----- Forwarded message from "James A. Donald" <jamesd@echeque.com> ----- Date: Mon, 09 Sep 2013 07:25:11 +1000 From: "James A. Donald" <jamesd@echeque.com> To: Thor Lancelot Simon <tls@panix.com> Cc: cryptography@randombit.net Subject: Re: [cryptography] Random number generation influenced, HW RNG User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130801 Thunderbird/17.0.8 Reply-To: jamesd@echeque.com On 2013-09-09 1:54 AM, Thor Lancelot Simon wrote:
On Sun, Sep 08, 2013 at 03:00:39PM +1000, James A. Donald wrote:
On 2013-09-08 1:25 PM, Thor Lancelot Simon wrote:
On Sun, Sep 08, 2013 at 08:34:53AM +1000, James A. Donald wrote:
Well, since you personally did this, would you care to explain the very strange design decision to whiten the numbers on chip, and not provide direct access to the raw unwhitened output. You know as soon as anyone complained about this, they turned around and provided access to the unwhitened output in the next major version of the same product family, right? I am not aware of this. Could you provide further details? http://software.intel.com/en-us/blogs/2012/11/17/the-difference-between-rdra...
RDSEED provides the output of the /enhanced/ non-deterministic random number generator (ENRNG Which is "enhanced" by being whitened. And therefore makes it just as impossible to tell if the supposed randomness is backdoored as RDRAND does. What we need is the output of the entropy source. Supposedly we have a circuit that generates fairly random offwhite noise. (The entropy source) This is then AES encrypted (the enhanced non deterministic number generator), and the enhanced non deterministic random number generator then continuously seeds a pseudo random number generator, which provides the output of RDRAND To tell if there is a backdoor or not, we need the output of the entropy source, unenhanced. If the entropy source is real, it will show its analog characteristics leaking into the digital abstraction. The correlations and anti correlations between nearby bits will reflect the analog values of the circuit, thus no two chips will show quite the same correlations, and the correlations will vary with temperature and overclocking. These analog variations would be compelling evidence that the entropy source is the something very like the claimed circuit. Because RDSEED gives us the encrypted output of the entropy source, we cannot tell if the entropy source is a real entropy source, or a counter encrypted with the NSA's secret key. Since the whitening is deterministic, it is potentially reversible, but Intel does not appear to be releasing sufficient information to reverse it. _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5