[Cryptography] combining lots of lousy RNGs ... or not

Ray Dillinger bear at sonic.net
Tue Nov 22 14:15:15 EST 2016 


On 11/21/2016 02:53 PM, John Denker wrote:

> As a *minor* point that's not strictly true.  In this world there
> are many situations where it makes sense to put all your eggs in
> one well-guarded basket.  Birds have been doing precisely that for
> the last 50 million years.  

First: NO single nest is worthy of absolute trust.  Absolute trust does
not exist.

You will note that birds do not, in general, all trust the *same*
basket.  A particular family of owls might trust that nest that they
built under the eaves of a barn where the squirrels can't get at it,
while a different family of owls, even in the same species, might trust
that nest they built in the hollow tree where the humans won't notice
it.  Even birds have different threat models, and besides it would be
really really stupid for them to trust just *one* bird to build a giant
nest for the entire species.  It would even be stupid for them all to
use the same method of selecting nesting sites, because a new predator
might come along making one of the choices a deadly mistake, and they
can't tell in advance which choice, and they'd really like at least a
few families of owls to survive.

Trent should not get to put himself in the position of the one bird that
builds the giant nest for the whole species, because Alice or Bob or
both may not trust Trent.  Did we learn nothing from the Debian RNG fiasco?

> Seriously, folks:  The fundamental equation is:
>   squish XOR squish = squish

I really and truly do want non-squish.  But we're talking about
virtualized machines and pseudorandom bit generators.  It is very hard
to tell which sources are non-squish, so I prefer to use all of the ones
that MIGHT be, including a bitcoin-mining USB stick that stays powered,
retains its internal state, and keeps hashing across reboots, and
obscure them with multiple squishing algorithms to prevent attacks that
see through some of them.

If every opponent finds at least one squish to be opaque, even if it's
not the same one for every opponent and even if I'm wrong about which
ones, then my pile of squish is opaque against every opponent. I am
*absolutely* confident of no implementation of any algorithm, so with
confidence factors thrown in, my equation is

non-squish(99%) XOR non-squish(99%) = non-squish(99.99)

> Combining untrusted RNGs makes just as much sense as combining untrusted
> ciphers, i.e. no sense at all.

But in the absence of ANY 100% trusted source, combining 99% trusted
RNGs makes as much sense as trusting 99% trusted ciphers, ie a hell of a
lot of sense.

Also?  The days when one cipher might accidentally undo the security of
another are gone.

				Bear


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20161122/b08eb891/attachment.sig>

More information about the cryptography mailing list