[cryptography] Random number generation influenced, HW RNG

Eugen Leitl eugen at leitl.org
Mon Sep 9 01:26:15 PDT 2013


----- Forwarded message from "James A. Donald" <jamesd at echeque.com> -----

Date: Mon, 09 Sep 2013 07:25:11 +1000
From: "James A. Donald" <jamesd at echeque.com>
To: Thor Lancelot Simon <tls at panix.com>
Cc: cryptography at randombit.net
Subject: Re: [cryptography] Random number generation influenced, HW RNG
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
Reply-To: jamesd at echeque.com

On 2013-09-09 1:54 AM, Thor Lancelot Simon wrote:
> On Sun, Sep 08, 2013 at 03:00:39PM +1000, James A. Donald wrote:
>> On 2013-09-08 1:25 PM, Thor Lancelot Simon wrote:
>>> On Sun, Sep 08, 2013 at 08:34:53AM +1000, James A. Donald wrote:
>>>> Well, since you personally did this, would you care to explain the
>>>> very strange design decision to whiten the numbers on chip, and not
>>>> provide direct access to the raw unwhitened output.
>>> You know as soon as anyone complained about this, they turned around
>>> and provided access to the unwhitened output in the next major version
>>> of the same product family, right?
>> I am not aware of this.  Could you provide further details?
> http://software.intel.com/en-us/blogs/2012/11/17/the-difference-between-rdrand-and-rdseed

RDSEED provides the output of the /enhanced/ non-deterministic random
number generator (ENRNG)

Which is "enhanced" by being whitened.

And therefore makes it just as impossible to tell if the supposed
randomness is backdoored as RDRAND does.

What we need is the output of the entropy source.

Supposedly we have a circuit that generates fairly random off-white
noise (the entropy source). This is then AES encrypted (the enhanced
non-deterministic number generator), and the enhanced non-deterministic
random number generator then continuously seeds a pseudo-random number
generator, which provides the output of RDRAND.

To tell if there is a backdoor or not, we need the output of the
entropy source, unenhanced.

If the entropy source is real, it will show its analog characteristics
leaking into the digital abstraction.  The correlations and
anti-correlations between nearby bits will reflect the analog values of
the circuit, thus no two chips will show quite the same correlations, and
the correlations will vary with temperature and overclocking.  These
analog variations would be compelling evidence that the entropy source
is something very like the claimed circuit.

Because RDSEED gives us the encrypted output of the entropy source, we
cannot tell if the entropy source is a real entropy source, or a
counter encrypted with the NSA's secret key.

Since the whitening is deterministic, it is potentially reversible,
but Intel does not appear to be releasing sufficient information to
reverse it.


_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


----- End forwarded message -----
-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
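The distinguishing test James describes above (correlations between nearby bits that a raw entropy source leaks and a conditioned output hides) as an added illustration that is not part of the thread or of Intel's design: the biased, sticky noise model, the counter, and SHA-256 standing in for the AES conditioner are all constructed assumptions, and the same lag-correlation check is what a practitioner would run over captured raw samples.

```python
import hashlib
import random


def lag_correlation(bits, k):
    """Pearson correlation between each bit and the bit k positions later.
    A nonzero value is the 'analog fingerprint' the post expects a raw
    entropy source to show and a whitened output to erase."""
    n = len(bits) - k
    x, y = bits[:n], bits[k:]
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / n
    vx = sum((a - mx) ** 2 for a in x) / n
    vy = sum((b - my) ** 2 for b in y) / n
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def raw_source(n, bias=0.55, stick=0.3, seed=1):
    """Constructed model of an off-white noise source: biased toward 1,
    and each bit repeats its predecessor with probability `stick`."""
    rng = random.Random(seed)
    bits = [1 if rng.random() < bias else 0]
    while len(bits) < n:
        if rng.random() < stick:
            bits.append(bits[-1])
        else:
            bits.append(1 if rng.random() < bias else 0)
    return bits


def counter_source(n):
    """A plain counter, 256 bits per block: zero entropy by construction."""
    bits = []
    c = 0
    while len(bits) < n:
        bits.extend(int(b) for b in format(c, "0256b"))
        c += 1
    return bits[:n]


def whiten(bits):
    """Conditioner stand-in: SHA-256 over each 256-bit block (an assumption;
    Intel conditions with AES, but any good PRF erases the raw pattern)."""
    out = []
    for i in range(0, len(bits) - 255, 256):
        block = int("".join(map(str, bits[i:i + 256])), 2).to_bytes(32, "big")
        digest = int.from_bytes(hashlib.sha256(block).digest(), "big")
        out.extend((digest >> j) & 1 for j in range(255, -1, -1))
    return out
```

After conditioning, the real noise source and the entropy-free counter both show lag correlations near zero, which is exactly why the post argues the raw output is needed to tell them apart.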