaintext
[22:34] <catid> but you can still misuse that kind of cipher construction: you can reuse the PRNG seed to encrypt the same data twice
[22:34] <Riastradh> If the key was chosen uniformly at random and the PRNG's output is indistinguishable from uniform random, then yes.  This is how stream ciphers work.
[22:34] <catid> or the seed can have insufficient randomness itself
[22:34] == Platyp [~flatline@2607:f470:22:8:beae:c5ff:fe5a:903f] has joined ##crypto
[22:35] <catid> an online game cheater can filter out all packets with length = 53 to stop something from going through, even though they cannot decrypt the data
[22:35] <Riastradh> Usually stream ciphers have an extra parameter called a nonce, which need not be chosen uniformly at random nor even be secret but must be used only once (a `number used once'), to give you multiple different key streams with a single key.
[22:35] <catid> and it also provides no MAC
[22:36] <catid> and if compression is used, the length provides an insight into the data that is encrypted
[22:36] <catid> etc etc.. ciphers aren't the only consideration
[22:37] <Riastradh> Crypto engineering is hard.  But you have correctly identified the model of an important piece of it.
[22:37] <sokrates> i see, awesome!
[22:38] == JamesNZ [~james@fedora/JamesNZ] has joined ##crypto
[22:38] <kmc> right, it is very easy for an attacker to tamper with such ciphertexts without knowing the key
[22:39] <kmc> they can flip any bit they like
[22:39] <snappy> a perfect PRNG is not going to give you OTP.
[22:39] <Riastradh> Other important parts are authentication (MACs, like catid mentioned, or signatures), timing and length side channels (like the compression catid mentioned), handling entropy (where do you get keys?), key exchange (how do you agree on keys?)...
[22:39] <catid> oh yeah and your PRNG can also have a timing side channel based on the key:)
[22:39] <kmc> are there constructions for building a MAC from a stream cipher / CSPRNG?
[22:40] == Zifre [~Zifre@unaffiliated/zifre] has joined ##crypto
[22:40] <snappy> kmc: i believe so, from a PRNG you can get a PRF and use feistal for a PRP which can be used to construct a MAC
[22:40] <Riastradh> kmc, is polynomial evaluation OK?
[22:41] <Riastradh> That is how the GMC information-theoretic one-time authenticator works.
[22:41] <kmc> I remember reading about that
[22:41] == karel [~karel@unaffiliated/karel] has quit [Quit: leaving]
[22:42] <kmc> snappy: how do you get a PRF from a PRNG?
[22:42] <kmc> the first way I can think of is very slow
[22:43] * tarcieri <3 "let's just use a PRNG to make an OTP and then we'll have perfect secrecy!"
[22:43] <tarcieri> o_O
[22:43] <sokrates> don't judge me! :P
[22:44] <tarcieri> http://dogepos.com/
[22:44] <tarcieri> o_O
[22:44] <Riastradh> tarcieri, that is the model that (one-time) stream ciphers follow...
[22:44] <tarcieri> Riastradh: well aware ;)
[22:44] <kmc> tarcieri: SEA OF WHITE DUDES
[22:45] <catid> guys.. what.. dogecoin is still a joke.. right?
[22:45] <catid> right guys?
[22:45] <kmc> I think the way sokrates phrased it is not fallacious at all; of course no such "perfect PRNG" can actually exist