[Cryptech Tech] Alpha board main CPU change
Randy Bush
randy at psg.com
Mon Jun 1 15:10:54 UTC 2015
How does mixing explicitly untrusted data into the CSPRNG improve randomness or trust in it?
randy, please excuse typos
> On May 30, 2015, at 09:15, Warren Kumari <warren at kumari.net> wrote:
>
>
>
>> On Friday, May 29, 2015, Jacob <jacob at edamaker.com> wrote:
>>
>>>> Also, realizing that I don't have any of the credentials required to
>>>> enter into the sanctum sanctorum of the crypto world, and I know
>>>> that this is bordering on heresy, but since M4 has a TRNG, will you
>>>> trust it? If yes, what benefit is provided by the noise board, if
>>>> any? If not, why would you trust the M4 to manage your external TRNG
>>>> and FPGA
>>>
>>> As others have stated. No, we won't replace our TRNG with the one inside
>>> the M4. And note that the noise board is only one of our noise sources.
>>>
>>> If the TRNG inside is the same design as in the STM32L06, based on
>>> testing with Dieharder it generates good random numbers. But it is a
>>> black box. ST does not provide any real information on what the
>>> underlying physical process is, how it is used to drive a CSPRNG. And of
>>> course no real insight into what is actually on the chip.
>>>
>>> We could use the TRNG in the M4 as an entropy source to feed the TRNG
>>> inside the FPGA (basically a FIFO into which SW could write words
>>> consumed during entropy mixing). But replacing the TRNG, no.
>>
>> I brought up the M4 TRNG issue with a view on any possible subversion of its internal design, but I get from you that the issue on hand is much more basic - no knowledge what's in it and how it operates - and thus can't be fully embraced as a sole actor. Good point.
>>
>> Jacob
>
> Sure, not as a sole actor, but what about as an additional source, mixed in with the others? I'm not sure what the latest views on this are - if an attacker could predict all of the output of the M4 TRNG do they have any advantage over a design that just doesn't mix this in? Intuitively it feels like they don't (just pretend that the extra RNG outputs a stream of 0), but I seem to remember someone knowledgeable saying that N sources of entropy is better than N + 1, where the attacker controls the +1...
> Makes no sense, but then again that's how I often feel when talking about random :-
> W
>
>
>>
>>
>> _______________________________________________
>> Tech mailing list
>> Tech at cryptech.is
>> https://lists.cryptech.is/listinfo/tech
>
>
> --
> I don't think the execution is relevant when it was obviously a bad idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
> ---maf
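The "N versus N + 1 sources" question raised in the quoted thread turns on two things: how the sources are combined, and whether the attacker who controls the extra source gets to pick its value after seeing the others. The following is an added illustration written for this archive page; it is not Cryptech's mixer, FPGA FIFO, or M4 firmware, and the hash-based and XOR-based conditioners, the function names, and the sample inputs are all assumptions constructed for the demonstration. It shows (a) that against a passive attacker a predictable extra source behaves like a constant, so the output still varies one-to-one with the trusted source, (b) that an XOR mixer lets an adaptive attacker who sees the other inputs first choose the output outright, and (c) that a hash mixer reduces that adaptive attacker to picking among a handful of candidate outputs (enough to bias a bit, not to dictate the value).

```python
import hashlib

BLOCK = 32  # bytes per source sample, an assumed block size for the demo


def hash_mix(*sources: bytes) -> bytes:
    """Assumed conditioner: SHA-256 over length-prefixed source blocks.

    If at least one input is unpredictable to the attacker, and the attacker
    fixed their own input before seeing the others, the digest is
    unpredictable: a known input is just a constant folded into the hash.
    """
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))  # unambiguous concatenation
        h.update(s)
    return h.digest()


def xor_mix(*sources: bytes) -> bytes:
    """Naive conditioner: bytewise XOR of equal-length blocks."""
    out = bytearray(len(sources[0]))
    for s in sources:
        if len(s) != len(out):
            raise ValueError("xor_mix needs equal-length blocks")
        for i, b in enumerate(s):
            out[i] ^= b
    return bytes(out)


def passive_attacker_distinct_outputs(mixer, trusted_samples, predictable_extra):
    """Case (a): the attacker knows `predictable_extra` but cannot change it.

    Returns how many distinct mixer outputs the trusted samples produce with
    the known extra source folded in. Equal to the number of distinct trusted
    samples for either mixer, i.e. the extra source neither adds nor removes
    variation the attacker has to guess.
    """
    return len({mixer(t, predictable_extra) for t in trusted_samples})


def adaptive_xor_attack(seen_sources, target):
    """Case (b): attacker controls the last XOR input and sees the others
    first. Choosing (XOR of seen sources) XOR target forces the output to
    `target` exactly, regardless of how good the other sources are."""
    return xor_mix(*seen_sources, target)


def adaptive_hash_attack(seen_sources, tries):
    """Case (c): same attacker against the hash mixer. They cannot solve for
    an input that yields a chosen digest, but they can evaluate `tries`
    candidate inputs and keep the one whose output has the property they
    want (here: leading bit clear). Returns the chosen input, or None if no
    candidate worked (probability 2**-tries)."""
    for i in range(tries):
        cand = i.to_bytes(BLOCK, "big")
        if hash_mix(*seen_sources, cand)[0] & 0x80 == 0:
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample inputs; in a real device these would be noise blocks.
    trusted = [bytes([v]) * BLOCK for v in range(256)]
    predictable = b"\x00" * BLOCK          # "pretend the extra RNG outputs 0"
    print("hash, passive :", passive_attacker_distinct_outputs(hash_mix, trusted, predictable))
    print("xor,  passive :", passive_attacker_distinct_outputs(xor_mix, trusted, predictable))

    seen = [b"noise-board-sample".ljust(BLOCK, b"A"), b"avalanche-sample".ljust(BLOCK, b"B")]
    forced = adaptive_xor_attack(seen, b"\x00" * BLOCK)
    print("xor,  adaptive:", xor_mix(*seen, forced).hex())
    chosen = adaptive_hash_attack(seen, 64)
    print("hash, adaptive: leading bit", hash_mix(*seen, chosen)[0] >> 7)
```

The practical reading for a design like the one described in the thread (a software-written FIFO consumed during entropy mixing): an extra, possibly predictable source is harmless under a hash-style conditioner as long as the device does not let that source observe or time itself against the other inputs, and as long as it is never counted toward the entropy estimate that decides when output may be released.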