1

I'm paranoid about new storage devices, since it's a common scam to reprogram a device to lie and report a much larger capacity than it actually has.

I know that there are testing programs specifically for this, but I wonder if those programs are sufficiently paranoid. If a program just wrote a repeating pattern, the controller in the device might recognize the pattern and play it back. The controller is a full-blown computer with potentially a large amount of memory as cache, so it could be pretty sophisticated. Also the host computer has its own cache.

So for maximum paranoia I want an unpredictable pattern which is larger than any cache which is likely to be in place. My idea is to use a (Keccak) sponge to absorb a secret string, then squeeze it forever and write the output to the device until it is full. I think this is using the sponge as an extendable-output function (XOF). Since the device is ~512GB I figure that writing 512GB of sponge output is enough to overwhelm any particular cache.

Questions:

  • Is there any obvious weakness or stupidity to what I have described?
  • Is there a name for this application? I would look it up myself if I knew what to call it.
  • The sponge has a state of 1600 bits so potentially a period of 2^1600 before it repeats. Are there any proofs that say whether the state repeats before reaching full cycle? Practically as long as it doesn't repeat in 2^50 bits then there will be no cycles on the device.
  • Is there a list or paper on good (or more importantly not good) applications for using a sponge like this?
kwan3217
  • 113
  • 2

1 Answers1

1
  • Is there any obvious weakness or stupidity to what I have described?

No. Actually, that's a novel use of XOF.

  • Is there a name for this application? I would look it up myself if I knew what to call it.

I think "secure storage erasure" can describe it.

In SD cards (and other compact storage formats) and SSD drives, there's the TRIM command that instruct the block to read all-0 without rewriting data to the unit to prolong its lifetime - sophisticated physical instruments can recover data from TRIM'd blocks.

  • The sponge has a state of 1600 bits so potentially a period of 2^1600 before it repeats. Are there any proofs that say whether the state repeats before reaching full cycle? Practically as long as it doesn't repeat in 2^50 bits then there will be no cycles on the device.

Not exactly $2^{1600}$, since there's potentially multiple sets of states that leads back to themselves, with varying period length. A secure permutation such as Keccak should not easily admit short periods.

  • Is there a list or paper on good (or more importantly not good) applications for using a sponge like this?

Likely not, most papers would focus on cryptographic or infosec applications.

Other notes

AES running in counter mode (CTR) can also produce arbitrarily-long output with the caveat that period is much shorter than Keccak, as well as the pattern becomes distinguishable after $2^{64}$ blocks (since AES-CTR won't repeat for $2^{128}$ blocks, which is an distinguishable feature). Such limit is not relevant for practical applications.

If you do intend to fill your storage device with random data using SHAKE or other XOF, make sure you find an implementation that allows for incremental reading - i.e. a absorb-finalize-squeeze paradigm. The implementation shipped with Python's hash module isn't good for this.

DannyNiu
  • 10,640
  • 2
  • 27
  • 64