[Cryptography] combining lots of lousy RNGs ... or not

Theodore Ts'o tytso at mit.edu
Tue Nov 22 22:55:49 EST 2016


On Tue, Nov 22, 2016 at 06:13:02AM -0500, Jerry Leichter wrote:
> I would put this in slightly different terms.  Combining two (or
> more) random number generators is just like building a reliable
> system by combining multiple, redundant, unreliable components.
> This is a great approach - indeed, the only approach we have for
> building highly reliable systems - but it only works *if the failure
> modes of the components are uncorrelated*.

Another way of thinking about it is that we're not worried
about random (so to speak) failures, but rather about the concern that
some untrustworthy adversary has introduced a NOBUS back door into the
component.  Let's assume that the NSA has introduced a backdoor into
DUAL-EC.  And let's posit the possibility the KGB has a deep
penetration agent at Intel, who has introduced a NOBUS backdoor into
RDRAND.  And let's assume that my laptop has a TPM chip, made in
China, with a NOBUS into my TPM module courtesy of the MSS.

So the question is what do you get if you calculate

	H(squish_NSA | squish_KGB | squish_MSS)

Well, it's certainly not "random", in the formal information
theoretical sense.  But from a _practical_ sense, if you assume that
the NSA, KGB, and MSS will never collude and/or admit to each other
that they introduced a NOBUS vulnerability into DUAL_EC, RDRAND, and a
TPM module, it might be _practically_ random.

So this is a different type of anti-correlation protection, since for
cryptographic systems, we have to worry about not only failure in the
engineering sense, but also deliberately introduced NOBUS
vulnerabilities --- which if they exist, aren't necessarily "failures"
from the intelligence agency's perspective...  :-)

- Ted
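The argument above, as an added worked model (example code written for this page, not from Ted's post or any real generator): three sources are hashed together as H(squish_NSA | squish_KGB | squish_MSS), each "backdoored" source is modelled as an HMAC under a key known only to its planting agency (a constructed stand-in for DUAL_EC/RDRAND/TPM, not their actual mechanics), and the honest third source has an adjustable number of entropy bits. The three scenarios show when the combination stays unpredictable: full collusion recovers the pool outright, a coalition facing an honest but low-entropy third source recovers it by exhaustive search, and a coalition facing an honest full-entropy source cannot. Function names, key sizes and the 12/256-bit settings are this example's own choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def combine(*outputs: bytes) -> bytes:
    """Model of H(squish_NSA | squish_KGB | squish_MSS).

    Each input is length-prefixed before hashing so the boundaries between
    sources are unambiguous (plain concatenation would let two different input
    triples hash to the same value).  Anyone missing even one input cannot
    evaluate H, so the output is unpredictable to them unless the missing input
    is small enough to guess.
    """
    h = hashlib.sha256()
    for out in outputs:
        h.update(len(out).to_bytes(2, "big"))
        h.update(out)
    return h.digest()


def backdoored_output(nobus_key: bytes, counter: int) -> bytes:
    """Toy NOBUS-backdoored generator (a constructed model, not DUAL_EC/RDRAND).

    The output is an HMAC of a counter under a key only the planting agency
    holds: it looks random to everyone else, but the key holder can recompute
    every output.
    """
    return hmac.new(nobus_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def honest_output(entropy_bits: int) -> bytes:
    """A genuinely random source whose entropy we can dial down for the demo."""
    nbytes = (entropy_bits + 7) // 8
    return secrets.randbits(entropy_bits).to_bytes(nbytes, "big")


def recover_last_input(known: list, target: bytes, entropy_bits: int,
                       budget: int = 1 << 20) -> Optional[bytes]:
    """A coalition holding every input except the last one tries to recover the
    missing input by exhaustive search over its value space.

    Returns the missing input when the search space fits in the budget (a weak
    or correlated third source), None when it does not (a source with real
    entropy keeps the combined output unpredictable).
    """
    if (1 << entropy_bits) > budget:
        return None
    nbytes = (entropy_bits + 7) // 8
    for guess in range(1 << entropy_bits):
        candidate = guess.to_bytes(nbytes, "big")
        if combine(*known, candidate) == target:
            return candidate
    return None


def scenarios(weak_bits: int = 12, strong_bits: int = 256) -> dict:
    """Three collusion scenarios for the three-source pool.  Keys are constructed
    at random here; in the story they are each agency's NOBUS secret."""
    nsa_key, kgb_key, mss_key = (secrets.token_bytes(32) for _ in range(3))
    counter = 1
    nsa = backdoored_output(nsa_key, counter)
    kgb = backdoored_output(kgb_key, counter)

    # 1. All three sources backdoored and all three agencies collude: the pool
    #    is fully predictable to the coalition.
    mss = backdoored_output(mss_key, counter)
    pool = combine(nsa, kgb, mss)
    colluders_view = combine(*(backdoored_output(k, counter)
                               for k in (nsa_key, kgb_key, mss_key)))

    # 2. NSA and KGB collude, but the third source is honest yet weak: the
    #    coalition brute-forces the few missing bits and recovers the pool.
    weak = honest_output(weak_bits)
    weak_pool = combine(nsa, kgb, weak)
    weak_recovered = recover_last_input([nsa, kgb], weak_pool, weak_bits)

    # 3. Same coalition, but the honest source has full entropy: the search
    #    is infeasible and the pool stays unpredictable to them.
    strong = honest_output(strong_bits)
    strong_pool = combine(nsa, kgb, strong)
    strong_recovered = recover_last_input([nsa, kgb], strong_pool, strong_bits)

    return {
        "full_collusion_predicts_pool": colluders_view == pool,
        "weak_third_source_recovered": weak_recovered == weak,
        "strong_third_source_recovered": strong_recovered is not None,
    }


if __name__ == "__main__":
    for name, broken in scenarios().items():
        print(f"{name}: {broken}")
```

The design point is the one Ted makes: hashing the sources together costs nothing if every input is backdoored, but it protects you exactly when at least one input is both uncompromised and carries real entropy, and the length prefix in `combine` is there so that an input boundary cannot be shifted to make two different source triples collide.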
