Dirty Secrets of "noise based" RNGs

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jul 5 09:56:16 EDT 2006


Thor Lancelot Simon <tls at rek.tjls.com> writes:

>Do you actually know of publicly available documentation on the design and
>implementation of *any* of these "noise based" RNGs?  I have spent some time
>looking, and I do not.

Someone from HiFn discussed an older HiFn design based on ring oscillators
with postprocessing at the NIST RNG workshop in 2004,
http://csrc.nist.gov/CryptoToolkit/RNG.html.  Newer designs are apparently
more sophisticated than this, but the details aren't easily available.  I feel
reasonably confident in their design; they know what they're doing.

>Broadcom makes no RNG documentation, much less analysis, publicly
>available.

Broadcom makes no documentation of any kind available.  Nothing to see here,
move along.

>I have not had time to investigate the situation vis-a-vis VIA.  I am told
>it's somewhat better, but I was told the Broadcom stuff was trustworthy, too,
>and then I found out that the person who said so did not really have
>documentation either!

Via's stuff is currently the best-documented and best-analysed, and you know
what you're getting in the CPUs (you can read all the status info out of
MSRs).

>If you're using their RNG without NDA documentation that may or may not even
>exist, it's on a "trust us...really!" basis.

Unfortunately the security techies are very much in the minority here; for
99.99% of customers "trust us, really" is fine.  For the vendors it's just too
much work to prepare and clear technical documentation for release when only a
handful of guys in an ivory tower somewhere will ever read it.  I've seen
documentation for one crypto device where it was obvious that it was an
internal doc that had been hastily cleaned up for publication because someone
somewhere had demanded it (some bits of the document had been passed over in
the clearing process; their lawyers would have had a fit).

Asking for these sorts of docs reminds me of the situation with the kernel
hackers who bug vendors for hardware technical data ("why on earth do you want
this information, we provide you with the drivers, don't we?"), but with an
even harder case to make to the crypto hardware vendors.

>These all add up to "vendors are doing things with their 'noise-based' RNGs
>that should *really* scare you".

That's why I'd never trust a single source of entropy for anything, but mix as
many sources as possible into a PRNG (safety through redundancy).  If you look
at the Skipjack RNG, the NSA seem to do the same thing; there are multiple
sources and even if one fails completely it won't destroy the usefulness of
the generator as a whole.

Peter.
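The mixing approach described in the post above, as an added illustration that is not part of the original message: a pool that hash-chains samples from several sources (a working one and a stuck one, both constructed here as stand-ins, not real hardware) keeps producing usable output even though one source has failed, while a per-source repetition check flags the failed source for monitoring. All class and function names are assumptions for this demo.

```python
import hashlib
import hmac


def stuck_source(n: int) -> bytes:
    """Constructed stand-in for a failed noise source: same value forever."""
    return b"\x00" * n


def fake_noise_source(seed: bytes):
    """Constructed, deterministic stand-in for a working source (reproducible demo)."""
    state = seed

    def sample(n: int) -> bytes:
        nonlocal state
        out = b""
        while len(out) < n:
            state = hashlib.sha256(state).digest()
            out += state
        return out[:n]
    return sample


def source_is_stuck(sample: bytes, max_run: int = 8) -> bool:
    """Repetition-count style health check: a long run of identical bytes is a bad sign."""
    run = 1
    for prev, cur in zip(sample, sample[1:]):
        run = run + 1 if cur == prev else 1
        if run >= max_run:
            return True
    return False


class MixedPool:
    """Folds every source into one pool with SHA-256; derives output with HMAC."""

    def __init__(self):
        self.pool = b"\x00" * 32
        self.counter = 0
        self.failed = []  # names of sources that failed the health check

    def add_source(self, name: str, sample: bytes) -> None:
        if source_is_stuck(sample):
            self.failed.append(name)  # record it, but still mix: it cannot hurt the pool
        self.pool = hashlib.sha256(self.pool + name.encode() + sample).digest()

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hmac.new(self.pool, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        self.pool = hashlib.sha256(b"ratchet" + self.pool).digest()  # forward secrecy of past outputs
        return out[:n]
```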


---------------------------------------------------------------------
The Cryptography Mailing List