[Cryptography] A TRNG review per day: RDRAND and the right TRNG architecture
David Leon Gil
coruus at gmail.com
Sun Oct 26 22:10:53 EDT 2014
On Fri, Oct 24, 2014 at 5:31 AM, Bill Cox <waywardgeek at gmail.com> wrote:
> However, I happen to be something of a speed freak. Intel's RDRAND
> instruction is appealing to me. The architecture is the fastest TRNG I have
> seen. So, why not use it? Here's why:
>
> - It is probably back doored
> - It is not auditable
> - Critical portions of its design remain secret (such as whitening and how
> to disable it)
I thought that the whitening design had been published? They're using
CTR-DRBG instantiated with AES-128. (This, in itself, is probably all
the NSA could want; the security strength of that construction is
rather low.)
Here's the paper:
http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf
> That said, this TRNG has so many drawbacks that I predict no one other than
> Intel will ever use it. First, it requires a couple of large-ish on-chip
> capacitors to hold the control voltages that compensate for factors that
> cause the latch to prefer to power up one way or the other. Without
> measuring the 0/1 bias and dynamically compensating for it, this circuit
> simply does not work. This by itself makes Intel's TRNG both large and
> complex. Worse, it is *massively* sensitive to nearby signals. It is more
> sensitive to external signals than any other architecture I know of. No
> other TRNG relies on amplifying such a small noise signal, and no other
> architecture can be PWNed with as little injected energy. This is literally
> the most attacker signal sensitive TRNG ever designed.
Thanks for the terrific summary of potential side-channel attacks.
> A TRNG simply does not need to be fast. A Lava Lamp generates entropy fast
> enough for almost any application, so long as we use it to seed a high
> speed CPRNG firehose. Anyone selling you a high speed TRNG for a lot of
> money, based on quantum voodoo or whatever, is ripping you off.
Agreed; the quantum RNGs in particular make me laugh. (I'd wonder who
would be so stupid as to buy one, but even Google has bought into the
similarly craptastic D-wave nonsense.)
> Due to Intel's inexplicable reluctance to make their device auditable, while
> relying on what is probably the hardest TRNG architecture to get right, I
> have to rate RDRAND as snake-oil for use in cryptography.
They need to publish layout information so that third-parties can
easily(-ish) verify it. Information on the "eight different
operational modes" supported by the RNG would be nice too.
-dlg
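The two technical points in this exchange are the conditioning construction Intel puts behind RDRAND (a NIST SP 800-90A CTR-DRBG keyed with AES-128) and Bill's argument that a slow entropy source is enough if it only seeds a fast deterministic generator. The following worked example, added here and not part of the thread or of any Intel code, shows that seed-then-stream pattern with a DRBG from the same standard. Assumptions: it uses the sibling HMAC_DRBG with SHA-256 rather than CTR-DRBG/AES-128 because the Python standard library has HMAC but no AES; the `SlowEntropySource` class is a constructed stand-in that only counts how many bytes are pulled, not a model of any real hardware; the reseed interval of 1000 calls is an arbitrary demo value (the standard allows up to 2^48 for HMAC_DRBG); and `monobit_bias` is a one-line sanity check, not a substitute for a proper health-test suite.

```python
"""Added example: an SP 800-90A HMAC_DRBG (SHA-256) seeded from a slow
entropy source, reseeded on a fixed interval, plus a simple bias check.
Hypothetical names: SlowEntropySource, HmacDrbg, monobit_bias, demo."""
import hashlib
import hmac
import os

OUTLEN = 32  # SHA-256 output length in bytes


class SlowEntropySource:
    """Constructed stand-in for a slow TRNG. It counts bytes served so the demo
    can show how rarely the DRBG actually touches the entropy source."""

    def __init__(self, raw=None):
        self._raw = raw  # optional fixed bytes, used only for deterministic tests
        self.bytes_served = 0

    def get_entropy(self, n):
        self.bytes_served += n
        if self._raw is not None:
            return self._raw[:n]
        return os.urandom(n)


class HmacDrbg:
    """HMAC_DRBG from NIST SP 800-90A section 10.1.2, instantiated with SHA-256."""

    def __init__(self, source, reseed_interval=1000, nonce=b"", personalization=b""):
        self.source = source
        self.reseed_interval = reseed_interval
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        # Instantiate: seed_material = entropy_input || nonce || personalization
        self._update(source.get_entropy(OUTLEN) + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data):
        # HMAC_DRBG_Update: fold provided_data into the internal state (K, V)
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, additional_input=b""):
        self._update(self.source.get_entropy(OUTLEN) + additional_input)
        self.reseed_counter = 1

    def generate(self, n, additional_input=b""):
        # The standard has Generate signal "reseed required" and the caller
        # reseed; here the caller-side reseed is folded in for convenience.
        if self.reseed_counter > self.reseed_interval:
            self.reseed(additional_input)
            additional_input = b""
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n]


def monobit_bias(data):
    """Fraction of one bits minus 0.5. This is the 0/1 bias Bill describes a raw
    latch-based TRNG having to measure and compensate; on conditioned DRBG output
    it should sit very close to zero."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data)) - 0.5


def demo(total_bytes=64_000, chunk=32):
    """Stream total_bytes from the DRBG and report how much raw entropy was
    consumed, how much output was produced, and the measured bias."""
    src = SlowEntropySource()
    drbg = HmacDrbg(src, reseed_interval=1000)
    data = b"".join(drbg.generate(chunk) for _ in range(total_bytes // chunk))
    return src.bytes_served, len(data), monobit_bias(data)


if __name__ == "__main__":
    served, produced, bias = demo()
    print(f"entropy consumed: {served} bytes, output: {produced} bytes, bias: {bias:+.5f}")
```

With the demo parameters the generator pulls 32 bytes at instantiation and another 32 at the single reseed, so 64 KB of output costs 64 bytes of raw entropy, which is the whole point of the Lava Lamp argument: the entropy source sets the reseed cadence, the deterministic generator sets the throughput. Swapping the HMAC core for AES in counter mode gives the CTR-DRBG variant the thread attributes to Intel, with the same instantiate/reseed/generate shape.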