[Cryptography] Use of RDRAND in Haskell's TLS RNG?

[Ray Dillinger]

On 11/22/2016 01:19 PM, dj at deadhat.com wrote:

> So when you choose to combine 1 second worth of data from RdRand with 1
> second worth of data from your undersampled ring oscillator, you end up
> with 800MBytes of RdRand data and a couple of kilobits of data from the
> other source. You can choose to lower the performance to the slowest
> source you have and if that's ok and you're using a good extractor, you'll
> be ok.

It's okay with me.  I want 128 bits of confidence and RDRAND gives me
about 5 (sorry, but for more than 5 you have to be publicly auditable).
5 bits is a net gain, so I'm glad it's there.  I use much smaller
samples of it (tho still bigger than the OS's RNG state that I'm feeding
it into) because given only 5 bits of confidence much larger samples of
output are useless.

It doesn't matter to me whether I get those 5 bits of confidence in an
800MByte sample or a 16-bit sample, they are still only 5 bits of
confidence.  That's because this isn't about the unpredictability of
some unknown physical process.  It's about the good faith of Intel,
Intel's freedom to act in good faith, and the quality of the
implementation.  Either it's golden, or it's broken, and absent an audit
I'm giving it about 31-to-1 odds of being good.

I have 20-bit (or million-to-one) confidence that acting in good faith
Intel may have provided exactly what it claims to, and with a proper
audit I could trust it 20 bits.  After a detailed check into the quality
of the implementation of a randomly-drawn sample of CPUs I could trust
it about 40 bits (trillion-to-one). But I have only 5-bit confidence
that Intel is free to act in good faith, so obviously RDRAND makes only
a 5-bit contribution to my confidence no matter how much of its output
gets used.  Make sure I read some of it before generating a key?  Yes,
because 5 bits are better than none.  Make sure I read something else
too?  Yes, because 5-bit keys are a stupid concept.

There is no ratio of bits to "entropy" from any unauditable source, and
any mixer that claims that there is, is wrong.  For something that can't
be audited, there are only two questions. How much do we trust the
implementing entity and its team? and: What fraction of the adversaries
we care about can't take advantage of any failure of the implementing
entity and its team?

				Bear


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20161122/ac2e9281/attachment.sig>