chip-level randomness?

Peter Fairbrother peter.fairbrother at ntlworld.com
Wed Sep 19 21:02:28 EDT 2001 

Bram,

I need _lots_ of random-looking bits to use as covertraffic, so I'm using
continuous reseeding (of a BBS PRNG) using i810_rng output on i386 platform
as well as other sources (the usual suspects plus CD latency plus an
optional USB feed-through rng device a bit like a dongle). I don't use a rng
on Apple, 'cos it doesn't have one. Others would perhaps not need so many
bits. 

I do hash them, but I don't really trust any hash, algorithm, or rng, so I
use all the entropy I can get from anywhere and mix it up. I try to arrange
things so each source is sufficient by itself to provide decent protection.

It might be a better idea to schedule reseeding of the PRNG depending on
usage rather than time for more everyday use. Actually I don't disagree with
you much, except I'd like to see reseeding more often than once a minute.

There is another reason to use a PRNG rather than a real-rng, which is to
deliberately repeat "random" output for debugging, replaying games, etc. Not
very relevant to crypto, except perhaps as part of an attack strategy.

-- Peter


>> On Wed, 19 Sep 2001, Peter Fairbrother wrote:
> 
>> Bram Cohen wrote:
>> 
>>>> You only have to do it once at startup to get enough entropy in there.
>> 
>> If your machine is left on for months or years the seed entropy would become
>> a big target. If your PRNG status is compromised then all future uses of
>> PRNG output are compromised, which means pretty much everything crypto.
>> Other attacks on the PRNG become possible.
> 
> Such attacks can be stopped by reseeding once a minute or so, at much less
> computational cost than doing it 'continuously'. I think periodic
> reseedings are worth doing, even though I've never actually heard of an
> attack on the internal state of a PRNG which was launched *after* it had
> been seeded properly once already.




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list