[Cryptography] Duh, why aren't most embedded TRNGs designed this way?

Phillip Hallam-Baker phill at hallambaker.com
Tue May 25 14:33:38 EDT 2021


On Wed, May 19, 2021 at 1:21 AM Kent Borg <kentborg at borg.org> wrote:

> On 5/13/21 8:48 AM, Ron Garret wrote:
>
> The hard part is not finding good sources of entropy.  The hard part is
> protecting that source against tempest attacks and other forms of
> eavesdropping.
>
> No.
>
> The hard part about RNGs is that when they fail, they usually do so
> silently.
>
Amen. There is almost nothing you can do to prevent someone compromising an
RNG in ways that you can't detect at the application level.

Also, what we are after is not 'entropy', it is 'unguessability'. The seed
can be perfectly random, but that won't help if the seed can be leaked via a
side channel. In the days of RSA, that nice big modulus was the perfect
place to smuggle out the encrypted seed. Instead of picking p and q and
calculating the modulus, pick a seed, use it to pick p, then encrypt the
seed, make that the top 256 bits of the modulus, and divide by p to get
the rest, just as Moti Yung taught us.


So the way I (try to) look at it, I treat my RNG output as likely to be
compromised and make sure that I never reveal the output to an adversary
without passing it through a digest or a KDF.
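The practice in that last paragraph, as an added example (my code, not anything from the post or the list): raw bytes from a constructed, deliberately leaky source are never released; only an HKDF-SHA256 output bound to a context label is. `LeakySource`, `derive_value` and the salt string are assumptions made for the illustration.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) over SHA-256, written out here so the
    example runs on the standard library alone."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    out, block, counter = b"", b"", 1
    while len(out) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class LeakySource:
    """Constructed stand-in for a compromised RNG (assumption, not a real device):
    every read returns the internal seed verbatim, so anyone who sees raw output
    learns the seed outright, much like the seed smuggled into the RSA modulus."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def read(self, n: int) -> bytes:
        reps = n // len(self._seed) + 1
        return (self._seed * reps)[:n]


def derive_value(source, context: bytes, length: int = 32) -> bytes:
    """Draw raw bytes but release only a KDF output: the value that reaches a
    peer is a one-way function of the source output, labelled by context so a
    nonce and a key derived from the same draw are unrelated."""
    raw = source.read(64)
    # Salt is a fixed, public label here (assumption); it is not what hides the seed.
    return hkdf_sha256(raw, salt=b"rng-hedge-v1", info=context, length=length)
```

Hashing hides the raw output from whoever sees the derived value; it does not rescue a source whose output is predictable to the adversary, which is the post's point about undetectable compromise.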