[Cryptography] combining lots of lousy RNGs ... or not

Jason Cooper cryptography at lakedaemon.net
Wed Nov 23 09:39:17 EST 2016


Hi John,

On Tue, Nov 22, 2016 at 09:52:52PM -0700, John Denker wrote:
> On 11/22/2016 08:55 PM, Theodore Ts'o wrote:
> > So the question is what do you get if you calculate
> > 
> > 	H(squish_NSA | squish_KGB | squish_MSS)
> > 
> > Well, it's certainly not "random", in the formal information
> > theoretical sense.  But from a _practical_ sense, if you assume that
> > the NSA, KGB, and MSS will never collude and/or admit to each other
> > that they introduced a NOBUS vulnerability into DUAL_EC, RDRAND, and a
> > TPM module, it might be _practically_ random.
> 
> I disagree.  It's an invalid argument leading to an unsound
> conclusion.

The difference between the two approaches is that one is sound
engineering with finite resources and little control over the hardware
platform.

The other is sound engineering when creating a product from the ground up
with full control of the manufacturing and design process.

Ted's example should really be, with no control of the hardware executed
on,

    H(squish_NSA | squish_KGB | squish_MSS | squish_IRQ | squish_ADC)

Once a system gets at least 128 bits from IRQ or ADC, the feasibility of
any attack vector, even with knowledge of other attack vectors, goes
drastically down.

If we're designing the whole product, John's approach is the only
correct one.  If we have no control of the hardware we are executing on,
then Ted's is strictly better than using any available individual source
alone.

thx,

Jason.
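As an added illustration of the mixing construction discussed in this message, H(squish_NSA | squish_KGB | squish_MSS | squish_IRQ | squish_ADC), the following example (not code from the thread) hashes every contributed sample into one output and only credits the IRQ/ADC sources toward the 128-bit threshold the message mentions; the source names are taken from the message, while the split into platform versus local sources, the entropy estimates and the sample bytes are the example's own assumptions.

```python
import hashlib

# Sources the system designer does not control (hardware RNG, TPM, ...)
# versus sources the system samples itself (interrupt timing, ADC noise).
# Names follow the message; the split is the example's assumption.
PLATFORM_SOURCES = {"squish_NSA", "squish_KGB", "squish_MSS"}
LOCAL_SOURCES = {"squish_IRQ", "squish_ADC"}
SEED_THRESHOLD_BITS = 128  # the figure used in the message


class EntropyMixer:
    """H(src_1 | src_2 | ...) over every contributed sample, with a
    seeded-ness check that only credits the locally sampled sources."""

    def __init__(self):
        self._samples = []    # (name, bytes) in contribution order
        self._local_bits = 0  # estimated entropy credited from LOCAL_SOURCES

    def add(self, name, data, est_bits):
        if name not in PLATFORM_SOURCES | LOCAL_SOURCES:
            raise ValueError("unknown source: " + name)
        self._samples.append((name, bytes(data)))
        if name in LOCAL_SOURCES:
            # A backdoored platform RNG may be fully known to its designer,
            # so only IRQ/ADC bits count against that designer.
            self._local_bits += est_bits

    def seeded(self):
        return self._local_bits >= SEED_THRESHOLD_BITS

    def extract(self):
        # Bare '|' concatenation is ambiguous for variable-length inputs
        # (a|bc == ab|c), so each field is labelled and length-prefixed.
        h = hashlib.sha256()
        for name, data in self._samples:
            h.update(len(name).to_bytes(2, "big") + name.encode())
            h.update(len(data).to_bytes(4, "big") + data)
        return h.digest()


def mix(samples):
    """Convenience: build a mixer from [(name, data, est_bits), ...]."""
    m = EntropyMixer()
    for name, data, est_bits in samples:
        m.add(name, data, est_bits)
    return m
```

Feeding the three platform sources with zero credited entropy and then 64 bits each from IRQ and ADC yields a pool that reports seeded only after both local samples are in, and changing any one sample, known or not, changes the extracted digest.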
