[Cryptography] RNG design principles

John Denker jsd at av8n.com
Sat Nov 26 12:44:56 EST 2016


On 11/25/2016 01:55 PM, Arnold Reinhold wrote:

>> In addition to the need for a proper published audit that bear 
>> suggested, the most glaring defect in the Intel design is the lack
>> of access to the un-whitened random bits.
                    ^^^^^^^^^^^^^^^^^^^^^^^
Indeed!!!!!

On 11/24/2016 04:22 AM, Ron Garret wrote:

> The “Shh” example is meant more as an illustration of how simple a 
> solution to the problem can be than a serious suggestion for 
> production use,

That's a good way of looking at it.

> though it would in fact work,

Yes, it would.  If I were in a big hurry, and stranded with
almost no tools, I would do something like that.

However, there are still lots of "plumbing" problems involved
in getting your favorite app(s) to actually use the randomness
you've generated.  Cryptography exists at the intersection of
fancy mathematics and down-to-earth engineering.

Then, alas, there is this:

> A typical audio input samples at >500 kbps, so one second of audio 
> with a safety factor of 1000 will give you 500 bits of entropy. 
> That’s a pretty comfortable margin IMHO,

It is better to /measure/ these things than to spread opinions,
humbly or otherwise.

As the saying goes, there is a difference between data and
information ... and on the other side of the same coin, there
is a difference between data and unpredictability.

In this case:  Almost all of those 500k bits are predictable.
Successive samples of the audio waveform are grossly correlated.
Throwing around that 500k number is like saying Enigma «must be»
unbreakable because the keyspace (including plugboard) has billions
upon billions of possibilities.  I created a waveform with only
one bit of randomness per sample, at 8k samples per second, and
the ear does not perceive it as being any less random than a
high-data-rate recording of "shhhh".  So the «comfortable safety
margin» is one or two orders of magnitude less comfortable than
it might appear.

And as has been pointed out by several people, you can do better
/without/ the microphone.  On a desktop machine this is easier
(as well as better) because you don't need to scrounge up a
microphone.  On a laptop you might have to spend $0.001 for
a piece of wood or plastic to plug into the input jack, to
open-circuit the microphone.

> I’ll be happy to sell you an HSM with a HWRNG for $75.  Under no
> circumstances should anyone be paying more than that.

I can undercut that.  For only $59.99 I will sell you a 3.5mm
diameter piece of plastic to plug into your laptop.  Free
shipping!  Act now while supplies last.

In the almost-worst case, if your machine has no audio circuits
at all, or if the existing audio is needed for other purposes,
for only $67.99 I will sell you a USB audio dongle that you can
dedicate to the HRNG task.

Or you could buy one at the corner store for a tenth of that.

On 11/22/2016 01:03 PM, Ron Garret wrote:

> I am constantly surprised by how often discussions of randomness
> arise on this list, and how long they continue.

Well, as long as people keep assuming that the hard things
are easy, and the easy things are hard, the surprises will
keep coming.
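An added illustration, not part of the thread, of the kind of measurement the post asks for: a constructed waveform with one fair random bit per sample at 8k samples/s (as described above), scored three ways. The function names, the ramp shape and the PRNG seed are my own choices.

```python
import math
import random
from collections import Counter, defaultdict

SAMPLE_RATE = 8000   # samples per second, matching the 8k-sample/s waveform in the post
SAMPLE_BITS = 16     # width of a typical PCM sample; the "naive" count uses this

def make_waveform(n=SAMPLE_RATE, seed=1234):
    """Constructed test signal: a predictable sawtooth ramp plus ONE fair random
    bit per sample in the LSB.  True unpredictability is therefore 1 bit/sample."""
    rng = random.Random(seed)                      # seeded so the run is repeatable
    return [((i * 37) % 20000 - 10000) + rng.getrandbits(1) for i in range(n)]

def min_entropy_per_symbol(symbols):
    """Zeroth-order min-entropy: -log2(p_max) from the empirical histogram."""
    counts = Counter(symbols)
    return -math.log2(max(counts.values()) / len(symbols))

def markov_min_entropy_per_symbol(symbols):
    """First-order conditional min-entropy: how well the best guess does once the
    previous symbol is known.  H = -log2( sum_prev P(prev) * max_next P(next|prev) )."""
    follow = defaultdict(Counter)
    for prev, nxt in zip(symbols, symbols[1:]):
        follow[prev][nxt] += 1
    total = len(symbols) - 1
    # sum over contexts of the most common successor count, divided by total pairs
    best_guess_mass = sum(max(c.values()) for c in follow.values()) / total
    return -math.log2(best_guess_mass)

def entropy_estimates(samples):
    """Total-bit estimates for one second of audio under three views of the data:
    counting raw bits, a histogram of raw values, and a trivial predictor (previous
    sample) followed by a first-order Markov estimate on the prediction residual."""
    deltas = [b - a for a, b in zip(samples, samples[1:])]
    n = len(samples)
    return {
        "naive_bits":        SAMPLE_BITS * n,
        "raw_value_bits":    min_entropy_per_symbol(samples) * n,
        "delta_markov_bits": markov_min_entropy_per_symbol(deltas) * n,
    }

if __name__ == "__main__":
    for name, bits in entropy_estimates(make_waveform()).items():
        print(f"{name:>18}: {bits:10.0f} bits/s")
```

The raw-value histogram still reports roughly 12 bits per sample, because every sample value is nearly unique; only after a predictor removes the ramp does the estimate collapse to about 1 bit per sample, and a real recording needs a much better predictor than "previous sample" before any such number can be trusted.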

