chip-level randomness?

Peter Fairbrother peter.fairbrother at ntlworld.com
Wed Sep 19 16:35:32 EDT 2001


> Bram Cohen wrote:

>> On Tue, 18 Sep 2001, Pawel Krawczyk wrote:
[..]
>> It's not that stupid, as feeding the PRNG from i810_rng at the kernel
>> level would be resource intensive,
> 
> You only have to do it once at startup to get enough entropy in there.

If your machine is left on for months or years the seed entropy would become
a big target. If your PRNG status is compromised then all future uses of
PRNG output are compromised, which means pretty much everything crypto.
Other attacks on the PRNG become possible.

>> and would require inventing some defaults without any reasonable
>> arguments to rely on. Like how often to feed the PRNG, with how much
>> data etc.

The Intel rng outputs about 8kB/s (I have heard of higher rates). Using all
this entropy to reseed a PRNG on a reasonably modern machine would not take
up _that_ much resources. And it would pretty much defeat any likely attacks
on the PRNG.

> At startup and with 200 bits of data would be fine.

So you need a "cryptographically-secure" PRNG that takes a 200-bit seed. As
the output is used by programs that may use strange and not-yet-invented
algorithms which may interact with and weaken the PRNG, how are you going to
design it? And what happens if your PRNG is broken? Everything is lost, the
attacker has "got root" so to speak.

> Of course, there's the religion of people who say that /dev/random output
> 'needs' to contain 'all real' entropy, despite the absolute zero increase
> in security this results in and the disastrous effect it can have on
> performance.

Sometimes it may have no effect on security, but it can affect it badly.
Brute force attacks on the PRNG could be more efficient than on the cipher
if 256 bit or higher keys were used. With the possible introduction of QC
looming it might well be advisable to use such key-lengths for data that
requires long-term security.

I agree that performance hits arise if an all-real-random approach is used,
but personally I am in favour of using all the entropy that can easily be
collected without taking those hits. The Intel rng can do this nicely
(although I would use other sources of entropy as well).


-- Peter Fairbrother
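The point made above about a compromised PRNG state exposing all future output unless fresh entropy keeps being mixed in, as an added example that is not part of the original thread or of any kernel or library mentioned in it. It uses a simplified HMAC-SHA256 generator (in the spirit of HMAC_DRBG, not a production implementation); `STARTUP_SEED`, `constructed_hw_sample` and `HmacPrng` are constructed for the demonstration and stand in for the 200-bit startup seed, a hardware RNG read and the kernel generator respectively. The attacker copies the generator state once and then tries to predict subsequent output; with seed-once-at-startup every later block is predictable, while periodic reseeding from an entropy source the attacker cannot observe cuts the exposure to the blocks before the next reseed.

```python
import hashlib
import hmac

# Constructed 200-bit seed, standing in for "200 bits at startup" from the thread.
STARTUP_SEED = hashlib.sha256(b"constructed startup seed").digest()[:25]  # 25 bytes = 200 bits


def constructed_hw_sample(i: int) -> bytes:
    """Stand-in for one read from a hardware RNG (e.g. the Intel rng); fixed per index so
    the demo is reproducible. A real system would read the device instead (assumption)."""
    return hashlib.sha256(b"constructed hw sample %d" % i).digest()


class HmacPrng:
    """Minimal HMAC-SHA256 generator modelled loosely on HMAC_DRBG (illustration only)."""

    def __init__(self, seed: bytes) -> None:
        self.key = b"\x00" * 32
        self.counter = 0
        self.reseed(seed)

    def reseed(self, entropy: bytes) -> None:
        # The new key depends on the old key AND the fresh entropy: an attacker who holds
        # the old key but did not see the entropy cannot compute the new key.
        self.key = hmac.new(self.key, b"reseed|" + entropy, hashlib.sha256).digest()

    def next_block(self) -> bytes:
        self.counter += 1
        out = hmac.new(self.key, b"output|" + self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        # Ratchet the key forward so earlier outputs cannot be recomputed from a later capture.
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()
        return out

    def copy(self) -> "HmacPrng":
        # Models the state compromise: the attacker obtains an exact copy of the generator.
        clone = HmacPrng.__new__(HmacPrng)
        clone.key, clone.counter = self.key, self.counter
        return clone


def predictable_after_compromise(reseed_every: int, n_blocks: int) -> int:
    """Copy the generator state once (the compromise), then count how many of the victim's
    next n_blocks outputs the attacker reproduces. reseed_every=0 means seed once at startup
    and never reseed; otherwise hardware entropy is mixed in every reseed_every blocks."""
    victim = HmacPrng(STARTUP_SEED)
    for _ in range(3):  # some normal use before the compromise
        victim.next_block()
    attacker = victim.copy()
    predicted = 0
    for i in range(1, n_blocks + 1):
        if reseed_every and i % reseed_every == 0:
            victim.reseed(constructed_hw_sample(i))  # attacker never sees this entropy
        if victim.next_block() == attacker.next_block():
            predicted += 1
    return predicted


if __name__ == "__main__":
    print("seed once, never reseed:", predictable_after_compromise(0, 10), "of 10 blocks predictable")
    print("reseed every 4 blocks  :", predictable_after_compromise(4, 10), "of 10 blocks predictable")
```

The reseed step is what turns a one-time 200-bit seed into a generator that recovers from a state disclosure: without it, the question of how often to reseed never arises because the attacker's copy stays in lockstep forever; with it, the exposure window is bounded by the reseed interval and by how much of the hardware source's output the attacker can observe.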




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com