[Cryptech Tech] Some thoughts and questions on the RNG strategy

Joachim Strömbergson joachim at secworks.se
Thu Feb 6 08:43:57 UTC 2014


Aloha!

There are currently a huge number of interesting discussions about
entropy sources, how RNGs work, how they should work, what is important
re RNGs and what is not, going on at a number of places. I'm trying to
follow these discussions.

IanG has written a good text that summarizes his view on a lot of the
discussions on the cryptography maillist:

http://iang.org/ssl/hard_truths_hard_random_numbers.html

You may note that the structure with collector, mixer and generator is
pretty close to what I drew. I don't really agree on the testing part of
his text though and want to be able to both check the raw entropy
sources as well as inject seed values into the generator to be able to
verify that it works as specified.

If we follow this strategy, the path forward is pretty straightforward
(imho) with the big uncertainties related more to the entropy sources
and collectors than mixer and generator.

But recently DJB has started up a new set of discussions that sort of
flips the idea about what is important when building your RNG. This page
is a good read from DJB:

http://blog.cr.yp.to/20140205-entropy.html

I'm not convinced that this is the path to be taken. And we _still_ need
some entropy. I would very much appreciate your thoughts on this.

Another related question is the CSPRNG to use. I've previously
considered using something like the CTR DRBG in NIST 800-90 based on
AES. But an alternative would be to use a stream cipher directly.

The ChaCha cipher for example would provide up to 2**64 512-bit random
words before reseeding, which would make requirements on the collection
very low. The ChaCha cipher is very good in HW and is designed to be
side-channel resistant. Even a small, slow FPGA could provide Gbps of
good random numbers with ChaCha. (My own FPGA implementation achieves in
excess of 3 Gbps in the FPGA I have today.)

We would then basically run ChaCha in counter mode for up to 2**64 words
and then reseed with 256+64 = 320 bits that we have ample time to
collect and curate.

The question I have for you is, do we want to stay close to standards
such as SP 800-90 or shall we follow our own path? Do we gain or lose trust?

BTW: I will try and see if I can get DJB and/or other people to look at
our proposal when we have something more substantial to show.

-- 
Kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================
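The generator design sketched in the mail above (ChaCha run in counter mode, a 320-bit seed made of a 256-bit key and a 64-bit nonce, a hard stop after a bounded number of 512-bit words, and the ability to inject a fixed seed so the output can be checked against a known answer) can be written down concretely. The following is an added example by the editor, not code from the mail, from Joachim's FPGA core or from the Cryptech project. It uses the original ChaCha20 state layout (64-bit counter in words 12-13, 64-bit nonce in words 14-15, which is what a 2**64-block reseed bound implies). The `mix_seed` function is an assumed, illustrative mixer (SHA-512 truncated to 320 bits) standing in for whatever collector/mixer the project ends up with; the class and function names are the editor's. The small `reseed_interval` in the usage section only exists to show the refusal path without running 2**64 blocks.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
SEED_BYTES = 40   # 256-bit key + 64-bit nonce = 320 bits, as in the mail


def _rotl32(v: int, c: int) -> int:
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 512-bit ChaCha20 block in the original layout: 256-bit key,
    64-bit block counter (words 12-13), 64-bit nonce (words 14-15)."""
    if len(key) != 32 or len(nonce) != 8 or not 0 <= counter < 2**64:
        raise ValueError("key 32 bytes, nonce 8 bytes, counter < 2**64")
    state = list(struct.unpack("<4I", b"expand 32-byte k"))   # constants
    state += struct.unpack("<8I", key)
    state += [counter & MASK32, counter >> 32]
    state += struct.unpack("<2I", nonce)
    w = state[:]
    for _ in range(10):                       # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def mix_seed(pool: bytes) -> bytes:
    """Illustrative mixer (editor's assumption, not from the mail): condense
    whatever the collector gathered into a fixed 320-bit seed."""
    return hashlib.sha512(b"rng-seed-mixer|" + pool).digest()[:SEED_BYTES]


class ChaChaGenerator:
    """ChaCha20 in counter mode. Refuses to emit more than reseed_interval
    512-bit words from one seed; the mail's bound is the full 2**64."""

    def __init__(self, seed: bytes, reseed_interval: int = 2**64) -> None:
        if not 1 <= reseed_interval <= 2**64:
            raise ValueError("reseed interval must fit the 64-bit counter")
        self.reseed_interval = reseed_interval
        self.reseed(seed)

    def reseed(self, seed: bytes) -> None:
        """Install a fresh 320-bit seed and restart the block counter at 0."""
        if len(seed) != SEED_BYTES:
            raise ValueError("seed must be 320 bits (256-bit key + 64-bit nonce)")
        self.key, self.nonce, self.counter = seed[:32], seed[32:], 0

    def reseed_required(self) -> bool:
        return self.counter >= self.reseed_interval

    def next_word(self) -> bytes:
        """Return the next 512-bit random word, or refuse if a reseed is overdue."""
        if self.reseed_required():
            raise RuntimeError("reseed required before more output")
        block = chacha20_block(self.key, self.counter, self.nonce)
        self.counter += 1
        return block


# Published known-answer vector: ChaCha20, all-zero key, all-zero nonce,
# counter 0 (identical in the 64/64 and 32/96 layouts because both are zero).
KAT_BLOCK0 = bytes.fromhex(
    "76b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7"
    "da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586")


def known_answer_test() -> bool:
    """Inject a fixed seed and compare the generator's output to the vector,
    which is the 'verify that it works as specified' step from the mail."""
    g = ChaChaGenerator(bytes(SEED_BYTES))
    return g.next_word() == KAT_BLOCK0


if __name__ == "__main__":
    print("known-answer test:", "pass" if known_answer_test() else "FAIL")
    # Constructed collector output; a tiny interval so the refusal path is visible.
    g = ChaChaGenerator(mix_seed(b"constructed collector output"), reseed_interval=4)
    words = [g.next_word() for _ in range(4)]
    print("words from one seed:", len(words), "reseed required:", g.reseed_required())
```

Two points the code makes that the mail only states in passing: the seed-injection path is exactly what lets a known-answer test run against the generator without touching the entropy sources, and the reseed bound is enforced by the generator refusing to output rather than by trusting the collector to arrive in time.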