[Cryptography] Random number generation influenced, HW RNG

John Kelsey crypto.jmk at gmail.com
Mon Sep 9 23:29:52 EDT 2013


On Sep 9, 2013, at 6:32 PM, "Perry E. Metzger" <perry at piermont.com> wrote:

> First, David, thank you for participating in this discussion.
> 
> To orient people, we're talking about whether Intel's on-chip
> hardware RNGs should allow programmers access to the raw HRNG output,
> both for validation purposes to make sure the whole system is working
> correctly, and if they would prefer to do their own whitening and
> stretching of the output.

Giving raw access to the noise source outputs lets you test the source from the outside, and there is a lot to be said for it.  But I am not sure how much it helps against tampered chips.  If I can tamper with the noise source in hardware to make it predictable, it seems like I should also be able to make it simulate the expected behavior.  I expect this is more complicated than, say, breaking the noise source and the internal testing mechanisms so that the RNG outputs a predictable output stream, but I am not sure it is all that much more complicated.  How expensive is a lightweight stream cipher keyed off the time and the CPU serial number or some such thing to generate pseudorandom bits?  How much more to go from that to a simulation of the expected behavior, perhaps based on the same circuitry used in the unhacked version to test the noise source outputs?

--John
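As an added illustration of the scenario John describes (this is constructed example code, not code from the thread, from Intel, or from any vendor): a Python model in which the honest raw source is a biased coin and the tampered source is a keyed PRF (HMAC-SHA256 in counter mode stands in for the "lightweight stream cipher"), keyed off a made-up CPU serial number and boot time and shaped to the honest source's bias. Both streams pass the SP 800-90B continuous health tests (repetition count test and adaptive proportion test) and show the same bias, so raw-output access plus external statistical testing does not separate them; only a party holding the key can reproduce the tampered stream. The bias value, serial number, boot time and false-alarm rate alpha are all assumptions chosen for the demonstration.

```python
"""Constructed model: a PRF-driven 'noise source' shaped to the honest bias
passes the same continuous health tests as the honest source.  Not vendor code."""
import hashlib
import hmac
import math
import random

BIAS = 0.55                 # assumed P(bit = 1) of the honest raw source (made-up value)
H_MIN = -math.log2(BIAS)    # min-entropy per bit implied by that bias


def honest_noise(n_bits, rng=None):
    """Model of an untampered raw source: i.i.d. bits with P(1) = BIAS."""
    rng = rng or random.SystemRandom()
    return [1 if rng.random() < BIAS else 0 for _ in range(n_bits)]


def _prf_stream(key, n_bytes):
    """HMAC-SHA256 in counter mode stands in for a lightweight stream cipher."""
    out, ctr = bytearray(), 0
    while len(out) < n_bytes:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n_bytes])


def backdoored_noise(n_bits, cpu_serial, boot_time):
    """Tampered source: 'noise' is a PRF keyed off serial and time, then
    thresholded so its bias matches the honest source (assumed shaping)."""
    key = hashlib.sha256(cpu_serial + boot_time.to_bytes(8, "big")).digest()
    stream = _prf_stream(key, 2 * n_bits)
    threshold = int(BIAS * 65536)
    return [1 if int.from_bytes(stream[2 * i:2 * i + 2], "big") < threshold else 0
            for i in range(n_bits)]


def rct_cutoff(h_min, alpha):
    """SP 800-90B Repetition Count Test cutoff: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(-math.log2(alpha) / h_min)


def apt_cutoff(window, p, alpha):
    """SP 800-90B Adaptive Proportion Test cutoff: smallest c such that
    P(Binomial(window, p) >= c) < alpha, computed in log space."""
    tail = 0.0
    for c in range(window, -1, -1):
        log_pmf = (math.lgamma(window + 1) - math.lgamma(c + 1) - math.lgamma(window - c + 1)
                   + c * math.log(p) + (window - c) * math.log1p(-p))
        tail += math.exp(log_pmf)
        if tail >= alpha:
            return c + 1
    return 0


def health_tests(bits, h_min=H_MIN, alpha=2.0 ** -30, window=1024):
    """Run the two SP 800-90B continuous tests over a bit list.
    Returns (rct_ok, apt_ok)."""
    c_rct = rct_cutoff(h_min, alpha)
    c_apt = apt_cutoff(window, 2.0 ** -h_min, alpha)
    # RCT: fail if any value repeats c_rct times in a row.
    run, rct_ok = 1, True
    for prev, cur in zip(bits, bits[1:]):
        run = run + 1 if cur == prev else 1
        if run >= c_rct:
            rct_ok = False
            break
    # APT: fail if a window's first sample recurs c_apt or more times in it.
    apt_ok = True
    for start in range(0, len(bits) - window + 1, window):
        w = bits[start:start + window]
        if w.count(w[0]) >= c_apt:
            apt_ok = False
            break
    return rct_ok, apt_ok


def demo(n_bits=8192):
    """Compare honest and tampered streams from the outside, then from the inside."""
    serial, boot = b"constructed-serial-0001", 1378765792   # made-up identifiers
    honest = honest_noise(n_bits, random.Random(2013))       # seeded for repeatability
    evil = backdoored_noise(n_bits, serial, boot)
    return {
        "honest_passes": all(health_tests(honest)),
        "backdoored_passes": all(health_tests(evil)),
        "honest_bias": sum(honest) / n_bits,
        "backdoored_bias": sum(evil) / n_bits,
        # Only the holder of serial+time can regenerate the tampered 'noise'.
        "backdoored_reproducible": evil == backdoored_noise(n_bits, serial, boot),
        "honest_reproducible": honest_noise(n_bits) == honest_noise(n_bits),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The health tests are the continuous ones a chip would run on its own raw output; they catch a stuck or collapsed source, not a source that has been replaced by something keyed and well shaped. The `[0, 1] * n` alternating pattern below also passes both tests, which shows how little structure they are designed to detect; distinguishing the tampered stream needs the key, not more samples.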

