[cryptography] random number generator

dj at deadhat.com dj at deadhat.com
Fri Nov 21 12:01:31 EST 2014


> Rather than me listing "names", why not just let it rip and run your own
> randomness tests on it?

Because that won't tell me if you are performing entropy extraction.

Jytter assumes an x86 machine with multiple asynchronous clocks and
nondeterministic physical devices. This is not a safe assumption. Linux
assumes entropy in interrupt timing and this was the result
https://factorable.net/weakkeys12.extended.pdf.

This falls under the third model of source in my earlier email. Your
extractor might look simple, but your system is anything but simple and
entropy extracted from rdtsc and interrupts amounts to squish.

Looking at the timing on your system and saying "it looks random to me"
does not cut it. Portable code has to have a way to know system timing is
random on every platform it runs on. The above paper shows that it isn't.

Jytter does something neat but the broad claims you are making and the
broader claims the Jytter web site makes do not pass the sniff test.



More information about the cryptography mailing list