[Cryptography] combining lots of lousy RNGs ... or not

John Denker jsd at av8n.com
Tue Nov 22 23:52:52 EST 2016


On 11/22/2016 08:55 PM, Theodore Ts'o wrote:
> So the question is what do you get if you calculate
> 
> 	H(squish_NSA | squish_KGB | squish_MSS)
> 
> Well, it's certainly not "random", in the formal information
> theoretical sense.  But from a _practical_ sense, if you assume that
> the NSA, KGB, and MSS will never collude and/or admit to each other
> that they introduced a NOBUS vulnerability into DUAL_EC, RDRAND, and a
> TPM module, it might be _practically_ random.

I disagree.  It's an invalid argument leading to an unsound
conclusion.

Among other flaws, the argument depends on the unstated assumption
that a backdoor installed by this-or-that agency cannot possibly
be exploited by anybody else (without the installer's consent).
All evidence indicates that this is not a safe assumption.
 -- The Clipper Chip story is widely known.
 -- The Snowden documents indicate that many of NSA's favorite
  entry points are backdoors installed by *somebody else*.
 -- Do you really think that opening the "TSA-Approved" lock on
  your suitcase would require "collusion" by a TSA agent?
 -- etc. etc. etc.


This is a very serious public-policy issue.  Cryptographers (e.g.
Matt Blaze) have been called to testify before Congress.  The
point is, when this-or-that agency says something is NOBUS, you
really, really must not assume it is actually NOBUS.

Please do not assume any such thing.  It's bad engineering and
bad public policy.
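The combiner under discussion, H(squish_NSA | squish_KGB | squish_MSS), and the threat model behind the disagreement can be made concrete. The following is an added example, not code from either poster: each source is modelled as a toy RNG whose whole output stream is reproducible by anyone holding its backdoor key (a constructed stand-in; it describes no real product), and the attacker is modelled as someone holding some subset of those keys. The hash combiner stays unpredictable while at least one key is missing; once all three keys are in one attacker's hands, which is exactly the situation Denker warns about when "NOBUS" backdoors leak or are reused, the seed is replayed exactly. The length prefix inside combine() is an addition to the post's H(a|b|c) notation, added so that the concatenation is unambiguous; the key bytes and source names are constructed for the demo.

```python
import hashlib
import hmac


def combine(*outputs: bytes) -> bytes:
    """H(s1 | s2 | s3 ...): hash the concatenated source outputs into one seed.

    Each input is length-prefixed (an addition to the post's notation) so that
    moving bytes between adjacent inputs cannot produce the same digest.
    """
    h = hashlib.sha256()
    for out in outputs:
        h.update(len(out).to_bytes(4, "big"))
        h.update(out)
    return h.digest()


class BackdooredRng:
    """Toy model of an RNG with a 'NOBUS'-style backdoor (constructed for this
    example, not a model of any real device).

    Every output is a deterministic function of a secret backdoor key and a
    per-device counter, so whoever holds the key can replay the whole stream,
    while anyone without it sees bytes indistinguishable from random.
    """

    def __init__(self, name: str, backdoor_key: bytes):
        self.name = name
        self._key = backdoor_key
        self._counter = 0

    def read(self) -> bytes:
        self._counter += 1
        return self.output_at(self._key, self._counter)

    @staticmethod
    def output_at(key: bytes, counter: int) -> bytes:
        # Key holder's view: output number `counter` of the device keyed by `key`.
        return hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()


def host_seed(rngs: list) -> bytes:
    """What the host computes: read each source once and hash them together."""
    return combine(*(r.read() for r in rngs))


def attacker_seed(names: list, leaked_keys: dict, counter: int) -> bytes:
    """What an attacker holding the backdoor keys in `leaked_keys` reconstructs.

    For a source whose key is not held, the attacker can only guess its
    32-byte output; the fixed placeholder below stands in for one draw from a
    2**256 search space, i.e. the reconstruction fails unless every key is held.
    """
    guess = b"\x00" * 32
    outputs = [
        BackdooredRng.output_at(leaked_keys[n], counter) if n in leaked_keys else guess
        for n in names
    ]
    return combine(*outputs)


def demo():
    """Run the three-source scenario once; returns (seed, two_keys_match, all_keys_match)."""
    # Constructed backdoor keys, one per source named in the quoted post.
    keys = {
        "NSA": b"constructed-backdoor-key-1",
        "KGB": b"constructed-backdoor-key-2",
        "MSS": b"constructed-backdoor-key-3",
    }
    names = list(keys)
    rngs = [BackdooredRng(n, keys[n]) for n in names]

    seed = host_seed(rngs)  # each device is now at counter 1

    # Attacker with two of the three keys: one input is unknown, so the hash
    # cannot be reproduced (no collusion needed for the keys they do have).
    two_keys = {n: keys[n] for n in ("NSA", "KGB")}
    two_match = attacker_seed(names, two_keys, 1) == seed

    # Attacker with all three keys (leaked, stolen or reused by a third party,
    # not necessarily by the installers): the seed is replayed exactly.
    all_match = attacker_seed(names, keys, 1) == seed
    return seed, two_match, all_match


if __name__ == "__main__":
    seed, two_match, all_match = demo()
    print("seed:", seed.hex())
    print("reconstructed with 2 of 3 keys:", two_match)
    print("reconstructed with 3 of 3 keys:", all_match)
```

The security of the combined seed therefore rests entirely on the claim that no single party ever gets all three keys; the model says nothing about whether the key holder is the installer or someone who found, bought, or stole the backdoor, which is the assumption the argument above turns on.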


