[Cryptography] Use of RDRAND in Haskell's TLS RNG?

grarpamp grarpamp at gmail.com
Mon Nov 28 20:09:35 PST 2016


Any recent processor from Intel has between 1B and 8B transistors.
Not a single modern processor from them has been publicly decapped
and audited.
Both Intel and the fabs they are built in are closed source.
And the NSA and others intercept your deliveries and backdoor
your microcode.
Audits... there, really? Trying to start with and prove out that mess?
LOL, you're fucked.

Instead of pouring yet another hundred messages into the quarterly
circle jerk about 'random', why not try figuring out how to create
something that might be worthy of some level of objective trust.

#OpenFabs


On Wed, Nov 23, 2016 at 1:24 PM, Ray Dillinger <bear at sonic.net> wrote:
>
>
> On 11/23/2016 02:23 AM, Darren Moffat wrote:
>> What is a "proper audit" and why do you think that Intel hasn't done that
>> already? What more could they (or any chip designer/builder) do to convince
>> you?
>>
>> Darren
>>
>
> A proper audit is one that's sufficient for anybody with a copy of the
> audit to notice if there's a mistake in the claimed implementation.
> Therefore, it would include a discussion of the exact design specs, the
> design process, and why the design is expected to meet those specs.
> Then it would show both images of the relevant parts of the chip die and
> the source code that resulted in that layout, so that people can check
> those things against the claimed implementation.  And it would be
> publicly available so security researchers and random grad students
> anywhere in the world can inspect it, publish papers about it, freely
> quote it, etc. without need of an NDA and without worrying about getting
> sued.
>
> If this document existed we'd know about it because researchers and grad
> students in Shanghainese and Russian universities, and everybody else
> whose governments or sponsors are suspicious of American companies and
> would budget a whole lot of university research, would be publishing a
> firehose stream of papers about it.
>
> Lite Verification means making the pre-whitening random-process output
> available from the chip and letting people verify that the RDRAND
> output does indeed correspond to those bits and the whitening process
> claimed in the audit. Likewise, we'd know about it, and there'd be
> another firehose stream of papers coming out.
>
> Full Verification involves decapping randomly selected chips that have
> been sold to the general public, and inspecting them under an electron
> microscope to make sure the implementation claimed in the audit is
> what's actually there.  And to make sure that it's actually hooked up so
> people can tell that it is the part of the die which is used to handle
> that particular instruction. Full verification could *in principle* be
> repeated by as many people, in as many different countries, as there are
> chips sold, with notice to or participation by the manufacturer neither
> required nor given nor expected.
>
> Publishing the audit would be simple and easy.  We assume that document
> already exists, it just hasn't been published.  Lite verification would
> require additional chip design, possibly additional output pins, and
> would raise the cost of the chip, but designing to make it possible
> would have been well within Intel's capabilities. Full Verification
> would be an absolute bugger for anybody to do, very expensive, and IMO
> is unlikely to be done by anyone save nation-states who will never
> publish their findings. Nor, indeed, even admit they've done it.
>
>                                 Bear
>
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
