[Cryptech Tech] ICFO Introduction

Joachim Strömbergson joachim at secworks.se
Fri Nov 25 08:03:46 UTC 2016



Elie Benchimol wrote:
> In order to move the conversation forward it would be helpful for us 
> to understand if there are any circumstances or applications where a 
> fast random bit rate could be useful. We understand that your 
> particular application only requires a small amount of entropy to 
> initially seed the CS-PRNG and for periodic refreshes.

There are use cases where fast random bit rate is very useful. But that
puts requirements on the CSPRNG, not the entropy sources. The CSPRNG
used today is capable of Gbps performance. And you could fairly easily
instantiate more than one CSPRNG in parallel (seeded with different
seeds) to multiply the performance.

But in general, the frequency of reseeding will never be very high. Once
every GByte of random data from the CSPRNG is quite probably excessively
too often. As somebody pointed out, Daniel J Bernstein suggests that
when you have at least 128 bits of entropy to seed your CSPRNG, you
really don't ever reseed again. Since we are using ChaCha with 256 bit
key we need more bits. But the default reseeding happens very slowly.


> For example, are there any applications where the QRNG would re-seed
> more frequently, or run actively alongside the CS-PRNG?  Could you
> imagine a large-scale application where one fast QRNG is seeding
> multiple Cryptech HSMs in parallel?
>
> Best, Elie Calvin Benchimol
>
>> -----Original Message-----
>> From: Bernd Paysan [mailto:bernd at net2o.de]
>> Sent: Friday, October 28, 2016 4:28 PM
>> To: tech at cryptech.is
>> Cc: Carlos Abellan <Carlos.Abellan at icfo.eu>; Peter Stuge <peter at stuge.se>; Elie Benchimol <Elie.Benchimol at icfo.eu>
>> Subject: [SPAM] Re: [Cryptech Tech] ICFO Introduction
>>
>> On Thursday, 27 October 2016, 12:09:40 CEST, Carlos Abellan wrote:
>>> The final bitrate we can provide depends on the target price.
>>> Our optical system has been proven up to 42 Gb/s, but then the 
>>> electronics, ADC and processing gets very expensive. What do you 
>>> think would be an attractive RNG bitrate for your HSMs?
>> The purpose of an entropy source in an HSM is to fill up the 
>> entropy pool for the deterministic RNG.  That one is a 
>> cryptographic stream cipher (ChaCha20), and we trust this stream 
>> cipher (If not, we would have chosen a different one).  Actually, 
>> if you don't trust your symmetric crypto, the rest of the HSM 
>> doesn't make any sense.  DJB summed up some of the principles for 
>> entropy here:
>> http://blog.cr.yp.to/20140205-entropy.html
>> So there is no need to be particularly fast, just fill up the 
>> entropy source with enough bits to get an initial state (key) for 
>> the stream cipher.  There is no need for Gb/s from the entropy 
>> source.
>>
>> -- 
>> Bernd Paysan
>> "If you want it done right, you have to do it yourself"
>> net2o ID: kQusJzA;7*?t=uy at X}1GWr!+0qqp_Cn176t4(dQ*
>> http://bernd-paysan.de/

-- 
Kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
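To make the division of labour in the message concrete (the entropy source only supplies the 256-bit ChaCha key; all bulk output is keystream, and a fresh key is pulled only after a large byte budget), here is an added Python sketch. It is not Cryptech's code (the Cryptech CSPRNG is implemented in hardware); the `entropy_source` callable standing in for the TRNG entropy pool and the 1 GiB reseed budget are assumptions for illustration.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def _qr(s, a, b, c, d):  # ChaCha quarter round on four words of the working state
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte ChaCha20 keystream block (RFC 8439 layout): 256-bit key, 32-bit counter, 96-bit nonce."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))  # constants, words 0..3
    state += struct.unpack("<8I", key)                         # key, words 4..11
    state.append(counter & MASK)                               # block counter, word 12
    state += struct.unpack("<3I", nonce)                       # nonce, words 13..15
    x = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _qr(x, 0, 4, 8, 12); _qr(x, 1, 5, 9, 13); _qr(x, 2, 6, 10, 14); _qr(x, 3, 7, 11, 15)
        _qr(x, 0, 5, 10, 15); _qr(x, 1, 6, 11, 12); _qr(x, 2, 7, 8, 13); _qr(x, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x[i] + state[i]) & MASK for i in range(16)])

class ChaChaDRBG:
    """CSPRNG: entropy only seeds a 256-bit key; output is ChaCha20 keystream and a
    new key is requested only after reseed_bytes of output (1 GiB default, assumed)."""
    def __init__(self, entropy_source, reseed_bytes=1 << 30):
        self._entropy = entropy_source      # hypothetical callable returning 32 fresh bytes
        self._reseed_bytes = reseed_bytes   # must stay below 2**32 * 64 (32-bit counter)
        self.reseeds = 0
        self._reseed()

    def _reseed(self):
        key = self._entropy()
        if len(key) != 32:
            raise ValueError("entropy source must deliver exactly 256 bits")
        self._key, self._counter, self._since_reseed = key, 0, 0
        self.reseeds += 1

    def random_bytes(self, n):
        out = bytearray()
        while len(out) < n:
            if self._since_reseed >= self._reseed_bytes:
                self._reseed()  # rare: every reseed_bytes, not per request
            out += chacha20_block(self._key, self._counter, bytes(12))
            self._counter += 1
            self._since_reseed += 64
        return bytes(out[:n])
```

With an all-zero seed the first output bytes match the RFC 8439 keystream test vector, which is a quick way to check the block function before trusting the generator.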

