[Cryptography] Use of RDRAND in Haskell's TLS RNG?

Ray Dillinger bear at sonic.net
Wed Nov 23 13:24:49 EST 2016

On 11/23/2016 02:23 AM, Darren Moffat wrote:
> What is a "proper audit" and why do you think that Intel hasn't done that
> already ? What more could they (or any chip designer/builder) do to convince
> you?
> Darren

A proper audit is one that's sufficient for anybody with a copy of the
audit to notice if there's a mistake in the claimed implementation.
Therefore, it would include a discussion of the exact design specs, the
design process, and why the design is expected to meet those specs.
Then it would show both images of the relevant parts of the chip die and
the source code that resulted in that layout, so that people can check
those things against the claimed implementation.  And it would be
publicly available so security researchers and random grad students
anywhere in the world can inspect it, publish papers about it, freely
quote it, etc. without need of an NDA and without worrying about getting

If this document existed we'd know about it because researchers and grad
students in Shanghainese and Russian universities, and everybody else
whose governments or sponsors are suspicious of American companies and
would budget a whole lot of university research, would be publishing a
firehose stream of papers about it.

Lite Verification means making the pre-whitening random-process output
available from the chip and letting people verify that the RDRAND
output does indeed correspond to those bits and the whitening process
claimed in the audit. Likewise, we'd know about it, and there'd be
another firehose stream of papers coming out.

Full Verification involves decapping randomly selected chips that have
been sold to the general public, and inspecting them under an electron
microscope to make sure the implementation claimed in the audit is
what's actually there.  And to make sure that it's actually hooked up so
people can tell that it is the part of the die which is used to handle
that particular instruction. Full verification could *in principle* be
repeated by as many people, in as many different countries, as there are
chips sold, with notice to or participation by the manufacturer neither
required nor given nor expected.

Publishing the audit would be simple and easy.  We assume that document
already exists, it just hasn't been published.  Lite verification would
require additional chip design, possibly additional output pins, and
would raise the cost of the chip, but designing to make it possible
would have been well within Intel's capabilities. Full Verification
would be an absolute bugger for anybody to do, very expensive, and IMO
is unlikely to be done by anyone save nation-states who will never
publish their findings. Nor, indeed, even admit they've done it.

