[146954] in cryptography@c2.net mail archive


Re: [Cryptography] Random number generation influenced, HW RNG

daemon@ATHENA.MIT.EDU (ianG)
Tue Sep 10 10:28:37 2013

X-Original-To: cryptography@metzdowd.com
Date: Tue, 10 Sep 2013 09:30:14 +0300
From: ianG <iang@iang.org>
To: cryptography@metzdowd.com
In-Reply-To: <8681EAF5-6BBB-4761-A7CA-9754B2E6D176@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 10/09/13 06:29 AM, John Kelsey wrote:
>   But I am not sure how much it helps against tampered chips.  If I can tamper with the noise source in hardware to make it predictable, it seems like I should also be able to make it simulate the expected behavior.  I expect this is more complicated than, say, breaking the noise source and the internal testing mechanisms so that the RNG outputs a predictable output stream, but I am not sure it is all that much more complicated.  How expensive is a lightweight stream cipher keyed off the time and the CPU serial number or some such thing to generate pseudorandom bits?  How much more to go from that to a simulation of the expected behavior, perhaps based on the same circuitry used in the unhacked version to test the noise source outputs?


The question of whether one could simulate a raw physical source is 
tantalising.  I see diverse opinions as to whether it is plausible, and 
thinking about it, I'm on the fence.

I'd say it might be an unstudied problem -- for us.  It's sounding like 
an interesting EE/CS project, masters or PhD level?

If anyone has studied it, I'd bet fair money that the NSA has.

iang

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
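An added example, not part of the thread and not code posted by either participant, that makes the concern in the quoted paragraph concrete. It models a noise source that has been replaced by a keyed stream (HMAC-SHA256 in counter mode standing in for the lightweight stream cipher Kelsey mentions), keyed off a constructed implant secret, a constructed CPU serial and the boot time, and shaped to the same bias as a modelled honest source. Both streams are then run through the continuous health tests of NIST SP 800-90B (Repetition Count and Adaptive Proportion) and its most-common-value min-entropy estimator. The implant key, serial, the bias of 0.55 and the boot-time value are all assumptions, and the honest source is a seeded PRNG rather than real hardware. What it shows is only the digital side of ianG's question: the on-chip statistical tests cannot tell the two sources apart, while anyone holding the key regenerates the "noise" bit for bit. Whether the analog waveform of a raw physical source can be faked convincingly is the part the thread leaves open, and this example does not address it.

```python
"""Added example: a tampered noise source that passes SP 800-90B continuous
health tests while being fully predictable to the holder of the implant key.
Every parameter below is a constructed assumption, not data from a real part."""
import hashlib
import hmac
import math
import random
import struct

IMPLANT_SECRET = b"hypothetical-implant-key"  # assumed: baked into the tampered die
CPU_SERIAL = b"CPU-SN-0000000042"             # assumed: per-part serial number
BIAS_ONES = 0.55            # assumed P(1) of the honest raw (unconditioned) source
H_MIN = -math.log2(BIAS_ONES)   # min-entropy per bit a vendor would claim for it
ALPHA = 2.0 ** -20          # health-test false-alarm rate used in SP 800-90B examples
APT_WINDOW = 1024           # SP 800-90B Adaptive Proportion window for binary sources


def honest_noise_source(n_bits, seed=None):
    """Model of the unhacked source: i.i.d. biased bits. The PRNG stands in for
    physical noise; seed=None draws a fresh seed from the OS."""
    rng = random.Random(seed)
    return [1 if rng.random() < BIAS_ONES else 0 for _ in range(n_bits)]


def tampered_noise_source(n_bits, boot_time):
    """Backdoored source: HMAC-SHA256 counter-mode keystream keyed from the implant
    secret, the CPU serial and the boot time. Each keystream byte is mapped to a
    bit with the same bias the honest source shows, so statistics look unchanged."""
    key = hashlib.sha256(IMPLANT_SECRET + CPU_SERIAL + struct.pack(">Q", boot_time)).digest()
    threshold = round(256 * BIAS_ONES)  # byte < threshold -> 1
    bits, counter = [], 0
    while len(bits) < n_bits:
        block = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
        bits.extend(1 if b < threshold else 0 for b in block)
    return bits[:n_bits]


def rct_cutoff(h_min, alpha=ALPHA):
    """Repetition Count Test cutoff, SP 800-90B sec. 4.4.1."""
    return 1 + math.ceil(-math.log2(alpha) / h_min)


def apt_cutoff(h_min, window=APT_WINDOW, alpha=ALPHA):
    """Adaptive Proportion Test cutoff, SP 800-90B sec. 4.4.2: smallest c with
    P[Binomial(window, 2^-h_min) <= c] >= 1 - alpha. Terms computed in log space."""
    p = 2.0 ** -h_min
    cdf = 0.0
    for c in range(window + 1):
        log_term = (math.lgamma(window + 1) - math.lgamma(c + 1) - math.lgamma(window - c + 1)
                    + c * math.log(p) + (window - c) * math.log1p(-p))
        cdf += math.exp(log_term)
        if cdf >= 1 - alpha:
            return c
    return window


def run_health_tests(bits, h_min=H_MIN, window=APT_WINDOW):
    """Both SP 800-90B continuous tests over a bit stream; returns (rct_ok, apt_ok)."""
    rct_c, apt_c = rct_cutoff(h_min), apt_cutoff(h_min, window)
    rct_ok, run, last = True, 0, None
    for b in bits:                      # RCT: fail on rct_c identical samples in a row
        run = run + 1 if b == last else 1
        last = b
        if run >= rct_c:
            rct_ok = False
            break
    apt_ok = True
    for start in range(0, len(bits) - window + 1, window):   # APT per window
        w = bits[start:start + window]
        if w.count(w[0]) >= apt_c:      # count includes the window's first sample
            apt_ok = False
            break
    return rct_ok, apt_ok


def mcv_min_entropy(bits):
    """Most Common Value min-entropy estimate, SP 800-90B sec. 6.3.1 (binary case)."""
    n = len(bits)
    p_max = max(bits.count(1), bits.count(0)) / n
    p_upper = min(1.0, p_max + 2.576 * math.sqrt(p_max * (1 - p_max) / n))
    return -math.log2(p_upper)


if __name__ == "__main__":
    N, BOOT = 4096, 1378794614          # constructed boot-time value
    honest = honest_noise_source(N, seed=7)
    tampered = tampered_noise_source(N, boot_time=BOOT)
    for name, bits in (("honest", honest), ("tampered", tampered)):
        print(name, "health tests:", run_health_tests(bits),
              "MCV min-entropy/bit: %.3f" % mcv_min_entropy(bits))
    # The key holder regenerates the "noise" exactly; nothing downstream can tell.
    print("attacker reproduces stream:", tampered == tampered_noise_source(N, boot_time=BOOT))
```

Run it with python3: it prints the health-test verdicts and entropy estimates for both sources and confirms the keyed reconstruction. The design point is that the 90B continuous tests are built to catch a source that has failed (stuck output, gross bias drift), not one that is actively lying; a source that passes them has been shown not to be dead, nothing more.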
