[148109] in cryptography@c2.net mail archive
Re: [Cryptography] SP800-90A B & C
daemon@ATHENA.MIT.EDU (Bear)
Mon Nov 11 17:39:33 2013
X-Original-To: cryptography@metzdowd.com
From: Bear <bear@sonic.net>
To: cryptography@metzdowd.com
Date: Mon, 11 Nov 2013 13:23:20 -0800
In-Reply-To: <CACsn0cm-_=Yk4Pjs+YfF_SjC7jQW90hEM7W2hUvXwxU2qMuqGg@mail.gmail.com>
On Sun, 2013-11-10 at 12:09 -0800, Watson Ladd wrote:
> There are (broadly speaking) two different designs for random number
> generators. NIST is using the physics+stretch approach: A low
> bandwidth source of random bits, defined in 90B, periodically reseeds
> a pseudorandom generator as in 90A.
> The other design, exemplified by Yarrow, Fortuna, the Linux kernel
> randomness subsystem, and others, uses large numbers of inputs of
> unknown entropy, and attempts to distill a few bits of known entropy.
> I believe that we have a much better handle on the first class of
> designs from a cryptanalytic perspective than the second. In
> particular the pooling design can fail in very subtle ways if it has
> too few sources. By contrast the first approach is guaranteed by
> design to have a seed from a random process if it works.
I actually have more concerns about the first design, because recent
events force us to consider hardware manufacturers as adversaries or
as being possibly complicit with adversaries. A special-purpose
device which we cannot see inside to verify that it works in the way
it is being described to work is unacceptable as a sole source of
entropy because it represents a single manufacturer who must therefore
be given total trust.
It is a good design, but we have no way of assuring that it is the
design which is actually implemented. Therefore we need a different
good design, and I think that systems of the second kind with diverse
sources of entropy are better because they contain multiple sources
which can be verified. The fact that they also benefit from sources
which cannot be verified if those sources are in fact good, and with
respect to adversaries to whom those sources are good even if there
are other opponents to which they are transparent, is also important.
In fact even if every source of randomness available is compromised,
but they are compromised by nine different opponents none of whom
is trusted with the compromises by all of the others, it is still
possible to build a system secure against all of these nine adversaries
using a mixing approach.
Bear
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
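The closing argument above (mix every available source, and the result stays secure against each of nine adversaries as long as no single one of them holds all nine compromises) is easy to make concrete. The following is an added illustration, not code from the thread or from any of the designs it names: a hash-based combiner that length-prefixes each source, plus a brute-force model of what an adversary who knows some subset of the sources can enumerate. The nine fixed one-byte "sources" and the 256-value domain are constructed for the demonstration; real sources would be much larger, and the candidate count would be the product of the unknown sources' sizes.

```python
"""Entropy combiner and adversary model (added example, not from the original thread).

mix_sources() hashes all inputs together; adversary_candidates() shows how many
seeds an adversary can enumerate given the sources it knows.  Sources and the
per-source value domain are constructed, tiny values so the enumeration is fast.
"""
import hashlib
import itertools
from typing import Dict, Sequence, Set


def mix_sources(sources: Sequence[bytes], out_len: int = 32) -> bytes:
    """Combine independent entropy inputs into one seed.

    Every source is length-prefixed, so two different source lists never
    serialize to the same byte stream (e.g. [b"ab", b"c"] vs [b"a", b"bc"]).
    Any change to any one source changes the output, and an adversary must
    know every input to reproduce the digest.
    """
    h = hashlib.sha256()
    h.update(len(sources).to_bytes(4, "big"))
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()[:out_len]


def adversary_candidates(known: Dict[int, bytes], n_sources: int,
                         domain: Sequence[bytes]) -> Set[bytes]:
    """Seeds an adversary can enumerate when it knows the sources in `known`
    (index -> value) and each remaining source ranges over `domain`.

    The size of the returned set is the adversary's residual uncertainty:
    1 means the seed is fully predictable, len(domain)**k means the k unknown
    sources still have to be guessed.
    """
    unknown = [i for i in range(n_sources) if i not in known]
    candidates: Set[bytes] = set()
    for combo in itertools.product(domain, repeat=len(unknown)):
        srcs = [b""] * n_sources
        for i, v in known.items():
            srcs[i] = v
        for i, v in zip(unknown, combo):
            srcs[i] = v
        candidates.add(mix_sources(srcs))
    return candidates


# Constructed scenario: nine sources, each one byte, each "owned" by a
# different adversary who knows that source's value and nothing else.
TRUE_SOURCES = [bytes([10 * i + 3]) for i in range(9)]
DOMAIN = [bytes([v]) for v in range(256)]
TRUE_SEED = mix_sources(TRUE_SOURCES)


def single_adversary_uncertainty(owned: int) -> int:
    """Adversary `owned` knows only its own source; the other eight are open."""
    known = {owned: TRUE_SOURCES[owned]}
    return len(adversary_candidates(known, len(TRUE_SOURCES), DOMAIN[:4]))


def coalition_uncertainty(members: Sequence[int]) -> int:
    """A coalition pooling the compromises of `members`; all other sources
    are brute-forced over the full 256-value domain."""
    known = {i: TRUE_SOURCES[i] for i in members}
    return len(adversary_candidates(known, len(TRUE_SOURCES), DOMAIN))


if __name__ == "__main__":
    # Eight of nine compromised (a coalition of eight): 256 candidates remain.
    print("8-of-9 coalition:", coalition_uncertainty(range(8)))
    # All nine compromised by one party: exactly one candidate, the true seed.
    print("9-of-9 coalition:", coalition_uncertainty(range(9)))
```

The two numbers printed are the point of the argument: with eight of nine sources known, the combiner output is still one of 256 equally likely values (one byte of residual entropy, the full contribution of the single honest source), and only an adversary holding all nine compromises collapses that to one. A single-source design corresponds to the second case with one source, which is why a sole unverifiable source is unacceptable.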