[cryptography] Intel RNG
smb at cs.columbia.edu
Mon Jun 18 23:59:57 EDT 2012
On Jun 18, 2012, at 11:21:52 PM, ianG wrote:
> Then there are RNGs. They start from a theoretical absurdity that we cannot predict their output, which leads to an apparent impossibility of black-boxing.
> NIST recently switched gears and decided to push the case for deterministic PRNGs. According to original thinking, a perfect RNG was perfectly untestable. Whereas a perfectly deterministic RNG was also perfectly predictable. This was a battle of two not-goods.
> Hence the second epiphany: NIST were apparently reasoning that the testability of the deterministic PRNG was the lesser of the two evils. They wanted to black-box the PRNG, because black-boxing was the critical determinant of success.
> After a lot of thinking about the way the real world works, I think they have it right. Use a deterministic PRNG, and leave the problem of securing good seed material to the user. The latter is untestable anyway, so the right approach is to shrink the problem and punt it up-stack.
There's evidence, dating back to the Clipper chip days, that NSA feels the same way. Given the difficulty of proving there are no weird environmental impacts on hardware RNGs, they're quite correct.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
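As an added illustration of the trade-off ianG and Steve are discussing (this is example code added here, not code from the thread, from NIST or from Intel): a deterministic DRBG can be black-boxed because its output for a fixed seed is fixed, so a known-answer or determinism check either passes or fails, while the only thing you can do to the seed source itself is a coarse health test that catches a stuck or grossly broken source and nothing subtler. The block implements HMAC_DRBG with SHA-256 following NIST SP 800-90A and the repetition count test from SP 800-90B; the choice of those two documents, the false-positive rate alpha = 2^-20 and the min-entropy estimate H passed in by the caller are assumptions made for the example, not anything the post cites.

```python
import hashlib
import hmac
import math
import os

# Added example (not from the thread): HMAC_DRBG per NIST SP 800-90A 10.1.2 with
# SHA-256, plus the SP 800-90B 4.4.1 repetition count health test for the seed
# source. The NIST references and the alpha = 2^-20 parameter are assumptions.

OUTLEN = 32  # SHA-256 digest length in bytes


class HmacDrbg:
    """HMAC_DRBG (SP 800-90A) instantiated with SHA-256, security strength 256."""

    def __init__(self, entropy_input: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # 800-90A requires entropy_input of at least the security strength.
        if len(entropy_input) < OUTLEN:
            raise ValueError("entropy_input shorter than security strength")
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: mix provided_data into (K, V).
        self.K = self._hmac(self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.V)
        if provided_data:
            self.K = self._hmac(self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.V)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, n: int, additional_input: bytes = b"") -> bytes:
        # HMAC_DRBG_Generate: chain V through HMAC until n bytes are produced.
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.V)
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n]


def drbg_self_test(seed: bytes, nonce: bytes = b"kat-nonce", n: int = 64) -> bool:
    """The black-box test the deterministic half permits: two instances fed the
    same seed must agree byte for byte. A real deployment pins a published
    known-answer vector here instead of a second instance."""
    a = HmacDrbg(seed, nonce).generate(n)
    b = HmacDrbg(seed, nonce).generate(n)
    return a == b and len(a) == n


def repetition_count_cutoff(min_entropy_bits: float, alpha_log2: int = 20) -> int:
    """SP 800-90B 4.4.1: C = 1 + ceil(-log2(alpha) / H), with alpha = 2^-20."""
    return 1 + math.ceil(alpha_log2 / min_entropy_bits)


def repetition_count_test(samples: bytes, min_entropy_bits: float) -> bool:
    """Return True if no run of identical samples reaches the cutoff. This only
    catches a stuck source; it says nothing about bias or predictability."""
    cutoff = repetition_count_cutoff(min_entropy_bits)
    run, prev = 0, None
    for s in samples:
        if s == prev:
            run += 1
            if run >= cutoff:
                return False
        else:
            prev, run = s, 1
    return True


def instantiate_from_source(source_bytes: bytes, min_entropy_bits: float,
                            nonce: bytes = b"") -> HmacDrbg:
    """Health-check the seed material, then hand it to the testable DRBG.
    Whether the source actually has min_entropy_bits per byte is the part
    that gets punted up-stack: nothing here can verify it."""
    if not repetition_count_test(source_bytes, min_entropy_bits):
        raise RuntimeError("seed source failed repetition count test")
    return HmacDrbg(source_bytes, nonce)


if __name__ == "__main__":
    print("DRBG determinism check:", drbg_self_test(b"\x42" * 32))
    # os.urandom stands in for the hardware source; H=8 is the caller's claim.
    drbg = instantiate_from_source(os.urandom(48), 8.0, nonce=b"demo")
    print(drbg.generate(32).hex())
```

The split mirrors the argument in the thread: everything in HmacDrbg can be checked against a fixed vector in a lab, while repetition_count_test is the most one can do to the seed at runtime, and the min-entropy estimate it relies on is an input the DRBG has to take on faith.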