[cryptography] Random number generation influenced, HW RNG

James A. Donald jamesd at echeque.com
Sun Sep 8 17:25:11 EDT 2013


On 2013-09-09 1:54 AM, Thor Lancelot Simon wrote:
> On Sun, Sep 08, 2013 at 03:00:39PM +1000, James A. Donald wrote:
>> On 2013-09-08 1:25 PM, Thor Lancelot Simon wrote:
>>> On Sun, Sep 08, 2013 at 08:34:53AM +1000, James A. Donald wrote:
>>>> Well, since you personally did this, would you care to explain the
>>>> very strange design decision to whiten the numbers on chip, and not
>>>> provide direct access to the raw unwhitened output.
>>> You know as soon as anyone complained about this, they turned around
>>> and provided access to the unwhitened output in the next major version
>>> of the same product family, right?
>> I am not aware of this.  Could you provide further details?
> http://software.intel.com/en-us/blogs/2012/11/17/the-difference-between-rdrand-and-rdseed

RDSEED provides the output of the /enhanced/ non-deterministic random
number generator (ENRNG).

Which is "enhanced" by being whitened.

And therefore makes it just as impossible to tell if the supposed 
randomness is backdoored as RDRAND does.

What we need is the output of the entropy source.

Supposedly we have a circuit that generates fairly random off-white
noise (the entropy source). This is then AES encrypted (the enhanced
non-deterministic random number generator), and the enhanced
non-deterministic random number generator then continuously seeds a
pseudo-random number generator, which provides the output of RDRAND.

To tell if there is a backdoor or not, we need the output of the entropy 
source, unenhanced.

If the entropy source is real, it will show its analog characteristics
leaking into the digital abstraction.  The correlations and
anti-correlations between nearby bits will reflect the analog values of
the circuit, thus no two chips will show quite the same correlations, and
the correlations will vary with temperature and overclocking.  These
analog variations would be compelling evidence that the entropy source
is something very like the claimed circuit.

Because RDSEED gives us the encrypted output of the entropy source, we 
cannot tell if the entropy source is a real entropy source, or a counter 
encrypted with the NSA's secret key.

Since the whitening is deterministic, it is potentially reversible, but 
Intel does not appear to be releasing sufficient information to reverse it.
