[cryptography] [liberationtech] Random number generator failure in Rasperri Pis?

Russell Leidich pkejjy at gmail.com
Sat Jul 20 03:47:43 EDT 2013


RANDU issues aside, I don't think thermal or even quantum noise is a good
basis upon which to produce a true random number generator. And not because
good noise sources don't exist. But because, in the interest of
trustworthiness, we want to have TRNGs which are as high as possible in the
stack. (Like Jytter, which does no IO at all and lives in user space, but
is still a TRNG. It could be easily ported to Pi.)

The biases of a software TRNG are exposed and thus easily criticized. But
if I sell you a modern microprocessor with a TRNG implemented in a few
hundred gates, how do you know that I'm being honest? Are you going to xray
the device and hope to learn anything useful? And nevermind deliberate
hacking: think of the silicon yield curve. What are the odds that, despite
my best efforts at quality assurance, I've given you a badly biased
generator?

In other words, it's a question of how easy it is to trust and measure
entropy which you have harvested, rather than merely how easy it is to
harvest "promised" entropy.

I understand the argument that "it can't hurt to be more random by reading
platform-specific TRNG registers". But then, do you know how much entropy
that read is worth? How many intersecting trust dependencies is your
conclusion standing on? If you're not confident, then why do it at all?

I also understand the argument that "the hardware has to be trustworthy"
because if it's not, then the whole userspace is a sham. But the problem is
that this is an analog component we're talking about. If my 64-bit hardware
TRNG can only generate 1% of 64-bit numbers (probably because I hacked it),
how are you going to discover that anytime soon? Again, why even get into
that discussion by relying on these devices in the first place?

I'm not trying to devalue the great work that hardware engineers have done
in order to create these devices. It's tough work. But there's a supply
chain trust problem here.

Eugen Leitl <eugen at leitl.org> quotes:

>
>>  Just came accross this article, apparently showing the bad quality of the
>>> hardware RNG in Raspberri Pi devices.
>>>
>>> http://scruss.com/blog/2013/**06/07/well-that-was-**
>>> unexpected-the-raspberry-pis-**hardware-random-number-**generator/<http://scruss.com/blog/2013/06/07/well-that-was-unexpected-the-raspberry-pis-hardware-random-number-generator/>
>>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130720/a937defd/attachment-0001.html>


More information about the cryptography mailing list