[Cryptography] combining lots of lousy RNGs ... or not
leichter at lrw.com
Tue Nov 22 06:13:02 EST 2016
> We can summarize by saying RDRAND is squish. From our point of view,
> it is neither reliably predictable nor reliably unpredictable.
> Combining it with other sources of squish does not help!
I would put this in slightly different terms. Combining two (or more) random number generators is just like building a reliable system by combining multiple, redundant, unreliable components. This is a great approach - indeed, the only approach we have for building highly reliable systems - but it only works *if the failure modes of the components are uncorrelated*. Major systems of all sorts - from buildings to economic constructs on Wall Street - have failed exactly because "I don't see a correlation" is very far from "there *is* no correlation".
If you can't characterize why some alleged source of randomness is unpredictable to an opponent, it's unlikely you can characterize whether two such "squishy" (to use John's term) sources are correlated. If, as it happens, both are actually pretty good, but both can be made predictable by imposing an AC signal on their power rails - you've gained precisely nothing by combining them.
Knuth has the classic example of a (non-cryptographic) "super pseudo-random number generator" that was clearly really strong - and which in fact had a short cycle. Designing random number sources based on ... nothing much, and then combining them and saying "Oh, now it's certainly secure", is no better than designing block ciphers based on ... nothing much, and then simply chaining them together. Triple rot13, indeed.
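As an added illustration of the correlation point above (this is constructed example code, not part of the original post or the list discussion), the small model below XORs the outputs of two simulated sources and measures the min-entropy per bit of the result. Two honestly biased sources with independent randomness combine into something better than either alone (the piling-up effect), while two individually balanced sources that share a hidden failure mode (modelled here, as an assumption, by both being driven from the same underlying state) combine into a constant stream with zero entropy. The source models, seeds and sample sizes are all invented for the demonstration.

```python
import math
import random


def bias(bits):
    """Empirical bias of a bit stream: P(bit = 1) - 1/2. Zero means balanced."""
    return sum(bits) / len(bits) - 0.5


def min_entropy_per_bit(bits):
    """Min-entropy of one bit from its empirical distribution: -log2(max(p, 1-p)).
    A constant stream has zero min-entropy; a balanced one has one full bit."""
    p = sum(bits) / len(bits)
    return -math.log2(max(p, 1.0 - p))


def xor_combine(a, b):
    """The usual way of combining two RNG outputs: bitwise XOR."""
    return [x ^ y for x, y in zip(a, b)]


def biased_source(rng, p_one, n):
    """Model (constructed) of a weak but honest source: each bit is 1 with
    probability p_one, independently of everything else."""
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def correlated_pair(rng, n):
    """Model (constructed) of two sources with a shared failure mode: both are
    driven by the same hidden state. Each stream on its own looks perfectly
    balanced; the second is simply the complement of the first."""
    a = biased_source(rng, 0.5, n)
    b = [x ^ 1 for x in a]
    return a, b


def evaluate(n=20000):
    """Compare XOR-combination in the uncorrelated and correlated cases."""
    # Scenario 1: two biased sources whose randomness is independent.
    a = biased_source(random.Random(1), 0.75, n)
    b = biased_source(random.Random(2), 0.75, n)
    xor_independent = min_entropy_per_bit(xor_combine(a, b))

    # Scenario 2: two balanced-looking sources with a common hidden driver.
    c, d = correlated_pair(random.Random(3), n)
    xor_correlated = min_entropy_per_bit(xor_combine(c, d))

    return {
        "single_biased": min_entropy_per_bit(a),        # about 0.415 bits
        "xor_independent": xor_independent,             # about 0.678 bits
        "single_correlated": min_entropy_per_bit(c),    # about 1.0 bit
        "xor_correlated": xor_correlated,               # exactly 0.0 bits
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name:>18}: {value:.3f} bits of min-entropy per output bit")
```

The analytic values behind scenario 1 are P(a XOR b = 1) = p(1-p) + (1-p)p = 0.375 for p = 0.75, so the combined stream has -log2(0.625) = 0.678 bits of min-entropy against 0.415 for either input. In scenario 2 each input passes any single-stream statistical test, and it is only the joint distribution, which such tests never look at, that reveals the combination is worthless.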