[Cryptography] [IP] 'We cannot trust' Intel and Via's chip-based crypto, FreeBSD developers say

Jerry Leichter leichter at lrw.com
Thu Dec 19 08:08:08 EST 2013


On Dec 19, 2013, at 7:42 AM, I wrote:
> If you don't like the idea of mixing RDRAND into the pool rather than XOR'ing it at the end....
It's worth noting that treating RDRAND specially is not without justification.  RDRAND produces 64 (allegedly good) random bits at a shot, at a very high data rate.  Other sources that feed the mixing algorithm produce a few bits here and there, which have to be mixed and distilled over a period of time.

- If you count the 64 bits as 64 bits of entropy, RDRAND will swamp all the other sources.  If RDRAND is spiked, it could spike the output of the mixer.
- If you count the 64 bits as no entropy, or only a little entropy, and RDRAND is actually good *but the Linux mixer or its other sources are bad*, then the mixer will effectively throw away the value RDRAND could have given you.

Linux mixer XOR RDRAND is strong if *either* of the two inputs is strong (modulo the active attacks we've been discussing, and which can be neutralized).  You can't get that guarantee by making RDRAND "just another input" - it reduces you to relying on the strength of the Linux mixer.

                                                        -- Jerry
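The two failure modes Jerry describes can be made concrete with a small model. The following is an added example, not code from the post or from the Linux or FreeBSD random drivers. It assumes a toy pool with an entropy-credit counter and a 256-bit readiness threshold, SHA-256 as a stand-in for a sound mixer, a deliberately broken single-byte mixer as a stand-in for a weak one, and `os.urandom` as a stand-in for a good RDRAND. It shows (a) how crediting RDRAND 64 bits per call lets the pool declare itself ready while the other sources have contributed almost nothing, and (b) how a weak mixer discards a good RDRAND when RDRAND is "just another input" but not when it is XORed onto the output.

```python
"""Toy model of the two ways of combining RDRAND with an entropy pool.
Constructed for illustration only; not the Linux or FreeBSD implementation."""
import hashlib
import os
from typing import Callable

Mixer = Callable[[bytes, bytes], bytes]


def good_mixer(state: bytes, data: bytes) -> bytes:
    """Sound mixer (assumption: SHA-256 stands in for the real mixing function)."""
    return hashlib.sha256(state + data).digest()


def weak_mixer(state: bytes, data: bytes) -> bytes:
    """Deliberately broken mixer: folds everything into one byte, so the pool can
    never hold more than 8 bits of entropy no matter how good its inputs are."""
    return bytes([(sum(state) + sum(data)) % 256]) * 32


class Pool:
    """Minimal entropy pool with credit accounting (constructed, not a real driver)."""

    def __init__(self, mixer: Mixer, threshold_bits: int = 256):
        self.mixer = mixer
        self.threshold_bits = threshold_bits
        self.state = b"\x00" * 32
        self.credit = 0            # entropy the pool *believes* it has
        self.real_other_bits = 0   # entropy actually delivered by non-RDRAND sources

    def feed(self, data: bytes, credit_bits: int, real_other_bits: int = 0) -> None:
        self.state = self.mixer(self.state, data)
        self.credit += credit_bits
        self.real_other_bits += real_other_bits

    def ready(self) -> bool:
        return self.credit >= self.threshold_bits

    def output(self) -> bytes:
        return hashlib.sha256(b"out" + self.state).digest()


def rdrand_good() -> bytes:
    """Stand-in for four good 64-bit RDRAND results (assumption: os.urandom)."""
    return os.urandom(32)


def other_bits_when_ready(rdrand_credit: int, events_per_rdrand: int = 2) -> int:
    """Simulate early boot: slow 1-bit events interleaved with RDRAND calls that are
    credited `rdrand_credit` bits each. Returns how much non-RDRAND entropy the
    pool actually holds at the moment it first declares itself ready."""
    pool = Pool(good_mixer)
    while True:
        for _ in range(events_per_rdrand):
            pool.feed(os.urandom(1), credit_bits=1, real_other_bits=1)
            if pool.ready():
                return pool.real_other_bits
        pool.feed(rdrand_good(), credit_bits=rdrand_credit)
        if pool.ready():
            return pool.real_other_bits


def output_rdrand_mixed_in(mixer: Mixer, other: bytes, rd: bytes) -> bytes:
    """RDRAND treated as just another input: everything passes through the mixer."""
    pool = Pool(mixer)
    pool.feed(other, credit_bits=0)
    pool.feed(rd, credit_bits=0)
    return pool.output()


def output_rdrand_xored(mixer: Mixer, other: bytes, rd: bytes) -> bytes:
    """RDRAND XORed onto the pool output at the end, bypassing the mixer."""
    pool = Pool(mixer)
    pool.feed(other, credit_bits=0)
    return bytes(a ^ b for a, b in zip(pool.output(), rd))


def distinct_outputs(compose, mixer: Mixer, trials: int = 1000) -> int:
    """Count distinct outputs over `trials` runs with a fixed weak 'other' input and a
    good RDRAND. A sound combination should give `trials` distinct values; a
    combination that loses RDRAND through a weak mixer is capped at 256."""
    other = b"\x01"  # constructed: the non-RDRAND sources contribute almost nothing
    return len({compose(mixer, other, rdrand_good()) for _ in range(trials)})


if __name__ == "__main__":
    print("other-source bits at 'ready', RDRAND credited 64:", other_bits_when_ready(64))
    print("other-source bits at 'ready', RDRAND credited 0: ", other_bits_when_ready(0))
    print("weak mixer, RDRAND mixed in: ", distinct_outputs(output_rdrand_mixed_in, weak_mixer))
    print("weak mixer, RDRAND XORed:    ", distinct_outputs(output_rdrand_xored, weak_mixer))
    print("good mixer, RDRAND mixed in: ", distinct_outputs(output_rdrand_mixed_in, good_mixer))
```

With the 64-bit credit the pool declares itself ready after four RDRAND calls, holding only 8 real bits from the other sources, which is the swamping case; with zero credit it waits for 256 bits from the other sources. The second half shows the other direction: through a weak mixer a good RDRAND yields at most 256 distinct outputs, while XORing it onto the output keeps all of its strength, and a good mixer handles either arrangement, which is exactly the "relying on the strength of the mixer" point.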


