Re: [Cryptography] [RNG] on RNGs, VM state, rollback, etc.
Tony Naggs writes:
I think you are overestimating how much real entropy you will collect this way [through powerline drift.]
Indeed. By the time you set up a powerline interface, you may as well just reverse-bias a diode, compare it to a low-pass-filtered version of itself, and capture that noise. You could do it with a DigiSpark, and get a USB bytestream. 100% open source, 100% auditable. http://digistump.com/

--
--my blog is at http://blog.russnelson.com | Crynwr supports open source software
521 Pleasant Valley Rd. | +1 315-600-8815
Potsdam, NY 13676-3213 | Sheepdog

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
We seem to be seeing a move toward commonly-used CPUs including hardware entropy sources. With those, we're in a much better position. There's always the possibility that the entropy source was cooked or flawed, but that's something you can engineer your way around reasonably well. Suppose you have a cryptographic PRNG that you initialize with a seed like this:

a. Get 256 bits of entropy from the OS.
b. Get 256 bits of entropy from the hardware entropy source.
c. Ping several hosts on the internet and measure the response time, and fold that into your seed.
d. Fold your ethernet address, IP address, and serial number into the seed.
e. Fold the installed-at-birth secret 128 bit value from your device into the seed.

Initialize a PRNG with all that, and the attacker is in an extremely hard place, as he has to be able to guess all five elements. (d) isn't all that hard to guess, but the rest will in general be very hard to guess.

--John
On 10/24/2013 10:59 AM, John Kelsey wrote:
Suppose you have a cryptographic PRNG that you initialize with a seed like this:
a. Get 256 bits of entropy from the OS.
b. Get 256 bits of entropy from the hardware entropy source.
[...]

A warning here: when mixing in different sources, you want to make sure they are different or it might make matters worse. In recent versions of Linux's urandom the Intel CPU random HW is NOT independent of urandom output; CPU HW random bits are XOR-ed in just before they are output. If you mix in the Intel random bits again you are making a complex system that is hard to analyze, and so not necessarily an improvement. Using some different and independent HW source? Cool.

-kb
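The following is an added example, not code from either poster: it implements the five-element seeding recipe above with a hash-based combiner, and contrasts it with plain XOR mixing to show the failure mode behind the warning about non-independent sources. It assumes a deliberately simplified model of the kernel behaviour described (pool output XOR hardware bytes, with the same hardware bytes reaching both paths); in real systems the hardware source returns fresh bytes per call, so the exact cancellation shown here is the worst case, not the typical one.

```python
import hashlib
import struct

def hash_fold(sources):
    """Fold labelled inputs into a 256-bit seed with SHA-256.
    Each input gets a label and a length prefix, so inputs of different
    sources and sizes cannot collide or cancel; a predictable input such as
    an Ethernet address cannot reduce what the others contribute."""
    h = hashlib.sha256()
    for label, data in sources:
        tag = label.encode("ascii")
        h.update(struct.pack(">H", len(tag)) + tag)
        h.update(struct.pack(">I", len(data)) + data)
    return h.digest()

def xor_fold(chunks):
    """Naive combiner: XOR equal-length chunks. Sound only when the chunks
    are independent; correlated inputs can cancel each other out."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)

def build_seed(os_entropy, hw_entropy, ping_us, eth_addr, ip_addr, serial, birth_secret):
    """Steps (a)-(e) of the recipe above, every element folded by hashing."""
    return hash_fold([
        ("os", os_entropy),
        ("hw", hw_entropy),
        ("ping", b"".join(struct.pack(">Q", t) for t in ping_us)),
        ("ids", eth_addr + ip_addr + serial),
        ("birth", birth_secret),
    ])

# Constructed stand-ins for the real sources (not real entropy).
POOL = bytes(range(32))                                     # pool output before the XOR step
HW = hashlib.sha256(b"constructed rdrand sample").digest()  # 32 "hardware" bytes

def kernel_urandom_model(pool, hw):
    """Simplified model of the behaviour described above: hardware bytes are
    XOR-ed into the pool output just before it is returned."""
    return xor_fold([pool, hw])

def demo():
    urandom_out = kernel_urandom_model(POOL, HW)
    xor_seed = xor_fold([urandom_out, HW])        # same HW bytes XOR-ed in again: they cancel
    hashed_seed = hash_fold([("os", urandom_out), ("hw", HW)])  # hashing keeps both inputs in play
    return xor_seed == POOL, hashed_seed not in (POOL, xor_seed)
```

`demo()` returns `(True, True)`: the XOR-combined seed collapses back to the pool output alone, while the hashed seed still depends on both inputs.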
participants (3)
- John Kelsey
- Kent Borg
- Russ Nelson