[Cryptography] Proper Entropy Source

Theodore Y. Ts'o tytso at mit.edu
Thu Jan 23 11:25:55 EST 2020


On Wed, Jan 22, 2020 at 05:47:43PM -0500, Bill Frantz wrote:
> In this area, I'm with John von Neumann, "Anyone who attempts to generate
> random numbers by deterministic means is, of course, living in a state of
> sin."
> 
> Fortunately, for most cryptography, we don't need randomness, we need
> unguessability.
> 
> But, as John points out, that is squish.

Exactly.

> > In other words: Combining multiple squishy sources does *not* produce
> > randomness.  It might make it harder for
> > you to predict, but again, that is not the criterion.
> 
> And harder to predict is something we want. If I can combine 100 sources
> that each give me 1 bit of unguessability, I have a good start on having a
> cryptographically useful unguessable number. High precision timing of packet
> arrival may be useful here.

This is true only *if* the 100 sources are uncorrelated with each
other.  But if they are based on timing, and all of the "clocks" on a
particular "system on a chip" are driven by a single master oscillator
(got to reduce cost, you know), and it's a very simple RISC-V CPU
which didn't have any Spectre or Meltdown vulnerabilities because it
wasn't doing any kind of speculative execution or register
renaming.... then it could very well be that all of your timing events
are highly correlated.

If you can use packet arrival times on the local area network, and
perhaps radio signal strength information from the WiFi, perhaps
that's not as easily guessable by a remote attacker in Fort Meade.
But take for example an IoT device that attempts to generate a
public/private keypair the first time it is plugged into AC mains,
perhaps before it has attempted to bring up the network....

> Ideally, you have a hardware generator with a theoretical reason to think it
> is random. But if you don't, combining multiple sources, with very small
> guesses as to the number of bits of unguessability may be the best you can
> do.
> 
> If you don't trust the organization that made your hardware source, combine
> it with some squish to make the opponent's job harder.

Agreed that this is the best we can do.  Now, if only all
optimized-for-BOM-cost consumer grade devices had hardware random
number sources....

						- Ted
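Ted's correlation point, as an added illustration that is not part of the thread: a constructed model of eight "clocks" driven by one master oscillator, whose eight one-bit readings never carry more than one bit of entropy, beside eight free-running clocks whose readings are independent. The oscillator model and the plain empirical min-entropy estimate are assumptions of this example.

```python
import math
import random
from collections import Counter

NUM_SOURCES = 8  # each source is credited with "1 bit of unguessability"


def independent_sources(rng):
    """Eight free-running oscillators: each sampled low bit is independent."""
    return [rng.getrandbits(1) for _ in range(NUM_SOURCES)]


def correlated_sources(rng):
    """Constructed SoC model: one master counter feeds every 'clock'.
    Source i sees the master count shifted by a fixed phase offset, so the
    parity it samples is a deterministic function of the master's low bit."""
    master = rng.getrandbits(32)
    return [(master + 3 * i) & 1 for i in range(NUM_SOURCES)]


def combine(bits):
    """Concatenate the one-bit samples: the naive 'N sources = N bits' view."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def min_entropy_bits(samples):
    """Empirical min-entropy: -log2 of the most frequent outcome's probability."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def estimate(source_fn, n=50000, seed=1):
    """Min-entropy (bits) of the combined value over n samples from source_fn."""
    rng = random.Random(seed)  # seeded so the demonstration is reproducible
    return min_entropy_bits([combine(source_fn(rng)) for _ in range(n)])


def distinct_outcomes(source_fn, n=50000, seed=1):
    """How many different combined values the source can actually produce."""
    rng = random.Random(seed)
    return len({combine(source_fn(rng)) for _ in range(n)})


if __name__ == "__main__":
    for name, fn in (("independent", independent_sources), ("correlated", correlated_sources)):
        print(f"{name}: {distinct_outcomes(fn)} outcomes, ~{estimate(fn):.2f} bits min-entropy")
```

The correlated model still "combines eight sources", but only two combined values ever occur, so the naive 8-bit credit overstates the entropy by a factor of eight.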