[Cryptech Tech] trng ready for play
bernd at net2o.de
Thu Oct 16 18:28:27 UTC 2014
Am Donnerstag, 16. Oktober 2014, 15:37:14 schrieb Joachim Strömbergson:
> What I do is add 1024 bits and perform next_block processing in SHA-512
> to get 512 bit seeds. That means that any 512 bit block of seed depends
> not only of 1024 new bits of entropy, but also on all previous SHA-512
> operations. An attacker must know this internal state too in order to
> predict the seed values used to initialize the csprng.
> If you do a reset of the FPGA this state is lost. But we are fairly
> rapidly moving into an area where alarms should have been started to
> loudly warble.
> A bit more likable, yes?
Ok, that's fine. As long as you keep some state from previous entropy, it's
save against temporary attacks on the entropy sources.
> I think my description of the csprng and seeds needs to be clearer. Your
> description of how ChaCha works is exactly how I use it with blocks
> generated based on key, IV, counter. The 512-bit block is the data block
> that the generated blocks are XOR:ed with. It is my "data block" in a
> stream cipher operation. It could be all zero too but setting it to a
> random value adds internal state an attacker has to guess.
Ok, then this is a documentation review, not a design review ;-).
> The random seek functionality is why I can get to arbitrarily high
> random number perdformance by instantiating more parallel ChaCha cores
> and have then generate values interleaved by stepping the counter +N
> steps (with N ChaCha cores) instead of +1
Well, if you want ultra-high-speed randomness, you most likely have to go to
the CPU core itself; ChaCha takes only a few cycles per byte, and everything
but cache is aleady slower than that.
"If you want it done right, you have to do it yourself"
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 198 bytes
Desc: This is a digitally signed message part.
More information about the Tech