What's the chance of a collision in Python's secrets.compare_digest function?

Question:

The closest function I can find to a constant time compare in Python’s standard library is secrets.compare_digest.

But it makes me wonder, if in the case of using it to verify a secret token:

  • What’s the chance of a collision? As in, what’s the chance of a secret passed that doesn’t match the correct token, but the function returns true? (Assuming that both strings passed are the same length)

  • What’s the length of secret token when it becomes pointless to make the secret longer, at least in terms of mitigating brute force attacks?

Asked By: Michal Charemza


Answers:

secrets uses hmac which uses hashopenssl. This uses the _tscmp function to compare things, which uses openssl’s CRYPTO_memcmp. The docs don’t mention anything about the probability. I’m not good at reading the assembly code commit but it doesn’t look like it is doing anything other than directly comparing the memory. So I don’t see why it would have a probability of collision, since hashing is not involved.

As for the question of a brute force attack – assuming we did the comparison at max gpu bandwidth of a modern gpu with 2TB/s, which is 1.6e+13 bits, if we multiply that by 1 year of time, that is ~ 3.1e+7 seconds, we get ~5e21 bits of comparison per year per gpu. log2(5e21) = 72 -> which means we could theoretically break a 72 bit key with a gpu in 1 year. (This is likely not possible because gpus are not designed for this, but an asic could probably be made with this kind of performance). Going with the rough estimate of 72/yr/device -> you can simply double the number of devices or number of years per bit increased. (Or maybe you could add 1 to the number of years assuming efficiency doubles every year). Here, 128 bits gives 20 years of doubling efficiency + 1 billion gpus / 10,000 supercomputers.

Additional note -> top supercomputer flops is 1e18 per second = 100,000 gpus (it does have 8,730,112 cores or 136,408 amd 64c cpus…)

On impractical scales -> the universe contains maybe 1e82 atoms and a nucleon could last for 1e200 years which is ~1e207 seconds. Assuming each atom can do a bit comparison in 1e-44 seconds (Planck time), we could theoretically compute 1e333 bits. That’s a keysize of 1106. I suspect a keysize of 1024 should be enough assuming the efficiency of turning the universe into a computer is 1e-24.

Answered By: arrmansa
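An added example, not part of the question or answer above: a token check built on secrets.compare_digest that counts how many single-bit mutations of a token compare equal, plus a keyspace estimate. The function names and the guess rate of 1e12 per second are assumptions made for illustration.

```python
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_GUESSES_PER_SECOND = 1e12  # assumption for illustration, not a measurement


def verify_token(presented: str, expected: bytes) -> bool:
    """Return True only when the presented token is byte-for-byte identical."""
    try:
        candidate = presented.encode("ascii")
    except UnicodeEncodeError:
        # compare_digest raises TypeError for non-ASCII str, so reject early.
        return False
    # Inputs of different length simply compare unequal.
    return secrets.compare_digest(candidate, expected)


def single_bit_flip_matches(token: bytes) -> int:
    """Count same-length inputs differing from token in one bit that compare equal."""
    hits = 0
    for i in range(len(token) * 8):
        mutated = bytearray(token)
        mutated[i // 8] ^= 1 << (i % 8)
        hits += secrets.compare_digest(bytes(mutated), token)
    return hits


def years_to_exhaust(bits: int, guesses_per_second: float) -> float:
    """Years needed to try every value of a bits-bit secret at a fixed rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample token: 32 random bytes, URL-safe encoded.
    token = secrets.token_urlsafe(32).encode("ascii")
    print("exact match accepted:", verify_token(token.decode("ascii"), token))
    print("single-bit mutations accepted:", single_bit_flip_matches(token))
    for bits in (64, 96, 128, 256):
        years = years_to_exhaust(bits, ASSUMED_GUESSES_PER_SECOND)
        print(f"{bits:3d} bits: {years:.3g} years to exhaust")
```

Because the comparison is on the raw bytes, a wrong token of the same length is never accepted; the only chance of acceptance is guessing the token itself, which for n random bits is 1 in 2^n per attempt.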