[cryptography] Enranda: 4MB/s Userspace TRNG

Krisztián Pintér pinterkr at gmail.com
Wed May 27 08:14:04 EDT 2015


On Wed, May 27, 2015 at 3:12 AM, Russell Leidich <pkejjy at gmail.com> wrote:
> "if your proposed method comes with a complex extractor, it is bullshit"
>
> OK point well taken. I should offer a raw mode.

no, you actually shouldn't. you should offer raw mode only. maybe some
clever compression just to reduce the amount of data going into the
slower secure whitening.

> What this leaves behind is the aperiodic residue. Or more specifically,
> ((the hashes (of all sequences)) that have not been seen in the last 2^16
> such hashes). I realize that this isn't hard proof (as nothing in physical
> hardware can be proven)

this is much worse than "not a hard proof". it is next to nothing. you
have a hypothesis, which you don't clearly state, and then you have a
countermeasure, which you don't explain.


> cache misses, pipeline stalls, CPU circuit clock gating, etc. that provide
> the majority of the protoentropy.

the CPU is a deterministic system. cache misses and all the other
stuff are not random, but depend on previous instructions, thus the
internal state of the CPU. this is NOT a source of entropy. the source
of entropy comes from outside of the CPU, namely anything that changes
its internal state. these are: responses from mass storage or other IO
drivers, user input, network events, etc. that is: IRQs. the CPU as a
system is chaotic, and so tiny differences in those inputs cause huge
differences later. but this is NOT entropy. this is a completely
deterministic process.

at this point, we could dwell on the nature of entropy. by definition,
entropy is anything the attacker does not know. considering your
probable attackers, the entire internal state of the CPU is entropy.
but this is not the case for limited hardware and more potent
attackers.

that is why it is crucial to separate the actual entropy from the
deterministic chaos on top of it. with a nice usual thermal noise
generator, we can be pretty sure about the real entropy, which is
entropy for all attackers. that so-called CPU jitter is not entropy,
but a chaotic complex postprocessing on top of some IRQ-based minimal
real entropy, the amount of which is unknown.
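The distinction drawn in the reply between deterministic chaos and real entropy, as an added illustration that is not part of the original post or of Enranda: a few unpredictable bits of IRQ timing are pushed through a deterministic but highly input-sensitive process (iterated SHA-256 stands in, by assumption, for cache misses and pipeline stalls); the output passes a naive byte-histogram entropy estimate with flying colours, yet the number of distinct outputs an attacker has to guess among is bounded by the input entropy. The model and all values are constructed.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed model (not Enranda's code): the only real entropy entering the
# "CPU" is a few bits of IRQ timing; cache misses, stalls and clock gating
# are modelled as a deterministic but chaotic function of that input.
IRQ_ENTROPY_BITS = 4          # assumption: attacker cannot predict these 4 bits
OUTPUT_BYTES = 32


def deterministic_chaos(irq_timing, rounds=64):
    """Stand-in for cache misses / pipeline stalls: deterministic and
    extremely sensitive to its input (iterated SHA-256 plays that role)."""
    state = irq_timing.to_bytes(4, "little")
    for _ in range(rounds):
        state = hashlib.sha256(state).digest()
    return state[:OUTPUT_BYTES]


def apparent_entropy_bits(samples):
    """What a naive statistical test sees: Shannon entropy of the byte
    histogram, scaled up to one OUTPUT_BYTES-long sample."""
    counts = Counter(b for s in samples for b in s)
    total = sum(counts.values())
    per_byte = -sum(c / total * math.log2(c / total) for c in counts.values())
    return per_byte * OUTPUT_BYTES


def true_entropy_bits(samples):
    """Upper bound from the attacker's view: a deterministic process can
    emit no more distinct outputs than it received distinct inputs."""
    return math.log2(len(set(samples)))


def simulate(n_samples=4096, seed=1):
    rng = random.Random(seed)   # stands in for the unpredictable IRQ timing
    samples = [deterministic_chaos(rng.getrandbits(IRQ_ENTROPY_BITS))
               for _ in range(n_samples)]
    return apparent_entropy_bits(samples), true_entropy_bits(samples)


if __name__ == "__main__":
    apparent, real = simulate()
    print(f"apparent entropy per sample: {apparent:.1f} bits")
    print(f"actual entropy per sample:   {real:.1f} bits (at most {IRQ_ENTROPY_BITS})")
```

The byte histogram reports well over a hundred bits per 32-byte sample, while the attacker faces at most sixteen candidate outputs; only the IRQ input, not the chaos layered on it, counts as entropy.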
