[Cryptography] Use of RDRAND in Haskell's TLS RNG?
David Johnston
dj at deadhat.com
Sat Nov 26 15:43:11 EST 2016
On 11/25/16 9:41 PM, Viktor Dukhovni wrote:
>> On Nov 25, 2016, at 3:55 PM, Arnold Reinhold <agr at me.com> wrote:
>>
>> In addition the need for a proper published audit that bear suggested, the most glaring defect in the Intel design is the lack of access to the un-whitened random bits. Adding a mode that bypassed the whitener would have been simple. Statistical analysis of the raw bit stream can provide ongoing assurance that the RNG is doing what it says. Likely there will be correlations between raw bit statistics and external parameters such as chip temperature and supply voltage. Of course it is possible for a deterministic generator to mimic such variations, but it would have to have a relatively large footprint on the die compared to simply using the whitener in a feedback mode or similar mischief.
> It seems you're hinting at:
>
> https://software.intel.com/en-us/blogs/2012/11/17/the-difference-between-rdrand-and-rdseed
> https://en.wikipedia.org/wiki/RdRand
>
> RDSEED first appears in Broadwell CPUs, while RDRAND appears earlier in Ivy Bridge.
>
RdSeed is an implementation of the XOR Construction ENRBG as defined in
SP800-90C. This draft spec did not exist when RdRand was first developed.
More information about the cryptography
mailing list