hardware RNG

Bill Stewart bill.stewart at pobox.com
Tue Sep 10 00:13:32 PDT 2013


At 04:28 PM 9/9/2013, Juan Garofalo wrote:
> Creating hardware RNGs for individual PCs or phones or
> similar devices isn't really hard. We don't need to rely on a
> multibillion American corporation like Intel to produce some
> state-of-the-art circuitry. There are applications that need a fast
> stream of random numbers, but those applications are not the
> applications end users run on their devices for security purposes -
> Did I get the general idea right?

Except for security purposes, most people who need a lot of random 
numbers are doing things like simulation or generating events in 
games, so they need a source with very good statistics about 
independence and uncorrelatedness, but don't mind if it's predictable 
(and in fact being predictable can be useful, since you can run the 
same random data stream against different versions of your 
application and see if it performed better or worse).  For those 
people, a statistically good pseudorandom number generator is usually 
just fine, and if it's cryptographically secure that's nice but only 
because crypto stuff needs to be statistically good.  Fast on-chip 
hardware random number generation is useful to non-security people 
because it's also likely to be statistically good.

Security's different, of course.  In a typical client-server or 
peer-to-peer environment, a client or peer isn't going to be 
generating a lot of random session keys per second, much less a lot 
of high-strength long-term-use public keys, so the only reason 
performance matters is that you don't want the user to use a 
too-short key because generating a long enough key would have taken 
15 minutes or required them to wave a mouse around for a long 
time.  A web server or mail server or sometimes a peer with a lot of 
traffic (e.g. a Tor node) is a different case; they might handle 
enough traffic that fast strong hardware random number generation is 
necessary, and they're also the more interesting targets for Bad Guys 
to attack.

The other set of security people who want a large quantity of really 
good random numbers are people who use one-time pads.  Most of them 
are either hobbyists (who can wait), or actually 
military/spies/anti-government activists (who are going to ship keys 
around by courier, which is slow, so they should be willing to 
generate them in advance), or paranoids (who don't trust public-key 
crypto, or who don't trust their hardware not to have backdoors, so 
they've got lots of challenges).  Using OTPs in a professional 
environment is operationally expensive; you should be willing to 
spend money on hardware if you're doing it.
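The distinction drawn above (a seeded PRNG that is statistically fine and deliberately reproducible for simulation, versus an unpredictable generator for session keys) can be made concrete in a few lines. The following Python is an added example written for this page, not code from the post or its author; the chi-square threshold it uses is a constructed heuristic (the 255-degree-of-freedom statistic has mean 255, so values far above ~330 are suspicious), and the 64 KiB sample sizes are arbitrary.

```python
"""Seeded PRNG vs. OS CSPRNG: both pass a simple byte-frequency test,
but only the seeded one is reproducible (and therefore predictable)."""
import random
import secrets
from collections import Counter


def simulation_stream(seed: int, n: int) -> bytes:
    """Mersenne Twister seeded from an integer: good statistics, same
    output every run for the same seed. Right for A/B testing a game or
    simulation, wrong for anything that must be unguessable."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


def session_key(nbytes: int = 32) -> bytes:
    """Key material from the OS CSPRNG (secrets -> os.urandom). Not
    reproducible, which is exactly the property a session key needs."""
    return secrets.token_bytes(nbytes)


def chi_square_bytes(data: bytes) -> float:
    """Chi-square statistic of observed byte frequencies against a
    uniform distribution over 256 symbols (255 degrees of freedom)."""
    n = len(data)
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected
               for b in range(256))


def looks_uniform(data: bytes, threshold: float = 350.0) -> bool:
    """Heuristic pass/fail: for df=255 the statistic sits near 255 with
    standard deviation ~22.6, so 350 (constructed cutoff) is far out in
    the tail for genuinely uniform data."""
    return chi_square_bytes(data) < threshold


def reproducible(seed: int, n: int = 4096) -> bool:
    """Two independent generators with the same seed yield identical
    streams: useful for simulation replay, fatal for key generation."""
    return simulation_stream(seed, n) == simulation_stream(seed, n)


if __name__ == "__main__":
    sim = simulation_stream(12345, 65536)
    key_stream = session_key(65536)
    print("seeded PRNG uniform?  ", looks_uniform(sim))
    print("CSPRNG uniform?       ", looks_uniform(key_stream))
    print("seeded PRNG replays?  ", reproducible(12345))
    print("two CSPRNG keys equal?", session_key() == session_key())
    print("all-zero bytes uniform?", looks_uniform(bytes(65536)))
```

The point the test makes is the one in the post: a frequency test cannot tell the two sources apart, so "statistically good" says nothing about suitability for security; only the unpredictability of the source does, and that is a property of where the bits come from, not of how they look.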
