[Cryptography] combining lots of lousy RNGs ... or not
tytso at mit.edu
Tue Nov 22 22:55:49 EST 2016
On Tue, Nov 22, 2016 at 06:13:02AM -0500, Jerry Leichter wrote:
> I would put this in slightly different terms. Combining two (or
> more) random number generators is just like building a reliable
> system by combining multiple, redundant, unreliable components.
> This is a great approach - indeed, the only approach we have for
> building highly reliable systems - but it only works *if the failure
> modes of the components are uncorrelated*.
Another way of thinking about it is that we're not worried
about random (so to speak) failures, but rather about the concern that
some untrustworthy adversary has introduced a NOBUS back door into the
component. Let's assume that the NSA has introduced a backdoor into
DUAL-EC. And let's posit the possibility that the KGB has a deep
penetration agent at Intel, who has introduced a NOBUS backdoor into
RDRAND. And let's assume that my laptop has a TPM chip, made in
China, which has a NOBUS backdoor courtesy of the MSS.
So the question is what do you get if you calculate
H(squish_NSA | squish_KGB | squish_MSS)
Well, it's certainly not "random", in the formal information
theoretical sense. But from a _practical_ sense, if you assume that
the NSA, KGB, and MSS will never collude and/or admit to each other
that they introduced a NOBUS vulnerability into DUAL-EC, RDRAND, and a
TPM module, it might be _practically_ random.
So this is a different type of anti-correlation protection, since for
cryptographic systems, we have to worry about not only failure in the
engineering sense, but also deliberately introduced NOBUS
vulnerabilities --- which if they exist, aren't necessarily "failures"
from the intelligence agency's perspective... :-)
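The combiner H(squish_NSA | squish_KGB | squish_MSS) discussed in the post, as an added example that is not part of the original message or any real RNG implementation. The three sources are simulated: each "backdoored" generator is HMAC-SHA256 keyed with a seed only the planting agency knows, so that agency can replay its own stream but nobody else's. The names, seeds and the length-prefixed SHA-256 combiner are assumptions made for the example; the length prefix is an addition to the post's plain concatenation so differently sized outputs cannot be re-split into a colliding input.

```python
"""Hash-combining several possibly-backdoored RNG outputs (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


class BackdooredRng:
    """Simulated NOBUS RNG: output_i = HMAC-SHA256(agency_seed, i).

    Whoever holds agency_seed (the agency that planted the backdoor) can
    recompute every output; to everyone else the stream looks random.
    """

    def __init__(self, agency_seed: bytes) -> None:
        self._seed = agency_seed
        self._counter = 0

    def next_bytes(self) -> bytes:
        out = BackdooredRng.replay(self._seed, self._counter)
        self._counter += 1
        return out

    @staticmethod
    def replay(agency_seed: bytes, counter: int) -> bytes:
        """What the planting agency computes to learn output number `counter`."""
        return hmac.new(agency_seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def combine(sources: Iterable[bytes]) -> bytes:
    """H(squish_NSA | squish_KGB | squish_MSS), with each chunk length-prefixed."""
    h = hashlib.sha256()
    for chunk in sources:
        h.update(len(chunk).to_bytes(4, "big"))
        h.update(chunk)
    return h.digest()


def adversary_recovers(
    combined: bytes,
    known: Dict[str, bytes],
    order: Iterable[str],
    guesses_for_unknown: Optional[Iterable[bytes]] = None,
) -> bool:
    """Can an adversary who knows some of the source outputs reproduce `combined`?

    `known` maps source name -> the output that adversary can compute (its own
    backdoor plus any colluders'). If exactly one source is unknown, every
    candidate in `guesses_for_unknown` is tried in its place.
    """
    order = list(order)
    unknown = [name for name in order if name not in known]
    if not unknown:
        return combine(known[name] for name in order) == combined
    if len(unknown) != 1 or guesses_for_unknown is None:
        return False
    for guess in guesses_for_unknown:
        trial = dict(known, **{unknown[0]: guess})
        if combine(trial[name] for name in order) == combined:
            return True
    return False


def demo():
    """Returns (NSA alone, NSA+KGB colluding, all three colluding) -> recovered?"""
    # Constructed seeds: each agency knows only its own.
    seeds = {"NSA": b"nsa-seed", "KGB": b"kgb-seed", "MSS": b"mss-seed"}
    rngs = {name: BackdooredRng(seed) for name, seed in seeds.items()}
    order = ["NSA", "KGB", "MSS"]
    outputs = {name: rngs[name].next_bytes() for name in order}
    combined = combine(outputs[name] for name in order)

    # NSA alone: it can replay its own output (counter 0) but not the others.
    nsa_view = {"NSA": BackdooredRng.replay(seeds["NSA"], 0)}
    alone = adversary_recovers(combined, nsa_view, order)

    # NSA and KGB collude and brute-force MSS from a constructed candidate list.
    collude2 = dict(nsa_view, KGB=BackdooredRng.replay(seeds["KGB"], 0))
    guesses = [os.urandom(32) for _ in range(1000)]
    two = adversary_recovers(combined, collude2, order, guesses)

    # All three collude: the combined value is fully reproducible.
    collude3 = dict(collude2, MSS=BackdooredRng.replay(seeds["MSS"], 0))
    three = adversary_recovers(combined, collude3, order)
    return alone, two, three
```

Running `demo()` gives `(False, False, True)`: as long as at least one source's backdoor key is withheld from the adversary, the hashed combination is unpredictable to it, and only full collusion of all three agencies reproduces the output. Replace any one `BackdooredRng` with `os.urandom(32)` and the same holds against everyone.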