[Cryptography] A TRNG review per day: RDRAND and the right TRNG architecture

Sandy Harris sandyinchina at gmail.com
Sun Oct 26 18:32:37 EDT 2014


Bill Cox <waywardgeek at gmail.com> wrote:

> The "right TRNG architecture" looks like this:
>
>     auditable cheap low speed TRNG -> auditable high speed CPRNG -> happy
> user

That is one good design, but far from the only one.

One alternative is a well-designed high-speed TRNG, such as Turbid.

    fast process with provable minimum entropy -> auditable compressor

Given some fairly mild assumptions about properties of the hash, this
can provably get within epsilon of perfectly random output. Also, it is
stateless, so it is completely immune to the state discovery attacks
which are a threat to CPRNGs.

This solves the problem, short of extremes like failure or saturation of
the hardware part (sound card in Turbid). Add auditable checks for
those conditions and there you go.

It looks to me like Intel or others with on-chip TRNGs could reach
the requirements of this model without excessive effort, at least
given an assumption that the hardware actually implements its
spec. Dealing with the possibility of subversion that makes the
chip different from the spec is a separate problem that looks
harder.

Another architecture that is correct is the type of design
used in various random(4) devices.

     several sources -> pool -> cryptographic hash

This requires stronger assumptions about the hash than the
Turbid-ish design does and it fails (at least short-term) if the
enemy learns pool contents.

All operations on the pool should be pool_word ^= input or
+= input, never pool_word = input, so that bad inputs cannot
reduce pool entropy. Given that plus reasonable assumptions
about the hash and that at least one source produces entropy
unknown to an attacker, it is easy to show that this must
recover from any state compromise attack eventually.


More information about the cryptography mailing list