[Cryptography] Random number generation influenced, HW RNG
Perry E. Metzger
perry at piermont.com
Tue Sep 10 00:08:10 EDT 2013
On Mon, 9 Sep 2013 23:29:52 -0400 John Kelsey <crypto.jmk at gmail.com> wrote:
> On Sep 9, 2013, at 6:32 PM, "Perry E. Metzger" <perry at piermont.com> wrote:
> > First, David, thank you for participating in this discussion.
> > To orient people, we're talking about whether Intel's on-chip
> > hardware RNGs should allow programmers access to the raw HRNG
> > output, both for validation purposes to make sure the whole
> > system is working correctly, and if they would prefer to do their
> > own whitening and stretching of the output.
> Giving raw access to the noise source outputs lets you test the
> source from the outside, and there is a lot to be said for it. But
> I am not sure how much it helps against tampered chips. If I can
> tamper with the noise source in hardware to make it predictable, it
> seems like I should also be able to make it simulate the expected
Sure, but that might be visible in chip teardowns, which
would see an unexpected circuit, while an analog defect in the dual
inverter circuit Intel is using (or was using, I haven't looked in a
while) that biased the output might be quite subtle and very
difficult to find even then.
People forget that you can, in fact, tear down chips. Though I
will not claim it can be done with anything like the ease with
which people reverse engineer software, the tools are available at
many research universities these days, and more and more people are
The part that could get hairy, of course, is that there's an ocean of
circuitry on a modern high end processor, and given that this is being
handled by an instruction, there's an awful lot of ways it could be
gimmicked even if the "correct" circuit was there and seemed to work
as advertised. Fully analyzing the situation might take real funding.
Perry E. Metzger perry at piermont.com
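The testing point both sides make above (raw output can be checked from outside, conditioned output largely cannot) can be shown numerically. The following is an added example, not code from the thread or from Intel: a constructed, slightly biased bit source stands in for an analog defect in the raw noise source, a toy XOR-fold stands in for whatever conditioning the chip applies, and a monobit test plays the role of the external validator.

```python
import math
import random


def biased_raw_bits(n, p_one, seed=1):
    """Constructed stand-in for a raw noise source whose analog defect
    pushes P(bit = 1) to p_one instead of 0.5 (not real hardware output)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def xor_fold(bits, k):
    """Toy conditioner: XOR k consecutive raw bits into one output bit."""
    return [sum(bits[i:i + k]) % 2 for i in range(0, len(bits) - k + 1, k)]


def monobit_z(bits):
    """Monobit statistic: z-score of the ones count under the fair-coin
    hypothesis. |z| > 3 is strong evidence that the source is biased."""
    n = len(bits)
    return (2 * sum(bits) - n) / math.sqrt(n)


def detectable(bits, threshold=3.0):
    """True when the monobit test flags the bits as biased."""
    return abs(monobit_z(bits)) > threshold


def xor_bias(bias, k):
    """Residual bias after XOR-folding k bits that each have bias `bias`:
    P(1) = (1 - (1 - 2p)^k) / 2, so the bias shrinks to (2*bias)^k / 2."""
    return (2 * bias) ** k / 2


def samples_needed(bias, z=3.0):
    """Approximate number of bits the monobit test needs to reach |z| >= z
    against a source with the given bias: expected z = 2*bias*sqrt(n)."""
    return round((z / (2 * bias)) ** 2)


if __name__ == "__main__":
    raw = biased_raw_bits(100_000, 0.52)   # 2% bias on the raw source
    cond = xor_fold(raw, 8)                # what a program would see
    print("raw  z = %.1f biased: %s" % (monobit_z(raw), detectable(raw)))
    print("cond z = %.1f biased: %s" % (monobit_z(cond), detectable(cond)))
    print("bits to flag raw bias:", samples_needed(0.02))
    print("bits to flag conditioned bias: %.1e"
          % samples_needed(xor_bias(0.02, 8)))
```

With only raw access denied, a 2% defect that a few thousand raw bits would expose needs on the order of 10^23 conditioned bits to show up in the same test, which is the practical argument for exposing the raw output to validation.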