[cryptography] random number generator

James A. Donald jamesd at echeque.com
Sat Nov 22 19:11:07 EST 2014


On 2014-11-23 09:47, Russell Leidich wrote:
> "in your case, hash 128+N samples to get, say, 127.99 bits of entropy
> per hash output. N is small, under 20 I think."
>
> Yeah this certainly inspiring with respect to milking decent entropy
> from coldbootish environments. If we assume the use of a "good" hash,
> then the problem reduces to one of asking how much entropy a sample is
> worth.
>
> But this is where Pandora's box opens up: modern systems -- even mobile
> phones -- are so complicated that autopseudorandomness can look very
> convincingly like a TRNG. For instance, we could have predictable cache
> stalls, bus stalls, pipeline stalls, etc. which interact like a decent
> PRNG in order to render the appearance of physical entropy even in the
> absence of interrupts. But we could still end up with a painfully narrow
> set of possible outputs, which would still be too large to perceive. For
> instance, our 128-bit random number might be worth only 70 bits, so we
> likely wouldn't detect that weakness until it comes back to bite us in
> the future.

If there is any true randomness in the system, autopseudorandomness will 
mix it with everything else, and so Jytter will collect it.

But in coldboot system, there may well be very little true randomness.

So, every boot image should have its own unique 128 or 256 bit secret 
unpredictable to an adversary.



More information about the cryptography mailing list