[Cryptography] A TRNG review per day: RDRAND and the right TRNG architecture

Jerry Leichter leichter at lrw.com
Sun Oct 26 20:54:29 EDT 2014


On Oct 26, 2014, at 6:32 PM, Sandy Harris <sandyinchina at gmail.com> wrote:
> Another architecture that is correct is the type of design
> used in various random(4) devices.
> 
>     several sources -> pool -> cryptographic hash
> 
> This requires stronger assumptions about the hash than the
> Turbid-ish design does and it fails (at least short-term) if the
> enemy learns pool contents.
> 
> All operations on the pool should be pool_word ^= input or
> += input, never pool_word = input, so that bad inputs cannot
> reduce pool entropy. Given that plus reasonable assumptions
> about the hash and that at least one source produces entropy
> unknown to an attacker, it is easy to show that this must
> recover from any state compromise attack eventually.
As has been mentioned here recently - and discussed in various papers - this last is false if the generator is forced to produce output while it's trying to recover.  If outputs are produced at a rate at least equal to the rate in which new entropy is fed into the pool, and that feed rate is low enough, the generator may never recover.  The work-around with the design as given is to block long enough to build up the necessary entropy.  This may be difficult if you have only a very conservative estimate of entropy to work from - you may have to block for a while.

							-- Jerry




More information about the cryptography mailing list