[cryptography] Random number generation influenced, HW RNG
James A. Donald
jamesd at echeque.com
Sun Sep 8 17:25:11 EDT 2013
On 2013-09-09 1:54 AM, Thor Lancelot Simon wrote:
> On Sun, Sep 08, 2013 at 03:00:39PM +1000, James A. Donald wrote:
>> On 2013-09-08 1:25 PM, Thor Lancelot Simon wrote:
>>> On Sun, Sep 08, 2013 at 08:34:53AM +1000, James A. Donald wrote:
>>>> Well, since you personally did this, would you care to explain the
>>>> very strange design decision to whiten the numbers on chip, and not
>>>> provide direct access to the raw unwhitened output.
>>> You know as soon as anyone complained about this, they turned around
>>> and provided access to the unwhitened output in the next major version
>>> of the same product family, right?
>> I am not aware of this. Could you provide further details?
> RDSEED provides the output of the /enhanced/ non-deterministic random
> number generator (ENRNG
Which is "enhanced" by being whitened.
And therefore makes it just as impossible to tell if the supposed
randomness is backdoored as RDRAND does.
What we need is the output of the entropy source.
Supposedly we have a circuit that generates fairly random off-white
noise (the entropy source). This is then AES encrypted (the enhanced
non-deterministic random number generator), and the enhanced
non-deterministic random number generator then continuously seeds a
pseudo-random number generator, which provides the output of RDRAND.
To tell if there is a backdoor or not, we need the output of the entropy
If the entropy source is real, it will show its analog characteristics
leaking into the digital abstraction. The correlations and
anti-correlations between nearby bits will reflect the analog values of
the circuit, thus no two chips will show quite the same correlations, and
the correlations will vary with temperature and overclocking. These
analog variations would be compelling evidence that the entropy source
is something very like the claimed circuit.
Because RDSEED gives us the encrypted output of the entropy source, we
cannot tell if the entropy source is a real entropy source, or a counter
encrypted with the NSA's secret key.
Since the whitening is deterministic, it is potentially reversible, but
Intel does not appear to be releasing sufficient information to reverse it.
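The following is an added illustration of the argument above, not code from the message or from Intel. It models the three streams the message distinguishes: a raw analog-style source, its conditioned (whitened) output, and the hypothetical "counter encrypted under a secret key". It measures the bias and lag-k bit correlations that a real analog source would leak. Assumptions, none of which come from the page: the raw source is modelled as thresholded first-order low-pass Gaussian noise with a tunable filter coefficient `a` (standing in for the analog parameter that would drift with temperature), and the conditioner is HMAC-SHA256 over 256-bit blocks so the example runs on the Python standard library (Intel's conditioner is AES-based). The key and the stream length are arbitrary constants chosen here.

```python
import hashlib
import hmac
import random
from math import sqrt


def simulate_analog_source(n_bits, a=0.6, seed=1):
    """Constructed model of a raw entropy source: Gaussian noise passed
    through a first-order low-pass filter and thresholded at zero.
    Adjacent bits come out correlated, which is the kind of analog
    fingerprint the message says a genuine source would show.  `a` is
    the filter coefficient; changing it (as temperature would change a
    real circuit) changes the correlation profile."""
    rng = random.Random(seed)
    x = 0.0
    bits = []
    for _ in range(n_bits):
        x = a * x + rng.gauss(0.0, 1.0)
        bits.append(1 if x > 0 else 0)
    return bits


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def bytes_to_bits(data):
    return [(byte >> (7 - j)) & 1 for byte in data for j in range(8)]


def condition(raw_bits, key, block_bits=256):
    """Stand-in for the on-chip conditioner (assumed HMAC-SHA256 here,
    not AES): every 256-bit block of raw source output is replaced by a
    keyed PRF of that block.  This is the stage whose output RDSEED
    exposes, according to the message."""
    out = []
    usable = len(raw_bits) - len(raw_bits) % block_bits
    for i in range(0, usable, block_bits):
        block = bits_to_bytes(raw_bits[i:i + block_bits])
        out.extend(bytes_to_bits(hmac.new(key, block, hashlib.sha256).digest()))
    return out


def counter_source(n_bits, key):
    """The hypothetical backdoor from the message: no analog noise at
    all, just a counter run through the same keyed PRF."""
    out = []
    ctr = 0
    while len(out) < n_bits:
        digest = hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(bytes_to_bits(digest))
        ctr += 1
    return out[:n_bits]


def bias(bits):
    """Fraction of one bits; 0.5 is unbiased."""
    return sum(bits) / len(bits)


def lag_correlation(bits, k):
    """Pearson correlation between each bit and the bit k positions later."""
    x, y = bits[:-k], bits[k:]
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((u - mx) * (v - my) for u, v in zip(x, y)) / n
    vx = sum((u - mx) ** 2 for u in x) / n
    vy = sum((v - my) ** 2 for v in y) / n
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def fingerprint(bits, max_lag=4):
    """Bias plus lag-1..max_lag correlations: the statistics a tester
    would look at for analog structure leaking into the bit stream."""
    return {"bias": bias(bits),
            "lag": [lag_correlation(bits, k) for k in range(1, max_lag + 1)]}


if __name__ == "__main__":
    N = 1 << 16
    KEY = bytes(range(32))  # arbitrary constant, stands in for the secret key
    raw = simulate_analog_source(N)
    streams = [("raw source", raw),
               ("conditioned raw", condition(raw, KEY)),
               ("encrypted counter", counter_source(N, KEY))]
    for name, stream in streams:
        fp = fingerprint(stream)
        lags = " ".join(f"{c:+.3f}" for c in fp["lag"])
        print(f"{name:18s} bias={fp['bias']:.3f} lag1..4={lags}")
```

Run as a script it prints one line per stream. The raw source shows a large, decaying lag correlation (the signature that would differ from chip to chip and with `a`), while the conditioned raw stream and the encrypted counter both come out with bias near 0.5 and lag correlations near zero, so the two cannot be told apart from the conditioner's output alone, which is the point of the message.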