[cryptography] [liberationtech] Random number generation being influenced - rumors

coderman coderman at gmail.com
Mon Sep 9 03:27:57 EDT 2013

On Sun, Sep 8, 2013 at 10:18 PM, Greg Rose <ggr at seer-grog.net> wrote:
> ...
> I actually hate to point this out, but having access to something that "looks like" a raw entropy source proves nothing. Given a design for a hardware RNG, with a characterization of its biases, I could straightforwardly take a stream generated by AES in counter mode with a 32-bit counter and do a kind of reverse distillation to make it look like the output from such a hardware RNG. Then, if the adversary knows what software is used to distill the entropy (and the AES key), the game is still over.

two things,

1) i suspect a system to introduce realistically viable biases
expected with a particular TRNG design is more complicated than you
assume (especially when performing long running analysis over a large
corpus, not trivial / short checks like FIPS.)  it would certainly be
much larger on die, but perhaps that is beside the point.

2) this underscores the need to combine multiple entropy sources, and
not put all your trust in one built in instruction.

the gist of your argument is correct, however, the microcode itself is
a black box, just as suspect as other instructions, given enough
resources and privileged access.
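An added illustration of the two points above (not code from the thread or from anyone posting in it): a predictable counter-based stream stands in for "AES in counter mode with a known key" and passes a FIPS 140-2 style monobit check, and two combiners are compared. A plain XOR combiner can be steered by a compromised source that sees the honest one, while a hash-based mixer still produces an unpredictable seed as long as any single input is unpredictable. The source names, the `mixer-v1` label and the use of SHA-256 over a counter as the "suspect" source are constructed for the example.

```python
import hashlib
import os


def predictable_stream(length, counter_start=0):
    """Constructed stand-in for a 'TRNG' that is really a keyed counter.

    Anyone who knows the construction reproduces every byte, yet the
    bytes look statistically fine (compare AES-CTR with a known key).
    """
    out = bytearray()
    counter = counter_start
    while len(out) < length:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def fips_monobit_ok(stream):
    """FIPS 140-2 style monobit test on the first 20,000 bits (2,500 bytes).

    Passes when 9,725 < ones < 10,275. A fully predictable stream passes
    this easily, so a passing health check says nothing about secrecy.
    """
    ones = sum(bin(b).count("1") for b in stream[:2500])
    return 9725 < ones < 10275


def xor_combine(a, b):
    """Naive combiner: XOR of two equal-length samples."""
    return bytes(x ^ y for x, y in zip(a, b))


def cancelling_contribution(observed_other_source, target):
    """Contribution a compromised source would emit to steer an XOR
    combiner to `target` after observing the honest sample. Included
    only to show why XOR alone is a weak combiner."""
    return xor_combine(observed_other_source, target)


def mix_entropy_sources(samples, label=b"mixer-v1"):
    """Hash-based combiner over (name, bytes) pairs.

    Names and samples are length-prefixed so the encoding is unambiguous.
    The output stays unpredictable as long as at least one input is, even
    if every other input is known to, or chosen by, the adversary.
    """
    h = hashlib.sha256()
    h.update(label)
    for name, sample in samples:
        h.update(len(name).to_bytes(2, "big") + name)
        h.update(len(sample).to_bytes(4, "big") + sample)
    return h.digest()


if __name__ == "__main__":
    honest = os.urandom(32)              # e.g. a jitter or OS pool sample
    target = bytes(32)                   # value the compromised source wants
    steered = cancelling_contribution(honest, target)
    print("predictable stream passes monobit:",
          fips_monobit_ok(predictable_stream(2500)))
    print("xor combiner steered to target:",
          xor_combine(honest, steered) == target)
    print("hash combiner steered to target:",
          mix_entropy_sources([(b"builtin", steered), (b"jitter", honest)]) == target)
```

The design point is the mixer's ordering of trust: nothing about the built-in source is assumed, only that it cannot cancel out an input it does not control once everything is run through a preimage-resistant hash.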

More information about the cryptography mailing list