[Cryptography] TRNGs as open source design semiconductors
Jerry Leichter
leichter at lrw.com
Thu Sep 12 10:35:27 EDT 2019
> It seems to me (at least in the cryptocurrency world) that there is a growing desire that hardware become more transparent (as in open source) just as software has been. I believe an open source chip could radically disrupt the existing TRNG chip market, forcing transparency....
> So, I wonder:
> • Might open source TRNG hardware (as a semiconductor chip) better support cryptography in general, or perhaps just for crypto currencies? Or, am I completely wrong in this belief, and the hardware designs are best left as proprietary?
I think you have to consider how realistic a target an on-chip random number generator actually is. Modern Intel chips come with a built-in generator. Let's assume that as designed, it's actually unpredictable. Now imagine an attacker with effectively unlimited funds who wants to attack cryptographic or other protocols based on that generator. Given that the designed generator is "good," there are two ways to attack it: Leak the values, or slip a change into the hardware that makes the generator predictable.
But consider: If I can slip a change into the hardware, why attack the RNG? I can attack anything at all! In fact, there are already published examples - among many - of attacks on Ethernet interfaces such that simply seeing a particular series of bits in the input causes it to do arbitrary nasty things - like sending the contents of selected memory locations to an attacker.
Against an attacker who can slip changes into hardware, defending a single part of the hardware is no defense at all. In fact, we currently don't *have* any techniques for defending against such attackers, beyond the physical-world techniques of maintaining visibility into all of the supply chain. That was, at one point, something available to, say, the US military. Today, it's unlikely even the US military can afford it - a major concern, given how much the US military relies on computers. Perhaps the NSA can, for relatively limited numbers of chips that it can build in its own "black" fabs. For some kinds of uses - a sealed box between a computer and a network that manages all the encryption - it's possible, certainly with NSA levels of funding, to ensure that the stuff that traverses the wire can't be attacked. But once the decrypted data is delivered to a general-purpose computer with "modern" levels of performance, the story is very different. (The same goes, for example, for all kinds of modern sensors, which contain quite a bit of computation within them, massaging the data before your "secure" machine ever sees it.)
Designing and building cool RNGs is a nice project. They are, by today's standards, very simple circuits. If you know what you're doing, you can make solid physical arguments that the circuits, if implemented properly, are really unpredictable. Since they are so simple, you can build them out of discrete components which are themselves so low-level that no hardware attack is practical. (If I let you add a hack to every AND gate synthesized anywhere on the planet, what exactly would you change to allow a hidden attack against some uses of those AND gates?) And there will always be people willing to pay for such a thing, either "just in case" or because ... hey, *my* encryption algorithm has a 50,000-bit key, it's *so much more secure* than your sissy 256-bit key. I mean, 50,000 is *way* larger than 256, so it's just obvious!
But does one of these things actually add to your security under realistic attack models?
-- Jerry