[cryptography] philosophical question about strengths and attacks at impossible levels

coderman coderman at gmail.com
Wed Nov 24 21:26:46 EST 2010


On Wed, Nov 24, 2010 at 2:16 PM, Marsh Ray <marsh at extendedsubset.com> wrote:
> ...
> So are you saying it is or it isn't Cloud-Compliant?

hah, i rant at length on the mistaken security assumptions of cloud
computing. (remember when it was grid computing?, and before that ...)

i'll try to stay on topic. *grin*


> What frequency are these oscillators? Does it change with voltage?
> Temperature? External RF sources? Other (possibly malicious) activity on the
> chip? How much does it vary with manufacturing process or across individual
> samples? Too much? Too little?

in the case of a Padlock engine the hwrng implementation uses three
450-810 MHz free wheeling oscillators that are adjusted via a "bias"
control, and a sampling oscillator running at 20-68 MHz.

i tend to run these at full bias but originally they intended a
measured setting coupled to the von Neumann whitener with a much more
meager sampling of bits.

the key factor is speed. in a conservative low bias, whitened mode you
can get a fraction of a Mbit/sec throughput but in a wide open (to be
masked and mixed) configuration with dual sources this exceeds
100Mbit/sec easily.

the full details are here:
http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/evaluation_summary_padlock_rng.pdf

the Intel RNGs are not actually on die, and i haven't been able to
find technical details of the SPARC T3 N2RNG implementation. perhaps
worth a follow up on Travis's RNG list...



> Can they be measured externally?

sure, if you've got the equipment.  :)


> What's the GCD of their frequencies?
> Can they interact (e.g., over the power bus)? What prevents them from
> drifting a bit and synchronizing to a nearby fixed ratio?

the cryptography research paper goes into details, and to some extent
this isn't a concern if you are properly masking your hwrng output
prior to mixing/use. just be sure you adjust entropy density
accordingly.


> Many chips have some A/D inputs, some have thermometers, etc. Most all have
> some external hardware interrupts and reasonably-fast clocked internal
> counters. Given all that, it's hard to explain how cosmic radio noise is
> more of a "physical process" than the timing of network packets.

it's about throughput. you can certainly use these sources for entropy
gathering, but the accumulation rate is slowww compared to 100Mbit/sec
or more with a hwrng designed for the purpose.


> In the end it's hard to convince the unconverted that you have something
> meaningfully better than what you could get from a pure software approach
> (interrupt timing, etc).

indeed. especially when there are so many other, more problematic
details to get correct to actually *make use* of strong entropy
sources effectively.  like the Debian OpenSSL patch, it just takes one
weak link...



> Crypto enthusiasts seem to have a particular fascination with entropy
> gathering and PRNGs for some reason. Perhaps that's because it appears to be
> a relatively easy thing to experiment with, and quite practical to make
> something more or less impossible to break. Most of the time we spend our
> efforts trying to eliminate the effects of entropy in our systems, it's fun
> to think about the opposite for a change.

probably true. i seem to care about it more than is reasonable :)

best regards,
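As an added illustration of the whitener-versus-throughput trade-off discussed above (example code written for this archive page, not from the thread, from VIA, or from the Padlock documentation): a constructed biased bit stream stands in for the sampled oscillator output, von Neumann whitening is applied and its yield measured, and a min-entropy figure shows how many raw bits to collect per output bit when the unwhitened stream is masked and mixed instead. The bias value `p_one` and the sample size are assumptions, not measurements of any real chip.

```python
import math
import random


def biased_bits(n, p_one, seed=1):
    """Constructed stand-in for a sampled free-running oscillator.

    Each bit is 1 with probability p_one and the bits are independent,
    which is exactly the assumption von Neumann whitening relies on;
    correlated or synchronised oscillators would violate it."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def von_neumann(bits):
    """Classic von Neumann whitener over non-overlapping pairs:
    01 -> 0, 10 -> 1, 00 and 11 are discarded."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def bias(bits):
    """Fraction of ones in the stream (0.5 means unbiased)."""
    return sum(bits) / len(bits)


def min_entropy_per_bit(p_one):
    """Min-entropy of one independent bit with P(1) = p_one."""
    return -math.log2(max(p_one, 1.0 - p_one))


def raw_bits_needed(out_bits, p_one):
    """Raw biased bits to collect per out_bits of full-entropy output
    when the stream is not whitened but masked/mixed: this is the
    'adjust entropy density accordingly' step."""
    return math.ceil(out_bits / min_entropy_per_bit(p_one))


def compare(n, p_one):
    """Raw bias, whitened bias and the whitener's yield (output bits
    per raw bit); the expected yield is p_one * (1 - p_one) <= 0.25."""
    raw = biased_bits(n, p_one)
    white = von_neumann(raw)
    return {
        "raw_bias": bias(raw),
        "white_bias": bias(white),
        "yield": len(white) / n,
    }
```

With `p_one = 0.75` the whitener keeps under a fifth of the raw bits, which is why the whitened, low-bias mode lands at a fraction of the raw rate, while the masked approach keeps every raw bit but must budget about 2.4 raw bits per full-entropy output bit.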


