Via puts RNGs on new processors
Don Davis
don at mit.edu
Tue Apr 8 17:28:20 EDT 2003
At 12:20 PM -0400 4/8/03, Perry E. Metzger wrote:
>>> FYI, it appears that Cryptography Research has
>>> done an evaluation on the RNG. See:
>>> http://www.cryptography.com/resources/whitepapers/index.html
> Don Davis wrote:
>>
>> a one-time evaluation of the RNG's design
>> and of its output aren't really enough.
>> there are three related issues,
>>
>> * production-line QA:
At 4:42 PM -0400 4/8/03, Ian Grigg wrote:
> This could be solved by selling the chip
> "as is". With no guarantee of performance,
> leaving each user to make their own tests.
this isn't a salable answer for commercial
deployments, though it's a good-enough answer
for crypto hobbyists.
>> * detection of run-time TRNG failures:...
> No guarantee, then no problem. This seems
> to be a userland problem, solved by some
> user program that tests the output, run on
> an application basis.
again, not a commercially salable solution.
good RNG tests run _slow_. i once found a
correlation in an RNG's output that showed
up only in a set of 30M samples.
>> * surely, vendors are going to be unwilling
>> to discard a chip whose CPU and on-board
>> memory work, but whose TRNG doesn't work.
> run the TRNG for a couple of seconds,
> compress the result, and use the result
> to decide whether the chip goes into the
> "good" bucket or the "no-TRNG" bucket.
i'm sorry, but compressibility is not a
sensitive randomness test at all, much
less is it a thorough randomness test.
> The main thing about use of random number
> sources is to never trust a single source;
> ... From that point of view, an on-chip RNG
> would be a really useful input into Yarrow.
agreed. but this undermines the on-chip TRNG's
"one stop shopping" claim to fame.
- don davis
-
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
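Added example, not part of the thread above: it illustrates the two points made in the reply, that compressibility is an insensitive randomness test and that a sensitive test needs a large sample. It constructs a hypothetical faulty TRNG whose bit 0 repeats the previous byte's bit 0 with probability 0.51 instead of 0.5; zlib still reports the output as incompressible, while a serial-correlation test on that bit rejects it only once the sample is large enough.

```python
"""Constructed demo: a subtly faulty TRNG that a compressibility check
accepts but a serial-correlation test rejects, given enough samples."""
import math
import random
import zlib


def faulty_trng(n_bytes, p_repeat=0.51, seed=2003):
    """Hypothetical faulty source (constructed for this demo): each byte is
    uniform except that bit 0 repeats the previous byte's bit 0 with
    probability p_repeat (a good source: 0.5). Bit 0 is still 50/50 overall,
    so plain frequency counts on that bit look fine."""
    rng = random.Random(seed)
    out = bytearray()
    prev = 0
    for _ in range(n_bytes):
        bit = prev if rng.random() < p_repeat else 1 - prev
        out.append((rng.getrandbits(8) & 0xFE) | bit)
        prev = bit
    return bytes(out)


def compression_ratio(data):
    """Compressed size / raw size; about 1.0 means 'incompressible'."""
    return len(zlib.compress(data, 9)) / len(data)


def lsb_serial_z(data):
    """z-score of the count of adjacent equal LSBs. For a good source the
    count is ~ Binomial(n-1, 1/2); |z| > 3 is a strong rejection."""
    bits = [b & 1 for b in data]
    n = len(bits) - 1
    repeats = sum(1 for i in range(n) if bits[i] == bits[i + 1])
    return (repeats - n / 2) / math.sqrt(n / 4)


def evaluate(n_bytes):
    """Run both checks on n_bytes of output from the faulty source."""
    data = faulty_trng(n_bytes)
    return {"ratio": compression_ratio(data), "z": lsb_serial_z(data)}


if __name__ == "__main__":
    # A 1 KB sample looks clean under both checks; 1 MB exposes the defect,
    # but only to the serial test (the compression ratio stays near 1.0).
    for n in (1_000, 1_000_000):
        r = evaluate(n)
        print(f"{n:>9} bytes: ratio {r['ratio']:.4f}, LSB serial z = {r['z']:+.2f}")
```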