[Cryptography] SP800-90A B & C

Bear bear at sonic.net
Mon Nov 11 16:23:20 EST 2013


On Sun, 2013-11-10 at 12:09 -0800, Watson Ladd wrote:

> There are (broadly speaking) two different designs for random number
> generators. NIST is using the physics+stretch approach: A low
> bandwidth source of random bits, defined in 90B, periodically reseeds
> a pseudorandom generator as in 90A.

> The other design, exemplified by Yarrow, Fortuna, the Linux kernel
> randomness subsystem, and others, uses large numbers of inputs of
> unknown entropy, and attempts to distill a few bits of known entropy.

> I believe that we have a much better handle on the first class of
> designs from a cryptanalytic perspective than the second. In
> particular the pooling design can fail in very subtle ways if it has
> too few sources. By contrast the first approach is guaranteed by
> design to have a seed from a random process if it works.

I actually have more concerns about the first design, because recent
events force us to consider hardware manufacturers as adversaries or 
as being possibly complicit with adversaries.  A special-purpose
device which we cannot see inside to verify that it works in the way
it is being described to work is unacceptable as a sole source of
entropy because it represents a single manufacturer who must therefore
be given total trust. 

It is a good design, but we have no way of assuring that it is the 
design which is actually implemented.  Therefore we need a different 
good design, and I think that systems of the second kind with diverse 
sources of entropy are better because they contain multiple sources  
which can be verified.  The fact that they also benefit from sources 
which cannot be verified if those sources are in fact good, and with 
respect to adversaries to whom those sources are good even if there 
are other opponents to which they are transparent, is also important.

In fact even if every source of randomness available is compromised, 
but they are compromised by nine different opponents none of whom 
is trusted with the compromises by all of the others, it is still
possible to build a system secure against all of these nine adversaries
using a mixing approach.  

	Bear
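An added illustration of the mixing approach Bear refers to (this is editor-supplied example code, not part of the original post and not any real system's pool): nine constructed inputs are combined with a length-prefixed SHA-256, and an adversary who knows all but one input is modelled by brute force. The nine sources, the single-adversary "view" and the 16-bit weak value are constructed for the demonstration; the point the code makes beyond the text is the caveat that each adversary must be missing enough entropy from the sources it does not control, otherwise the mixed output is recoverable.

```python
"""Added example: a minimal hash-based entropy combiner plus a check of
what an adversary who knows all inputs but one can do.

Assumptions (all constructed for illustration, not a real design):
  * nine "sources", each a byte string; an adversary's knowledge of a
    source is modelled by giving it that source's bytes;
  * SHA-256 as the combiner, with every input length-prefixed so that
    two different input lists cannot feed identical bytes to the hash.
"""
import hashlib
import itertools
from typing import Dict, Optional, Sequence


def mix(sources: Sequence[bytes]) -> bytes:
    """Combine the inputs into 32 output bytes. Length prefixes stop
    [b"ab", b"c"] and [b"a", b"bc"] from hashing to the same value."""
    h = hashlib.sha256()
    h.update(len(sources).to_bytes(4, "big"))
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()


def brute_force(target: bytes, known: Dict[int, bytes], n_sources: int,
                unknown_index: int, unknown_len: int) -> Optional[bytes]:
    """An adversary that knows every source except one of `unknown_len`
    bytes tries all 256**unknown_len candidates against the mixed output.
    Returns the recovered source, or None. This is only feasible when the
    entropy the adversary is missing is small, which is the caveat to the
    nine-adversaries argument: mixing protects against an adversary only
    to the extent that the sources it does not control are unpredictable
    to it."""
    if n_sources - len(known) != 1 or unknown_index in known:
        raise ValueError("exactly one source must be unknown")
    for guess in itertools.product(range(256), repeat=unknown_len):
        candidate = bytes(guess)
        sources = [candidate if i == unknown_index else known[i]
                   for i in range(n_sources)]
        if mix(sources) == target:
            return candidate
    return None


def demo() -> Dict[str, object]:
    # Constructed sample inputs (hash outputs standing in for 256-bit
    # sources); not real entropy.
    strong = [hashlib.sha256(bytes([i])).digest() for i in range(9)]
    out = mix(strong)

    # Adversary 7 fully controls source 7 and knows nothing else, so
    # 8 x 256 bits of input it cannot see stand between it and `out`
    # (assuming, for the example, that the other sources are full-entropy).
    known_by_adv7 = {7: strong[7]}
    unknown_bits = sum(len(strong[i]) * 8 for i in range(9)
                       if i not in known_by_adv7)

    # Same layout, but source 4 is a weak 16-bit value (think: the low
    # word of a timer) and the adversary knows the other eight sources.
    weak = list(strong)
    weak[4] = b"\x13\x37"
    out_weak = mix(weak)
    known_all_but_4 = {i: weak[i] for i in range(9) if i != 4}
    recovered = brute_force(out_weak, known_all_but_4, 9, 4, 2)

    return {
        "output": out,
        "adv7_unknown_bits": unknown_bits,
        "recovered_weak_source": recovered,
    }


if __name__ == "__main__":
    r = demo()
    print("mixed output:", r["output"].hex())
    print("bits unknown to adversary 7:", r["adv7_unknown_bits"])
    print("weak source recovered by all-but-one adversary:",
          r["recovered_weak_source"])
```

The second half of demo() is the practical check to keep in mind with a mixing design: it is not enough that each adversary is missing some source, the sources an adversary does not control must together carry enough entropy that exhaustive search over them is out of reach.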
