[cryptography] philosophical question about strengths and attacks at impossible levels

Marsh Ray marsh at extendedsubset.com
Wed Nov 24 05:49:45 EST 2010


On 11/24/2010 02:58 AM, coderman wrote:
> On Tue, Nov 23, 2010 at 10:43 PM, Marsh Ray <marsh at extendedsubset.com> wrote:
>> ....
>> How about all the weak and insufficiently seeded RNGs out there?
>
> it's more than a little annoying how many accelerated crypto
> implementations exist while good entropy is still a scarcity.
>
> why isn't this a native instruction on every architecture?

How would you know if it was working properly? Or backdoored?

How does this feature interact with virtualization? Low power and sleep 
states? What about variations in manufacturing process?

How hard is it to define such a thing in standard chip design tools? I 
imagine many tools will complain loudly about nondeterministic states.

What if it suddenly stopped working?
It seems like doing a decent test on each unit shipped would add at 
least some cost to the part.

Will the chip estimate the amount of entropy it has pooled? How?

Wouldn't you prefer an industrial-strength software entropy pool over a 
minimum-possible-area instruction that can never be fully tested?

I think a conscientious designer will want entropy from multiple 
sources, so he probably won't trust the chip to do it all for him, but 
perhaps it could be used as another input. What sources of entropy are 
available to the chip designer that are not also available to a software 
EGD?

How many customers would choose your chip instead of the other brand 
because of this? Is it worth the risk inherent in any new feature?

How do you market it? How do you keep it from being marketed as 
something that it isn't?

If it turned out to be weak, would you have to recall the chips? How 
about products containing it?
This sucker got baked into a lot of smart meters, or so I hear:
http://travisgoodspeed.blogspot.com/2009/12/prng-vulnerability-of-z-stack-zigbee.html

Of course, the answer may still be that it's better to have an 
instruction for it than not. But the advantages are subtle and hard to 
quantify, whereas the costs, complexity, and risks of adding it are 
measurable.

- Marsh
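An added example, not code from Marsh's post or anyone else on the list: a small software entropy pool in Python that does what the questions above ask of a hardware instruction, namely a continuous health check that notices a stuck or grossly biased source, mixing of several sources so a single broken or untrusted source cannot weaken the result, and an entropy credit that must be met before any output is released. The thresholds and the per-source entropy estimates are illustrative assumptions, not values from any standard.

```python
import hashlib

# Illustrative thresholds (assumptions, not tuned values from SP 800-90B) for a
# continuous health test on raw noise-source output.
MAX_REPEAT = 8        # this many consecutive identical bytes => source is stuck
MAX_PROPORTION = 0.5  # share of the window a single byte value may occupy
MIN_SAMPLES = 64      # refuse to judge on less data than this


def health_check(samples: bytes) -> bool:
    """Reject a stream that is stuck or grossly biased.

    Passing proves nothing about entropy; failing is strong evidence the
    source has died, which is the 'what if it suddenly stopped working' case."""
    if len(samples) < MIN_SAMPLES:
        return False
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur == prev else 1
        if run >= MAX_REPEAT:
            return False                  # repetition-count failure
    most_common = max(samples.count(v) for v in set(samples))
    return most_common / len(samples) <= MAX_PROPORTION


def mix_sources(sources: dict, out_len: int = 32) -> bytes:
    """Combine several noise sources into up to 32 output bytes.

    `sources` maps a source name to (raw_bytes, assumed_entropy_bits_per_byte).
    A source that fails the health test is ignored rather than trusted. The
    remaining sources are hashed with length-prefixed labels so that no source
    can impersonate another; the output is unpredictable if at least one of
    them is. Output is refused until the credited entropy of the healthy
    sources covers the request, the software analogue of a chip estimating
    how much entropy it has actually pooled."""
    h = hashlib.sha256()
    credited_bits = 0.0
    for name, (data, bits_per_byte) in sorted(sources.items()):
        if not health_check(data):
            continue                      # distrust it, keep the others
        label = name.encode()
        h.update(len(label).to_bytes(2, "big") + label)
        h.update(len(data).to_bytes(4, "big") + data)
        credited_bits += len(data) * bits_per_byte
    if credited_bits < out_len * 8:
        raise ValueError(f"only {credited_bits:.0f} bits credited, need {out_len * 8}")
    return h.digest()[:out_len]
```

Because the stuck source is dropped from the hash input, a pool fed a dead hardware source plus a healthy software source yields exactly what the software source alone would, and a request whose credited entropy falls short raises instead of returning weak bytes.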
