Toshiba shows 2Mbps hardware RNG

Dan Kaminsky dan at doxpara.com
Fri Feb 15 04:47:45 EST 2008



Peter Gutmann wrote:
> "David G. Koontz" <david_koontz at xtra.co.nz> writes:
>
>> Military silicon already has RNG on chip (e.g. AIM, Advanced INFOSEC Machine,
>> Motorola),
>
> That's only a part of it.  Military silicon has a hardware RNG on chip
> alongside a range of other things because they know full well that you can't
> trust only a hardware/noise-based RNG, there are too many variables and too
> many things that can go wrong with that single source.  That's why I was
> sceptical of the "we've solved the RNG problem with our custom hardware"
> claim, they've created one possible source of input but not a universal
> solution.
>
> Peter.
Peter, you've just hit on something that's genuinely confused me for
quite some time.  Combining hash functions has always seemed naive --
the problem with chaining two different functions is that it creates a
midpoint; you can collide half the bitspace independently of the other
half.  Better to just thoroughly mix them both.  But shouldn't it be an
improvement to XOR a theoretically correct RNG with a well seeded PRNG,
based on the theory that:

1) Either generator could be safely XOR'd against a repeated series of
0x41's, and the output would still be just as random
2) The flaws of a subtly broken RNG would be difficult to exploit
through the noise of a sufficiently validated cryptographic function,
and vice versa

For example, the following construction:

Start with an RNG.  Retrieve 64K of "random data".  Assume there might
be a bias somewhere in there, but that at least 256 bits are good.
SHA-256 the data.  AES-256 encrypt the data with the result from the
SHA-256.  XOR the random data against its encrypted self.  Return 64K of
PRNG-hardened RNG data.

Aside from the obvious rejoinder to maybe XOR *another* batch of entropy
against the previous batch's encrypted self (a change that halves
performance), I can't see much wrong.  I rather deeply doubt I'm the
first to come up with a suggestion like that either.  So, uh, why do
weak RNGs keep showing up?  Is there something fundamentally breakable
in the above design?

--Dan

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
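The construction sketched in the message above (64K batch, SHA-256 the batch, AES-256 under that digest, XOR the batch with its own ciphertext), written out as an added example; this is editor-supplied illustration code, not code from Dan or from the list. The post names no block-cipher mode, so CBC with an all-zero IV is assumed here (a stream mode such as CTR would be a poor fit, since raw XOR CTR(raw) cancels to the bare keystream); the helper names Harden, StuckSource, LiveSource and Repeats are this example's own. StuckSource models a hardware RNG that has failed to a constant byte, which is the single-source failure Peter's quoted reply is about: the hardened batch looks random on inspection yet is byte-for-byte identical every time, because the whole pipeline is a deterministic function of its input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const blockLen = 64 * 1024 // the 64K batch size from the post

// Harden applies the post's construction to one batch of raw RNG output:
// SHA-256 the batch, use the digest as an AES-256 key, encrypt the batch
// under that key, and XOR the batch with its own ciphertext.
// Assumption (the post names no mode): CBC with an all-zero IV. The IV is
// never reused under one key because every batch derives its key from itself.
func Harden(raw []byte) ([]byte, error) {
	if len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("batch length %d is not a multiple of %d", len(raw), aes.BlockSize)
	}
	key := sha256.Sum256(raw) // 32 bytes -> AES-256
	blk, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // assumed: all-zero IV
	enc := make([]byte, len(raw))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(enc, raw)
	out := make([]byte, len(raw))
	for i := range raw {
		out[i] = raw[i] ^ enc[i] // XOR the batch against its encrypted self
	}
	return out, nil
}

// StuckSource is a constructed sample standing in for a hardware RNG that
// has failed to a constant byte (the 0x41 of the post's point 1).
func StuckSource(n int) []byte { return bytes.Repeat([]byte{0x41}, n) }

// LiveSource reads n bytes from the OS CSPRNG, standing in for a healthy RNG.
func LiveSource(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// Repeats reports whether two hardened batches are identical: the most basic
// check a consumer of this construction can run on consecutive outputs.
func Repeats(a, b []byte) bool { return bytes.Equal(a, b) }

func main() {
	stuck1, _ := Harden(StuckSource(blockLen))
	stuck2, _ := Harden(StuckSource(blockLen))
	fmt.Printf("stuck source: first bytes %x, repeats=%v\n", stuck1[:8], Repeats(stuck1, stuck2))

	live1, _ := LiveSource(blockLen)
	live2, _ := LiveSource(blockLen)
	h1, _ := Harden(live1)
	h2, _ := Harden(live2)
	fmt.Printf("live source:  first bytes %x, repeats=%v\n", h1[:8], Repeats(h1, h2))
}
```

Run it twice: the stuck-source line prints the same eight bytes on every run and repeats=true, while the live-source line changes and reports repeats=false. Nothing in Harden can tell the two apart on its own; the repeat check has to sit outside the mixing step, looking at the raw source.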